[DNSOP] Extended errors draft

Jacob Hoffman-Andrews <jsha@eff.org> Mon, 24 July 2017 17:38 UTC

Return-Path: <jsha@eff.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D70712ECF0 for <dnsop@ietfa.amsl.com>; Mon, 24 Jul 2017 10:38:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.003
X-Spam-Level:
X-Spam-Status: No, score=-7.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eff.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bLse--oIdW_w for <dnsop@ietfa.amsl.com>; Mon, 24 Jul 2017 10:38:34 -0700 (PDT)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0538129B2A for <dnsop@ietf.org>; Mon, 24 Jul 2017 10:38:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Date:Message-ID:Subject:From:To; bh=yWQxPwG0T2kv+Xce8CSgBeWtt+xmqIjlgE7AZiiv1/8=; b=C+apBWcJWFWWLw5yMPgo491CvwjHp9AYBVolEbd2YRgpy5yTds5wbmVPKm76xhL16/Qg/9TMuSrxM9zCi68DeqmPqtjC1KRPLbzXYy7Bs6FP6bje+e/owS0VN5gzQMy07abH+OKivVnqUW4xoTADYQomMGTBlXwB1Q9STqwPcFA=;
Received: ; Mon, 24 Jul 2017 10:38:33 -0700
To: dnsop@ietf.org
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <83f87b5d-1b39-bad8-5ab4-5ebb5991f57b@eff.org>
Date: Mon, 24 Jul 2017 10:38:34 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Received-SPF: skipped for local relay
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/eH7mcQVJS7Id_0REAv9ZKlNwfFw>
Subject: [DNSOP] Extended errors draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jul 2017 17:38:36 -0000

I asked on the Unbound mailing list if there were any ways to
differentiate between DNSSEC-related SERVFAILs and other types of
SERVFAILs, and was referred to the extended error draft:
https://tools.ietf.org/html/draft-wkumari-dnsop-extended-error-02.

I can't speak to the implementation detail, but I can confirm that this
would be a very useful thing for ACME servers (and probably CAs in
general). In particular, ACME defines a number of error types, one of
which is "dnssec" (DNSSEC validation failed). Right now Boulder, Let's
Encrypt's ACME server, never returns that because it's hard to
distinguish error types. We get a lot of support requests from people
who get SERVFAILs and don't know why. If we could provide a more
detailed error message to start with, the people attempting to issue
certificates and getting errors would be able to help themselves more
easily.

I'm also somewhat in support of the extended textual error message
concept. ACME provides textual error messages in addition to error
types, and it's been very useful and informative.