Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-12.txt

Tony Finch <> Wed, 02 October 2019 12:01 UTC

I have had another read through.

In the intro, one of the example uses for EDE is a server returning errors
because it has not finished starting up, but there is no EDE code for this

Re. EDE 0 "other", is it supposed to cover the situation when there are
multiple errors, e.g. different authoritative servers have different

Re. EDE 5 indeterminate, RFC 4035 says:

   Indeterminate: An RRset for which the resolver is not able to
      determine whether the RRset should be signed, as the resolver is
      not able to obtain the necessary DNSSEC RRs.  This can occur when
      the security-aware resolver is not able to contact security-aware
      name servers for the relevant zones.

Is this not also covered by EDE 9 (DNSKEY missing) and EDE 10 (RRSIG

[ I'm still not convinced "indeterminate" is a coherent validation state... ]

Re. EDE 11 no DNSKEY zone bit, why is there a special case for this and
not for DNSKEY protocol not equal to 3? Are either of these errors that
anyone has seen in the wild? (If so I would love to know how that came to

f.anthony.n.finch
contribute to the process of peace and disarmament, the elimination
of world poverty, and the collective safeguarding of democracy