[dns-operations] Another possible .gov validation problem?
George Barwood
george.barwood at blueyonder.co.uk
Sun Feb 13 22:47:52 UTC 2011
----- Original Message -----
From: "Mark Andrews" <marka at isc.org>
> If the zone is delegated you won't get a NXDOMAIN. The zone in
> question wasn't delegated. It was just being served by the same
> set of servers as its "parent" zone.
>
> DNSSEC did its job. It prevented data that was not provably insecure
> being accepted.
I'm wondering a bit what the most appropriate error is in this case.
My validating resolver gives ServerFail for all validation errors.
The model is
- Construct the response as if DNSSEC doesn't exist ( roughly )
- Try and validate the response, with 3 possible outcomes
  - Secure
  - Insecure
  - Bogus ( something went wrong )
and Bogus then translates into ServerFail.
I think ServerFail is possibly a bit more informative, as it shows something has definitely
gone wrong, whereas NameError can be a "normal" state of affairs.
So I can see arguments on both sides, but is there any important reason to favour NameError (NXDOMAIN)?
George