return address for failed DNSSEC validation

Gilles Massen gilles.massen at restena.lu
Thu Mar 11 14:24:45 UTC 2010


Mark Andrews wrote:

>> Obviously there are parallels to NXDOMAIN rewriting. However, the major
>> difference I see is that NXDOMAIN is a clear message, known by the OSs
>> and applications, that has basically one meaning. SERVFAIL is more like
>> 'didn't work. go figure.' And the good thing is that 'validation error
>> rewriting' could be abandoned again if DNSSEC arrives at the
>> OS/applications.
> 
> 99.9% of the time SERVFAIL means "the owner of the zone stuffed up,
> go figure".  Doing DNSSEC wrong is just another way the owner of
> the zone can stuff up.  It doesn't need special handling.

From a purely technical point of view, I agree. However there is a
significant difference: until now SERVFAIL means "I wasn't able to
wrestle information out of the DNS despite its extraordinary
resilience to stupid configurations". In case of a validation error it
is rather "I don't want to show you. Not even that there was an answer and
that my warnings could be ignored".

The DNS protocol is not equipped to signal that. But a resolver could
give help - with shortcomings, but still something.

Best,
Gilles

-- 
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473
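The thread's point is that a SERVFAIL from a validating resolver carries no flag saying "this was a DNSSEC validation failure" rather than "the zone is broken". The one signal the protocol does offer is the CD (checking disabled) bit: repeating the query with CD=1 against the same validating resolver (what `dig +cd` does) asks it to hand back the data without validating, so a SERVFAIL that turns into NOERROR under CD is a validation failure, while a SERVFAIL that stays a SERVFAIL is the ordinary "owner of the zone stuffed up" case. The following is an added example, not code from the thread or from BIND: it parses the 12-byte DNS header from constructed response bytes and classifies the outcome of that two-query diagnostic. The header layout and bit positions are from RFC 1035 / RFC 4035; the response bytes, message ID and function names are constructed for illustration.

```python
import struct

# RCODE values from RFC 1035.
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
RCODE_NXDOMAIN = 3

# Flag bits in the second 16-bit word of the DNS header (RFC 1035 / RFC 4035).
FLAG_QR = 1 << 15   # response
FLAG_RD = 1 << 8    # recursion desired
FLAG_RA = 1 << 7    # recursion available
FLAG_AD = 1 << 5    # authenticated data (validator says the answer is secure)
FLAG_CD = 1 << 4    # checking disabled (client asked the validator to step aside)


def build_header(rcode, ad=False, cd=False, ancount=0, msg_id=0x1234):
    """Construct a 12-byte DNS response header (sample data, not a real capture)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (rcode & 0xF)
    if ad:
        flags |= FLAG_AD
    if cd:
        flags |= FLAG_CD
    # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT, all big-endian 16-bit.
    return struct.pack("!HHHHHH", msg_id, flags, 1, ancount, 0, 0)


def parse_header(raw):
    """Decode the fields of a DNS header that matter for this diagnostic."""
    if len(raw) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", raw[:12])
    return {
        "id": msg_id,
        "rcode": flags & 0xF,
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "ancount": ancount,
    }


def classify(normal_resp, cd_resp):
    """Classify the outcome of a query pair: the same question sent with CD=0, then CD=1.

    Both responses must come from the same validating resolver; a forwarder
    that does not validate returns identical answers for both queries and the
    'validation-failure' branch can never trigger.
    """
    normal = parse_header(normal_resp)
    with_cd = parse_header(cd_resp)

    if normal["rcode"] == RCODE_NXDOMAIN:
        return "nxdomain"                      # unambiguous: the name does not exist
    if normal["rcode"] == RCODE_NOERROR:
        return "secure" if normal["ad"] else "insecure"
    if normal["rcode"] == RCODE_SERVFAIL:
        if with_cd["rcode"] == RCODE_NOERROR:
            # Data is reachable once validation is switched off: the resolver
            # refused to show it because DNSSEC validation failed.
            return "validation-failure"
        # Still SERVFAIL with CD set: lame delegation, unreachable servers, etc.
        return "resolution-failure"
    return "other"


# Constructed sample responses for each scenario.
SAMPLES = {
    "bogus-zone": (build_header(RCODE_SERVFAIL), build_header(RCODE_NOERROR, cd=True, ancount=1)),
    "dead-zone": (build_header(RCODE_SERVFAIL), build_header(RCODE_SERVFAIL, cd=True)),
    "missing-name": (build_header(RCODE_NXDOMAIN), build_header(RCODE_NXDOMAIN, cd=True)),
    "signed-ok": (build_header(RCODE_NOERROR, ad=True, ancount=1), build_header(RCODE_NOERROR, cd=True, ancount=1)),
}


def classify_samples():
    return {name: classify(n, c) for name, (n, c) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:13s} -> {verdict}")
```

This is exactly the "help with shortcomings" a resolver client can give itself today: it tells validation failures apart from ordinary breakage without any protocol change, but only when the client talks directly to the validating resolver and is willing to send a second query.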