[dns-operations] Improvements to EDNS compliance tester?

Mark Andrews marka at isc.org
Wed Oct 24 22:49:31 UTC 2018



> On 25 Oct 2018, at 7:23 am, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> 
>> On Oct 24, 2018, at 4:06 PM, Mark Andrews <marka at isc.org> wrote:
>> 
>> If they are all TIMEOUT then the test has failed.
>> 
>> If they are all REFUSED then the test has failed as EDNS compliance was not met.
> 
> Sure there's a problem with name service for the domain in those
> cases, in that the domain may be configured to use nameservers that
> aren't there, or are not configured to be authoritative for the
> domain.
> 
> But, in those cases the issue may well not be the fault of the
> target nameserver, which may well be fully EDNS compliant.  Rather,
> the issue is often incorrect glue or incorrect NS records at the
> zone apex, which is more often the fault of the registrant than
> the target (non-)nameserver.
> 
> So I think that Jon Reed has a fair point about making the output
> a bit more clear.  Is it:
> 
>  * The target DNS server implements EDNS poorly
>    (server operator's fault), OR
> 
>  * The target DNS server is unreachable
>    (status unclear), OR
> 
>  * The target DNS server is not providing service for the domain
>    (generally registrant's fault)

Or the operator’s fault or the tester’s fault or …

The report is clear.  It reports the errors detected.  The test tools all ask for a zone that the server serves so that it can perform the test.  You can’t say that EDNS is “ok” or not without that being valid because some of the tests depend on the server returning answers for a zone it serves.

> -- 
> 	Viktor.
> 
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org




