To: dnssec@cafax.se
From: "Loomis, Rip" <GILBERT.R.LOOMIS@saic.com>
Date: Tue, 11 May 2004 12:41:42 -0400
Sender: owner-dnssec@cafax.se
Subject: RE: dnssec: resolver - application communication
Matt Larson writes:

> It sounds like you're arguing for a richer signaling mechanism between
> security-aware iterative-mode resolver and recursive-mode resolver. I
> have been in the "AD bit, SERVFAIL sucks" camp for some time and a
> voice crying for something else. I think some additional RCODEs (or
> some other mechanism) to communicate DNSSEC validation status are
> necessary and inevitable.

Hi Matt. I think that as a minimum the "NOTVAL" RCODE is needed. I'd actually like to see a "RAWDATAOK" (or something) RCODE that could be used in the request--to say "I not only want DNSSEC-relevant data, but I want the raw data even if some of it fails your local validation, since I may have my own secure entry points/configured keys".

Yes, there are potential problems, but I think that such a capability would be useful both in the transition stages of getting DNSSEC fielded (zones signed) and then in the subsequent notional transition to secure stub resolvers. The alternative is requiring iterative queries to all the upstream authoritative servers (which may be prevented by router ACLs/topology on some networks) or else falling back to queries without DNSSEC.

Comments? Did I miss something in my thinking?

> One of these days I'll just break down and write an I-D.

I think the day where one is needed has arrived.

--Rip
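The signaling the thread complains about (the AD bit plus a bare SERVFAIL) lives in the 16-bit flags word of the DNS header. The following Python is an added example, not code from either poster: it decodes constructed header bytes and shows what a stub can and cannot conclude from today's bits. It uses the AD (Authentic Data) and CD (Checking Disabled) bits as defined in the DNSSEC RFCs; CD is the standard request bit closest in spirit to the "RAWDATAOK" idea, and the sample messages are constructed here.

```python
import struct

# DNS header flag word (RFC 1035 layout; AD/CD bits added by the DNSSEC RFCs)
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
AD, CD = 0x0020, 0x0010            # Authentic Data / Checking Disabled
RCODE_MASK = 0x000F
SERVFAIL = 2

def build_header(ident: int, flags: int, qd=1, an=0, ns=0, ar=0) -> bytes:
    """Pack a 12-byte DNS header (constructed test input, no question section)."""
    return struct.pack("!6H", ident, flags, qd, an, ns, ar)

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into its fields."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "flags": flags, "rcode": flags & RCODE_MASK,
            "qr": bool(flags & QR), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "qdcount": qd, "ancount": an}

def validation_status(query_flags: int, response: bytes) -> str:
    """What a stub can infer about DNSSEC validation from the reply header alone."""
    h = parse_header(response)
    if h["rcode"] == SERVFAIL:
        # The ambiguity the thread objects to: a validation failure looks exactly
        # like a lame delegation, an upstream timeout or any other server error.
        return "SERVFAIL: validation failure or unrelated error (indistinguishable)"
    if h["ad"]:
        return "validated by recursive resolver (AD bit set)"
    if query_flags & CD:
        # Stub asked for unchecked data so it can validate with its own trust anchors.
        return "unvalidated raw data at stub's request (CD set)"
    return "insecure or not validated (AD clear)"
```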