[dns-operations] Another possible .gov validation problem?

George Barwood george.barwood at blueyonder.co.uk
Sun Feb 13 22:47:52 UTC 2011

----- Original Message ----- 
From: "Mark Andrews" <marka at isc.org>
> If the zone is delegated you won't get a NXDOMAIN.  The zone in
> question wasn't delegated.  It was just being served by the same
> set of servers as its "parent" zone.
> DNSSEC did its job.  It prevented data that was not provably insecure
> being accepted.

I'm wondering a bit what the most appropriate error is in this case.

My validating resolver gives ServerFail for all validation errors.

The model is
  - Construct the response as if DNSSEC doesn't exist ( roughly )
  - Try and validate the response, with 3 possible outcomes
    - Secure
    - Insecure
    - Bogus ( something went wrong )
and Bogus then translates into ServerFail.

I think ServerFail is possibly a bit more informative, as it shows something has definitely
gone wrong, whereas NameError can be a "normal" state of affairs.

So I can see arguments on both sides, but is there any important reason to favour NameError (NXDOMAIN) ?

