Tony Finch <d...@dotat.at> writes:

> Some questions about the intended meanings...

Thanks Tony,

Thanks for the comments.  Responses are inline in my tracking
notes below.

14.9 DONE Tony Finch in a sub thread to Paul
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Some questions about the intended meanings...


14.9.1 DONE 3.6.  Extended DNS Error Code 5 - DNSSEC Indeterminate
------------------------------------------------------------------

  If I remember correctly, there isn't a consistent definition of what
  "indeterminate" means. Perhaps it's worth adding a reference to the
  intended definition.

  [ actually maybe all the codes could have citations to where the error
  cases are mentioned in existing specifications, perhaps with a comment
  that the citations are not intended to be exhaustive ]

  + Response: good point.  I'll use a reference to 4035.  We'll have to
    collect references for the rest...  That's a good (and painful)
    idea.


14.9.2 DONE 3.5.  Extended DNS Error Code 4 - Forged Answer
-----------------------------------------------------------

  3.16.  Extended DNS Error Code 15 - Blocked
  3.17.  Extended DNS Error Code 16 - Censored
  3.19.  Extended DNS Error Code 18 - Filtered

  I don't understand the shades of meaning that these are supposed to
  distinguish.

  wrt "filtered", the description implies vaguely RPZ flavoured
  filtering, but it mentions a REFUSED RCODE which isn't what a sensible
  implementation would use for that purpose, so I am more confused.

  3.18.  Extended DNS Error Code 17 - Prohibited

  If I understand correctly, the four above are about the qname whereas
  this is about the client? The ordering is a bit confusing.

  + Response: Those three codes were supplied in a previous comment
    round and they are supposed to indicate policies being applied from
    different sources.  Can you check the new text of them to see if
    they are more understandable now?


14.9.3 DONE 3.21.  Extended DNS Error Code 20 - Lame
----------------------------------------------------

  This needs to be split into two: server doesn't know about the zone
  queried for (typically RCODE=REFUSED), and server knows about the zone
  but it has expired (typically RCODE=SERVFAIL).

  Resolvers handling RD=0 queries typically answer from cache or would
  answer REFUSED/Prohibited, I would have thought.

  + Response: I created an "Invalid Data" error code to handle this.
    Does this work for you?


-- 
Wes Hardaker
USC/ISI

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
