Viktor,

Viktor Dukhovni:
> On Mon, Nov 13, 2017 at 06:02:11PM -0800, Wes Hardaker wrote:
>
>> Tony Finch <d...@dotat.at> writes:
>>
>>>> It can be argued that NODATA (pseudo rcode, I know) is an "error" as
>>>> well as NXDOMAIN...
>>>
>>> Or, neither of them are errors :-)
>>
>> We'll remove the restriction in any wording that says it can only be for
>> errors. I think there is clear consensus to do so.
>
> For the record, I'm with Tony, neither NODATA nor NXDomain are DNS
> lookup errors. Lack of answers may (or may not) lead to
> application-level errors depending on whether the data sought was
> functionally essential, but either way the DNS lookup was successful,
> and returned the status of the requested RRset.
>
> This is, for example, important with opportunistic DANE TLS, where
> actual lookup errors are potential downgrade attacks, but NODATA
> and NXDomain are not lookup errors.
>
> And indeed unlike actual errors, there is nothing one could possibly
> add in the form of extended "error" diagnostics when returning a NODATA
> or NXDomain response, these non-error conditions don't require any
> additional context to aid problem resolution.

Be careful when you say "nothing ... possibly". ;)

For example, you could have something like:

    RCODE: SUCCESS (NODATA)
    Extended code: ERRBLACKLIST
    Explanation: "Client blacklisted for IPv6 queries"

This could be helpful for a user or operator.

(Of course, it also hints that being able to add arbitrary text to an
error may be useful, as including a URL with more information in the
response might provide further insight. But perhaps having Google is
enough that this is not necessary?)

Cheers,

--
Shane

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
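
The distinction the quoted text draws for opportunistic DANE TLS, shown as an added example that is not part of the original messages: a client separates replies where the lookup succeeded but the TLSA RRset is absent (NODATA, NXDOMAIN) from replies where the lookup itself failed and falling back would allow a downgrade. The function name, the three return labels and the sample headers are assumptions of this example, and it assumes a trusted validating resolver whose AD bit can be relied on.

```python
import struct

QR, AD = 0x8000, 0x0020            # response flag, Authenticated Data flag
NOERROR, NXDOMAIN = 0, 3           # RCODE values

def classify_tlsa_reply(wire):
    """Map a validating resolver's reply to a TLSA query onto a DANE decision.

    "use-dane": authenticated TLSA records came back
    "no-dane" : NODATA or NXDOMAIN, the lookup succeeded and the RRset is absent
    "fail"    : the lookup itself failed; do not fall back (possible downgrade)
    """
    if wire is None or len(wire) < 12:        # timeout or short packet
        return "fail"
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", wire[:12])
    if not flags & QR:                        # not a response at all
        return "fail"
    rcode = flags & 0x000F
    if rcode == NXDOMAIN:
        return "no-dane"
    if rcode == NOERROR:
        # Header-only simplification: ANCOUNT == 0 is treated as NODATA. A CNAME
        # chain ending without TLSA records needs the answer section parsed.
        if ancount == 0:
            return "no-dane"
        # TLSA records without the AD bit are unauthenticated and not usable.
        return "use-dane" if flags & AD else "no-dane"
    return "fail"                             # SERVFAIL, REFUSED, FORMERR, ...

def header(flags, ancount=0):
    """Constructed sample: a bare 12-byte DNS header, no question or records."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

# Constructed sample replies (header only), keyed by what they represent.
SAMPLES = {
    "secure TLSA answer": header(0x81A0, ancount=2),
    "insecure TLSA answer": header(0x8180, ancount=2),
    "NODATA": header(0x81A0),
    "NXDOMAIN": header(0x81A3),
    "SERVFAIL": header(0x8182),
    "timeout": None,
}

if __name__ == "__main__":
    for name, wire in SAMPLES.items():
        print(f"{name:22} -> {classify_tlsa_reply(wire)}")
```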