[dns-operations] DNS error codes suck, or "How do I SERVFAIL? Let me count the ways..." (was DNS at FOSDEM 2016)

Shane Kerr shane at time-travellers.org
Tue Feb 9 10:52:57 UTC 2016


At 2016-02-09 09:40:33 +0100
Petr Spacek <pspacek at redhat.com> wrote:

> > I think there is another very compelling reason to implement resolver on
> > the endpoint and that is error reporting from the resolver. DNS error responses
> > from the resolvers are a joke: spoofed DNSSEC answer - client gets SERVFAIL,
> > upstream is too slow - client gets SERVFAIL, too long CNAME chain - SERVFAIL,
> > ... what the user gets from the browser is a blank page with a generic
> > excuse and that's
> > about that. Compare to HTTP error codes and error pages, certificate
> > failures etc.
> > If the browser had a better way to ask the local resolver and get a
> > detailed error report,
> > that would be awesome.  
> Marek and anyone else, would you be willing to work with us on improving error
> reporting in DNS answers (not only SERVFAIL, think also about REFUSED etc.)?
> There were some previous attempts but for lack of time we did not move much:
> http://www.ietf.org/mail-archive/web/dnsop/current/msg13299.html
> Would you be willing to help with a draft? (And of course implement it into
> Knot :-)

Evan Hunt [Cc'd] had a draft about this a couple years ago:


Possibly this is a good starting point?



More information about the dns-operations mailing list