To: David Blacka <davidb@verisignlabs.com>
cc: dnssec@cafax.se
From: Jim Reid <jim@rfc1035.com>
Date: Mon, 10 May 2004 16:14:56 +0100
In-Reply-To: Message from David Blacka <davidb@verisignlabs.com> of "Mon, 10 May 2004 10:41:53 EDT." <200405101041.53316.davidb@verisignlabs.com>
Sender: owner-dnssec@cafax.se
Subject: Re: dnssec: resolver - application communication
>>>>> "David" == David Blacka <davidb@verisignlabs.com> writes:
David> I'm not sure I agree here. Why would validating stub
David> resolvers (a term I'm using for the "application") wish to
David> talk directly to the authoritative servers?
Maybe it doesn't have a trust relationship with a full service
resolver? E.g. a roving user who plugs into the net at an IETF meeting.
OK, this is a bit contrived, but it's not unrealistic.
David> You may be right in thinking that (most) applications will
David> not care about which particular validation failure
David> occurred, but SERVFAIL does _not_ indicate an attack. It
David> is so overloaded that it just indicates that some sort of
David> vaguely defined problem has occurred (e.g., a lame
David> delegation).
I agree. And if something gets a SERVFAIL, how's it supposed to figure
out if that was or wasn't caused by a validation failure?
David> A better question might be:
David> * Must (Should?) applications be able to distinguish
David> between DNSSEC related failure and other forms of failure?
This is a very good question. And the answer is yes IMO.
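The point Jim raises above, that an application receiving SERVFAIL cannot tell whether validation failed, can be seen in the wire format: the 12-byte DNS header carries RCODE plus the AD and CD bits but nothing that names the cause of a SERVFAIL. The following is an added example, not code from this thread; it parses the header and applies the workaround of the era, retrying the same question with CD=1 (Checking Disabled) and comparing the two answers. The `classify_servfail` and `build_response` helpers and the header-only responses they construct are mine.

```python
import struct

# DNS header (RFC 1035 4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
HEADER = struct.Struct("!HHHHHH")
RCODE_SERVFAIL, RCODE_NOERROR = 2, 0
FLAG_AD, FLAG_CD = 0x0020, 0x0010   # RFC 4035: AD = bit 5, CD = bit 4 of FLAGS

def parse_header(msg: bytes) -> dict:
    """Decode RCODE and the DNSSEC-relevant flag bits from a DNS message header."""
    if len(msg) < HEADER.size:
        raise ValueError("truncated DNS message")
    _txid, flags, _qd, an, _ns, _ar = HEADER.unpack_from(msg)
    return {
        "rcode": flags & 0x000F,
        "ad": bool(flags & FLAG_AD),  # Authentic Data: resolver validated the answer
        "cd": bool(flags & FLAG_CD),  # Checking Disabled: echoed from the query
        "ancount": an,
    }

def classify_servfail(plain: bytes, cd_retry: bytes) -> str:
    """Compare a SERVFAIL response with a retry of the same question sent with CD=1.

    A validating resolver skips validation when CD is set, so if the retry returns
    data the original SERVFAIL was almost certainly a validation failure (bogus
    data, broken signatures, stale trust anchor). If the retry also fails, the
    cause lies upstream (e.g. a lame delegation), which SERVFAIL alone cannot show.
    """
    p, r = parse_header(plain), parse_header(cd_retry)
    if p["rcode"] != RCODE_SERVFAIL:
        return "not-servfail"
    if not r["cd"]:
        raise ValueError("retry response does not carry CD; nothing can be concluded")
    if r["rcode"] == RCODE_NOERROR and r["ancount"] > 0:
        return "validation-failure"
    if r["rcode"] == RCODE_SERVFAIL:
        return "upstream-failure"
    return "inconclusive"

def build_response(rcode: int, ad=False, cd=False, ancount=0, txid=0x1234) -> bytes:
    """Constructed header-only response (QR=1, RD=1, RA=1) for offline testing."""
    flags = 0x8180 | (FLAG_AD if ad else 0) | (FLAG_CD if cd else 0) | (rcode & 0xF)
    return HEADER.pack(txid, flags, 1, ancount, 0, 0)

if __name__ == "__main__":
    # Constructed exchange: SERVFAIL with CD=0, then the CD=1 retry hands back data.
    print(classify_servfail(build_response(RCODE_SERVFAIL),
                            build_response(RCODE_NOERROR, cd=True, ancount=1)))
```

Extended DNS Errors (RFC 8914) later gave resolvers an explicit way to report "DNSSEC Bogus" and similar causes, which is the proper answer to the question David poses.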