[dns-operations] Improvements to EDNS compliance tester?

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Oct 24 20:23:37 UTC 2018


> On Oct 24, 2018, at 4:06 PM, Mark Andrews <marka at isc.org> wrote:
> 
> If they are all TIMEOUT then the test has failed.
> 
> If they are all REFUSED then the test has failed as EDNS compliance was not met.

Sure, there's a problem with name service for the domain in those
cases, in that the domain may be configured to use nameservers that
aren't there, or are not configured to be authoritative for the
domain.

But, in those cases the issue may well not be the fault of the
target nameserver, which may well be fully EDNS compliant.  Rather,
the issue is often incorrect glue or incorrect NS records at the
zone apex, which is more often the fault of the registrant than
the target (non-)nameserver.

So I think that Jon Reed has a fair point about making the output
a bit more clear.  Is it:

  * The target DNS server implements EDNS poorly
    (server operator's fault), OR

  * The target DNS server is unreachable
    (status unclear), OR

  * The target DNS server is not providing service for the domain
    (generally registrant's fault)

-- 
	Viktor.
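
Added example, not part of the original message and not the EDNS compliance tester's own code: one way to separate the three cases listed above using per-probe results for each nameserver. The `test=result` line format, the probe names, the server names and the rule for mixed TIMEOUT/REFUSED results are assumptions made for illustration.

```python
# Verdict labels follow the three cases listed in the message above.
EDNS_FAULT = "implements EDNS poorly (server operator's fault)"
UNREACHABLE = "unreachable (status unclear)"
NOT_SERVING = "not providing service for the domain (generally registrant's fault)"
COMPLIANT = "no failures"

def parse_results(line):
    """Parse 'test=result ...' into a dict. This line format is an assumption."""
    results = {}
    for token in line.split():
        name, sep, value = token.partition("=")
        if not (name and sep and value):
            raise ValueError(f"malformed token: {token!r}")
        results[name] = value.lower()
    if not results:
        raise ValueError("no test results in line")
    return results

def classify(results):
    """Return (verdict, failing_tests) for one nameserver's probe results."""
    failing = sorted(t for t, r in results.items() if r != "ok")
    outcomes = set(results.values())
    if not failing:
        return COMPLIANT, failing
    if outcomes == {"timeout"}:
        return UNREACHABLE, failing
    # Assumption: REFUSED with no successful answer at all means the server
    # is reachable but is not authoritative for the zone (bad NS or glue).
    if outcomes <= {"timeout", "refused"}:
        return NOT_SERVING, failing
    # At least one probe was answered, so failures point at EDNS handling.
    return EDNS_FAULT, failing

def report(samples):
    """Map each nameserver to its verdict."""
    return {ns: classify(parse_results(line))[0] for ns, line in samples.items()}

# Constructed sample input (not real measurements).
SAMPLES = {
    "ns1.example.net": "dns=ok edns=ok edns1=ok do=ok",
    "ns2.example.net": "dns=timeout edns=timeout edns1=timeout do=timeout",
    "ns3.example.net": "dns=refused edns=refused edns1=refused do=refused",
    "ns4.example.net": "dns=ok edns=ok edns1=timeout do=ok",
}

if __name__ == "__main__":
    for ns, verdict in report(SAMPLES).items():
        print(f"{ns}: {verdict}")
```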