Hello (re-sending to the list),

I would like to find a solution which covers possible failure modes other than SERVFAIL, too. Looking at BIND 9.9, it can sometimes return NXDOMAIN or even NOERROR when validation fails for some obscure reasons. E.g. an attempt to invent a private TLD like 'mycompany' without proper trust anchor configuration / negative trust anchor can yield an NXDOMAIN answer and one line in the log, but not a SERVFAIL. Similarly, an attempt to 'shadow'/'hijack' an existing domain which has DS records in the parent might result in returning NOERROR with data from the real parent while ignoring the 'spoofed' data.

I agree that this behavior makes sense from a security standpoint, but it would be tremendously handy to get information that something like that happened.

Maybe https://tools.ietf.org/html/draft-hunt-dns-server-diagnostics-00#section-2.2 could be relaxed to allow the server to send the ESD option even in non-SERVFAIL responses?

Maybe there will be other use cases for the ESD option too. E.g. GSS-TSIG errors could be accompanied by detailed error codes and/or human-readable error messages from GSS libraries and so on. GSS-TSIG is sometimes quite hard to debug, so this extension could be a tremendous help!

(Yes, all this may require some configurable policy to specify the clients who can use the ESD option.)

I will be in Prague, so I'm more than happy to discuss it there if there is enough interest.

-- 
Petr Spacek @ Red Hat

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
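To make the proposal above concrete, here is an added example (not part of Petr's message, the draft, or BIND) of what a client would have to do to consume a diagnostic EDNS option attached to a non-SERVFAIL response: parse the response header, recover the 12-bit extended RCODE from the OPT pseudo-RR, and pull out the option payload. The option code (65001, in the experimental/local-use range of RFC 6891) and the plain-text payload format are assumptions made here for illustration; the draft's actual wire format is not reproduced. The sample messages are constructed inline, so the script runs offline.

```python
import struct

# Assumption for this example only: a diagnostic option carried in the
# experimental/local-use code range (RFC 6891). Not the draft's real code.
ESD_OPTION_CODE = 65001
EDNS_OPT_TYPE = 41
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def _encode_name(name):
    """Wire-encode a dotted name ("mycompany." -> b"\\x09mycompany\\x00")."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past the name starting at off (handles compression)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def build_response(qname, rcode, diag_text=None):
    """Construct a minimal DNS response (QR, RD, RA set) with an OPT RR.

    If diag_text is given it is attached as the hypothetical ESD option, so a
    NXDOMAIN or NOERROR answer can still carry a human-readable explanation.
    """
    flags = 0x8180 | (rcode & 0x0F)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # A, IN
    options = b""
    if diag_text is not None:
        data = diag_text.encode("utf-8")
        options = struct.pack("!HH", ESD_OPTION_CODE, len(data)) + data
    # OPT RR: root name, type 41, CLASS = UDP payload size, TTL = ext-RCODE/version/flags
    opt = b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, 4096, 0, len(options)) + options
    return header + question + opt


def parse_response(msg):
    """Return (extended_rcode, {option_code: payload}) for a DNS response."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    options = {}
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == EDNS_OPT_TYPE:
            rcode |= ((ttl >> 24) & 0xFF) << 4  # upper 8 bits of the extended RCODE
            p = 0
            while p + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[p:p + 4])
                options[code] = rdata[p + 4:p + 4 + olen]
                p += 4 + olen
    return rcode, options


def diagnostics(msg):
    """Return (rcode_name, diagnostic_text_or_None) for a response."""
    rcode, options = parse_response(msg)
    name = RCODE_NAMES.get(rcode, str(rcode))
    payload = options.get(ESD_OPTION_CODE)
    return name, (payload.decode("utf-8", "replace") if payload is not None else None)


if __name__ == "__main__":
    # Constructed sample: the NXDOMAIN-instead-of-SERVFAIL case from the message.
    msg = build_response("mycompany.", 3, "validation failed: no trust anchor for 'mycompany'")
    print(diagnostics(msg))
    # Constructed sample: a plain SERVFAIL with no diagnostic option attached.
    print(diagnostics(build_response("example.test.", 2)))
```

The point of `parse_response` is that the diagnostic lookup is independent of the RCODE: a client that only inspects the option on SERVFAIL would miss exactly the NXDOMAIN and NOERROR cases described above. Note that the extended-RCODE bits from the OPT TTL must be folded in before naming the RCODE, otherwise a response using codes above 15 would be mislabelled.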
I would like to find a solution which covers other possible failure modes than SERVFAIL, too. Looking at BIND 9.9, it sometimes can return NXDOMAIN or even NOERROR when validation fails for some obscure reasons. E.g. an attempt to invent private TLD like 'mycompany' without proper trust anchor configuration / negative trust anchor can yield NXDOMAIN answer and one line in log, but not a SERVFAIL. Similarly, an attempt to 'shadow'/'hijack' an existing domain which has DS records in the parent might result in returning NOERROR with data from the real parent while ignoring 'spoofed' data. I agree that this behavior makes sense from security stand point but it would be tremendously handy to get information that something like that happened. Maybe https://tools.ietf.org/html/draft-hunt-dns-server-diagnostics-00#section-2.2 could be relaxed to allow the server to send ESD option even in non-SERVFAIL responses? Maybe there will be other use-cases for ESD option too. E.g. GSS-TSIG errors could be accompanied with detailed error codes and/or human-readable error messages from GSS libraries and so on. GSS-TSIG is sometimes quite hard to debug so this extension could be a tremendous help! (Yes, all this may require some configurable policy to specify clients who can use ESD option.) I will be in Prague so I'm more than happy to discuss it there if there is enough interest. -- Petr Spacek @ Red Hat _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop