[dns-operations] DNS error reporting (was: DNS at FOSDEM 2016)

Marek Vavruša marek at vavrusa.com
Tue Feb 9 11:21:35 UTC 2016


Hi,

I'd be happy to help as this is something I see as really important.
Here's what I think:

- The code system with predefined code numbers makes a lot of sense.
Personally, I would keep spaces between main error codes to make error
classification easier later. For example 1XX would be server-internal
failures (resource constraints, server-is-reloading state ...), 7XX
would be signature-related failures etc. Like HTTP error codes really.
This is what machines would like to see.

- Each code SHOULD have a free-form explanation on what actually
happened. This is what humans want to see.

- EDNS is okay, but the drawback is that diagnostic tools like
kdig/drill/dig or anything similar won't be able to interpret them and
it won't probably live through forwarder hops. I'm inclined towards
RFC4892 TXT in reserved name reporting (chaos class or not), as it's
simple, existing tools will be able to parse and display it and it's
flexible enough. Something like:

error.server. CH TXT "701"
error.server CH TXT "Signature of abcd.is expired 30 days ago."

I'll be probably implementing something along these lines in Knot Resolver.

The next question would be, how do we work with browsers and other DNS
data consumers to
improve error reporting.

Marek

On 9 February 2016 at 10:59, Petr Spacek <pspacek at redhat.com> wrote:
> On 9.2.2016 10:07, Mukund Sivaraman wrote:
>> Hi Petr
>>
>> On Tue, Feb 09, 2016 at 09:40:33AM +0100, Petr Spacek wrote:
>>>> If the browser had a better way to ask the local resolver and get a
>>>> detailed error report,
>>>> that would be awesome.
>>>
>>> Marek and anyone else, would you be willing to work with us on improving error
>>> reporting in DNS answers (not only SERVFAIL, think also about REFUSED etc.)?
>>>
>>> There were some previous attempts but for lack of time we did not move much:
>>> http://www.ietf.org/mail-archive/web/dnsop/current/msg13299.html
>>>
>>> Would you be willing to help with a draft? (And of course implement it into
>>> Knot :-)
>>
>> Have you followed up with Evan Hunt who offered to revive his draft in
>> reply to your mail?
>>
>> https://www.ietf.org/mail-archive/web/dnsop/current/msg13302.html
>
> Hmm, it seems that the conversation on the dnsop list is complete.
>
> The conversation happened around IETF 93 in Prague so I guess that the thread
> got lost in all the noise and did not continue after that.
>
> Evan, do you plan to revive the draft?
>
> I still believe that it would be very useful and I'd would be happy to review
> and/or cooperate on it.
>
> --
> Petr Spacek  @  Red Hat



More information about the dns-operations mailing list