Hi all, I made an Extended DNS Errors implementation in Unbound during the IETF104 hackathon. Implementing the code that handles the errors was rather straightforward, the difficult part is (as Stéphane already pointed out) finding the right locations in the code for the individual errors. Some remarks regarding the draft:
Since it is possible to have multiple extended error options, is it expected to return all errors that match the result, or only the most specific one? For example: if a DNSSEC signatures is expired should both the "DNSSEC bogus" (SERVFAIL/Extended error 1) and the "Signature expired" (SERVFAIL/Extended error 2) be returned? I am not sure whether linking the info code to the rcode is a good idea. Some info codes can happen for different rcodes. It is in Unbound for example possible to block a domain by sending a REFUSED rcode, while the document list blocking only for the NXDOMAIN rcode. If the rcode/info-code coupling will remain then I would like to have the same info code for a specific error under different rcodes, for example always use info-code 1 for blocking. Since EDNS is hop-by-hop, only error information from the resolver you are talking to is returned. There are cases when the interesting information is not in the first resolver. For example: if a resolver forwards queries to another one and the last one does DNSSEC validation then the resolver you are talking to does not generate the interesting information. Is it maybe an idea to add some text stating that extended error-aware resolvers should forward the received EDNS option? I think having the extra information provided by this document is useful for debugging, and only for that. This extra information should not be used to make any DNS resolving decision, which makes the retry flag a bad idea. At the moment I don't have to trust all my secondaries as long as my zone is DNSSEC signed. The worst thing they can do is not return my data or tamper with it, in which case the validating resolver will ignore it and try another nameserver. Giving a nameserver the power to instruct a resolver to not try at another nameserver gives them the power to make my zone unavailable. This completely changes the current trust model. Please remove the retry flag from the document. -- Ralph _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
