To: dnssec@cafax.se
From: "Loomis, Rip" <GILBERT.R.LOOMIS@saic.com>
Date: Tue, 11 May 2004 13:14:37 -0400
Sender: owner-dnssec@cafax.se
Subject: RE: dnssec: resolver - application communication

Duh.  CD=1 has already been (re)pointed out to me, although I've
still got concerns about whether someone can get "enough" of the
raw data with CD set to 1.  Apologies, and let me think more
before I insert foot in mouth any more.

Is one additional RCODE in the response to a resolver (Jim R.'s
"NOTVAL") enough to completely handle Matt's #2 case and the
other non-extreme cases?

  --Rip

> -----Original Message-----
> From: owner-dnssec@cafax.se [mailto:owner-dnssec@cafax.se] On Behalf Of Loomis, Rip
> Sent: Tuesday, May 11, 2004 11:42 AM
> To: dnssec@cafax.se
> Subject: RE: dnssec: resolver - application communication
> 
> 
> Matt Larson writes:
> 
> > It sounds like you're arguing for a richer signaling mechanism between
> > security-aware iterative-mode resolver and recursive-mode resolver.  I
> > have been in the "AD bit, SERVFAIL sucks" camp for some time and a
> > voice crying for something else.  I think some additional RCODEs (or
> > some other mechanism) to communicate DNSSEC validation status are
> > necessary and inevitable.
> 
> Hi Matt.
> 
> I think that as a minimum the "NOTVAL" RCODE is needed.  I'd actually
> like to see a "RAWDATAOK" (or something) RCODE that could be used in
> the request--to say "I not only want DNSSEC-relevant data, but I want
> the raw data even if some of it fails your local validation, since I may
> have my own secure entry points/configured keys".
> 
> Yes, there are potential problems, but I think that such a capability
> would be useful both in the transition stages of getting DNSSEC
> fielded (zones signed) and then in the subsequent notional transition
> to secure stub resolvers.  The alternative is requiring iterative
> queries to all the upstream authoritative servers (which may be
> prevented by router ACLs/topology on some networks) or else falling
> back to queries without DNSSEC.
> 
> Comments?  Did I miss something in my thinking?
> 
> > One of these days I'll just break down and write an I-D.
> 
> I think the day where one is needed has arrived.
> 
>   --Rip
> 
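The thread above turns on what a stub resolver can actually learn from the header bits it has today (RD, CD, AD and the 4-bit RCODE). The following Python is an added illustration, not code from the list or from any resolver: it packs and unpacks the 12-byte DNS header, sets CD on a query the way a stub with its own configured keys would, and then shows the "SERVFAIL sucks" problem concretely: with CD=0, a recursor that failed validation and a recursor that simply could not reach the authoritative servers send the stub byte-identical responses. The two SERVFAIL responses, the AD=1 response and the CD=1 response are all constructed inline for the demonstration; the verdict strings are this example's own labels, not protocol values, and the proposed "NOTVAL" RCODE is deliberately not given a number here because none was assigned.

```python
import struct

# Bit positions in the 16-bit DNS header flags word (RFC 1035 section 4.1.1;
# the AD and CD bits come from RFC 2535 / RFC 4035).
QR = 1 << 15
AA = 1 << 10
TC = 1 << 9
RD = 1 << 8
RA = 1 << 7
AD = 1 << 5   # Authentic Data: recursor validated everything it returned
CD = 1 << 4   # Checking Disabled: return data even if validation fails
RCODE_MASK = 0x000F

RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
RCODE_NXDOMAIN = 3

HEADER = struct.Struct("!HHHHHH")   # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def build_header(qid, flags, qdcount=1, ancount=0, nscount=0, arcount=0):
    """Serialize a 12-byte DNS header."""
    return HEADER.pack(qid, flags, qdcount, ancount, nscount, arcount)


def parse_header(data):
    """Decode the header fields a security-aware stub looks at."""
    qid, flags, _qd, an, _ns, _ar = HEADER.unpack_from(data)
    return {
        "id": qid,
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & RCODE_MASK,
        "ancount": an,
    }


def stub_query_flags(validate_locally):
    """RD is always set; CD is set when the stub holds its own trust anchors
    and wants the raw records back regardless of the recursor's verdict."""
    flags = RD
    if validate_locally:
        flags |= CD
    return flags


def classify_response(query_flags, response):
    """Everything a stub can infer from today's signalling (labels are this
    example's own, not protocol values)."""
    hdr = parse_header(response)
    if hdr["rcode"] == RCODE_SERVFAIL:
        if query_flags & CD:
            # A CD=1 query should not fail solely because of validation
            # (RFC 4035 section 3.2.2), so this points at a real server problem.
            return "servfail_not_validation"
        # CD=0: validation failure and upstream failure look identical.
        return "servfail_ambiguous"
    if query_flags & CD:
        return "raw_for_local_validation"
    if hdr["ad"]:
        return "validated_by_resolver"
    return "unvalidated"


def demo():
    """Constructed exchange: two different upstream outcomes, one wire response."""
    qid = 0x1234
    q_flags = stub_query_flags(validate_locally=False)
    # Constructed responses: the recursor failed validation vs. could not
    # reach the authoritative servers. Both are SERVFAIL with AD=0.
    validation_failed = build_header(qid, QR | RD | RA | RCODE_SERVFAIL)
    upstream_unreachable = build_header(qid, QR | RD | RA | RCODE_SERVFAIL)
    same_bytes = validation_failed == upstream_unreachable
    verdicts = (classify_response(q_flags, validation_failed),
                classify_response(q_flags, upstream_unreachable))
    # Constructed CD=1 exchange: the recursor hands back two records, AD=0,
    # and leaves the decision to the stub's own configured keys.
    raw = build_header(qid, QR | RD | RA | CD, ancount=2)
    raw_verdict = classify_response(stub_query_flags(validate_locally=True), raw)
    return same_bytes, verdicts, raw_verdict


if __name__ == "__main__":
    print(demo())
```

The `servfail_ambiguous` branch is the whole complaint: nothing in the 4-bit RCODE or the flags distinguishes "bogus" from "broken", which is what an additional RCODE such as the proposed "NOTVAL" would separate. Setting CD=1 sidesteps the problem only if the stub really does carry its own secure entry points and validates the returned RRSIGs itself.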
