[DNSOP] Extended errors draft

Jacob Hoffman-Andrews <jsha@eff.org> Mon, 24 July 2017 17:38 UTC

To: dnsop@ietf.org
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <83f87b5d-1b39-bad8-5ab4-5ebb5991f57b@eff.org>
Date: Mon, 24 Jul 2017 10:38:34 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/eH7mcQVJS7Id_0REAv9ZKlNwfFw>

I asked on the Unbound mailing list if there were any ways to
differentiate between DNSSEC-related SERVFAILs and other types of
SERVFAILs, and was referred to the extended error draft:
https://tools.ietf.org/html/draft-wkumari-dnsop-extended-error-02.

I can't speak to the implementation detail, but I can confirm that this
would be a very useful thing for ACME servers (and probably CAs in
general). In particular, ACME defines a number of error types, one of
which is "dnssec" (DNSSEC validation failed). Right now Boulder, Let's
Encrypt's ACME server, never returns that because it's hard to
distinguish error types. We get a lot of support requests from people
who get SERVFAILs and don't know why. If we could provide a more
detailed error message to start with, the people attempting to issue
certificates and getting errors would be able to help themselves more
easily.

I'm also somewhat in support of the extended textual error message
concept. ACME provides textual error messages in addition to error
types, and it's been very useful and informative.
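As an added illustration of the distinction the message asks for (not code from the post, from Boulder, or from Unbound): the script below parses the EDNS0 OPT record of a raw DNS response, pulls out any Extended DNS Error options, and classifies a SERVFAIL as "dnssec" or a generic "dns" failure. It uses the EDE wire format as finalised in RFC 8914 (EDNS option code 15, a two-octet INFO-CODE followed by UTF-8 EXTRA-TEXT), which differs from the draft-02 layout linked above. The sample packets, the `build_response` helper and the `acme_error_type` mapping are constructed here for the example and are assumptions, not an existing API.

```python
"""Extract RFC 8914 Extended DNS Errors from a raw DNS response and map
them to an ACME-style error type.  Added example; sample packets are
constructed inline, not captured from a resolver."""
import struct

EDE_OPTION_CODE = 15      # RFC 8914 EDNS option code
RCODE_SERVFAIL = 2
TYPE_OPT = 41

# RFC 8914 info codes that mean the resolver's DNSSEC validation failed
DNSSEC_INFO_CODES = {
    1: "Unsupported DNSKEY Algorithm",
    2: "Unsupported DS Digest Type",
    5: "DNSSEC Indeterminate",
    6: "DNSSEC Bogus",
    7: "Signature Expired",
    8: "Signature Not Yet Valid",
    9: "DNSKEY Missing",
    10: "RRSIGs Missing",
    11: "No Zone Key Bit Set",
    12: "NSEC Missing",
}


def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two octets, ends the name
            return off + 2
        off += 1 + length


def extended_errors(msg):
    """Return (rcode, [(info_code, extra_text), ...]) for a DNS message.

    Walks every RR looking for the OPT pseudo-RR; EDE may appear more than
    once in one OPT, so every instance is returned in order."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # QTYPE, QCLASS
    errors = []
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != TYPE_OPT:
            continue
        # In OPT the top octet of the TTL carries the extended RCODE bits (RFC 6891)
        rcode |= ((ttl >> 24) & 0xFF) << 4
        pos = 0
        while pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code == EDE_OPTION_CODE and len(body) >= 2:
                info = struct.unpack("!H", body[:2])[0]
                text = body[2:].decode("utf-8", errors="replace")
                errors.append((info, text))
    return rcode, errors


def acme_error_type(msg):
    """Hypothetical ACME mapping: 'dnssec' when a DNSSEC-related EDE is
    present, 'dns' for any other non-zero RCODE, None when not an error."""
    rcode, errors = extended_errors(msg)
    if rcode == 0:
        return None
    if any(info in DNSSEC_INFO_CODES for info, _ in errors):
        return "dnssec"
    return "dns"


def build_response(qname, rcode, ede=None):
    """Constructed minimal response: one question, no answers, one OPT RR
    that optionally carries a single EDE option."""
    flags = 0x8180 | rcode                        # QR, RD, RA + RCODE
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1)
    labels = [bytes([len(p)]) + p.encode() for p in qname.split(".")]
    question = b"".join(labels) + b"\x00" + struct.pack("!HH", 1, 1)   # A, IN
    options = b""
    if ede is not None:
        info, text = ede
        body = struct.pack("!H", info) + text.encode()
        options = struct.pack("!HH", EDE_OPTION_CODE, len(body)) + body
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, len(options)) + options
    return hdr + question + opt


if __name__ == "__main__":
    bogus = build_response("example.org", RCODE_SERVFAIL, (6, "validation failure"))
    lame = build_response("example.org", RCODE_SERVFAIL, (22, "no reachable authority"))
    plain = build_response("example.org", RCODE_SERVFAIL)
    for pkt in (bogus, lame, plain):
        print(extended_errors(pkt), "->", acme_error_type(pkt))
```

The third sample is the situation the message describes: a bare SERVFAIL with no EDE carries nothing to distinguish a DNSSEC failure from an unreachable authority, so it can only be reported as a generic DNS error.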