Ralf Weber wrote:
> No redirection on SERVFAIL seems to be a strange recommendation.
> Wouldn't this be a very good reason to provide a diagnostics page,
> especially if there's been a DNSSEC validation failure?
> This sounds like an excellent idea to help DNSSEC adoption and
> is something that should go into the draft.
then a SERVFAIL will also result in an e-mail bounce that says connection
refused instead of DNS error (assuming there's no e-mail sink on the host that
is redirected to). Fun times for the helpdesk.
I have the impression that even though it tries not to, the document still
assumes that web==internet, mentioning problems 'non-web clients' only as a
small side-effect, while imho it should be one of the main concerns (the
www-case is the easy one).
Also, I don't see how the ISP trust anchor for DNSSEC would work (not knowing
the actual zone that it is supposed to cover in advance); it might be a better
idea to simply disable all redirects on DO==1.
Then again, I am of the persuasion that messing with a core protocol on the fly
is simply asking for trouble, and disabling redirection should be top priority
for everyone.
Jelte
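As an added illustration of the resolver policy argued for in this thread (never rewrite a response when the query had DO=1, and never rewrite a SERVFAIL), not code from the draft or from anyone on the list: a minimal Python check over constructed DNS wire-format messages. Only the DO bit of an EDNS0 OPT record and the RCODE are inspected; the message builders are constructed samples for the demonstration.

```python
import struct

RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
TYPE_OPT = 41          # EDNS0 pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000       # DNSSEC OK bit, top bit of the OPT RR TTL field (RFC 3225)

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def skip_name(msg, off):
    # Advance past a wire-format name; a compression pointer ends it in two bytes.
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def query_has_do(msg):
    """True if the query carries an EDNS0 OPT RR in the additional section with DO=1."""
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                     # skip QTYPE + QCLASS
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if i >= an + ns and rtype == TYPE_OPT and ttl & DO_FLAG:
            return True
        off += 10 + rdlen                                 # fixed RR fields + RDATA
    return False

def rcode(msg):
    return msg[3] & 0x0F

def redirect_allowed(query, response):
    """Policy: a DO=1 query or a SERVFAIL is never rewritten; only a plain NXDOMAIN is a candidate."""
    if query_has_do(query) or rcode(response) == RCODE_SERVFAIL:
        return False
    return rcode(response) == RCODE_NXDOMAIN

def build_query(name, do):
    # Constructed sample: standard query with RD=1; OPT RR (4096-byte payload) only when do is set.
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if do else 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)     # QTYPE A, QCLASS IN
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_FLAG, 0) if do else b""
    return hdr + question + opt

def build_response(query, rc):
    # Constructed sample: echo the query with QR=1, RD=1, RA=1 and the given RCODE, no answers.
    return query[:2] + struct.pack("!H", 0x8180 | rc) + query[4:]
```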
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop