I have had another read through.

In the intro, one of the example uses for EDE is a server returning errors because it has not finished starting up, but there is no EDE code for this case.

Re. EDE 0 "other", is it supposed to cover the situation when there are multiple errors, e.g. different authoritative servers have different problems?

Re. EDE 5 indeterminate, RFC 4035 says:

    Indeterminate: An RRset for which the resolver is not able to
    determine whether the RRset should be signed, as the resolver is
    not able to obtain the necessary DNSSEC RRs. This can occur when
    the security-aware resolver is not able to contact security-aware
    name servers for the relevant zones.

Is this not also covered by EDE 9 (DNSKEY missing) and EDE 10 (RRSIG missing)?

[ I'm still not convinced "indeterminate" is a coherent validation state... ]

Re. EDE 11 no DNSKEY zone bit, why is there a special case for this and not for DNSKEY protocol not equal to 3? Are either of these errors that anyone has seen in the wild? (If so I would love to know how that came to pass!)

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
contribute to the process of peace and disarmament, the elimination of
world poverty, and the collective safeguarding of democracy

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop