To: dnssec@cafax.se
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Wed, 12 May 2004 12:09:53 -0400
In-Reply-To: Message from Miek Gieben <miekg@atoom.net> of "Wed, 12 May 2004 12:03:40 +0200." <20040512100340.GD10032@atoom.net>
Sender: owner-dnssec@cafax.se
Subject: Re: dnssec: resolver - application communication
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Miek" == Miek Gieben <miekg@atoom.net> writes:
>> have been in the "AD bit, SERVFAIL sucks" camp for some time and
>> a voice crying for something else. I think some additional
>> RCODEs (or
Miek> I tend to agree that having only SERVFAIL to signal
Miek> "something" is not enough. But I also want to ask the
Miek> following: aren't we optimizing the least used code-path?
No.
Auditing requires that I know why I trusted the positive response.
That requires a traceback even for successful lookups. The code path
will get exercised.
Yes, this is more than DNS provides today, but nobody "trusts" DNS
today - we use IP addresses in our firewall rules, and populate
/etc/hosts with a small number of hosts we must always be able to resolve.
- --
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys
iQCVAwUBQKJMUIqHRg3pndX9AQEGKAQArpQRv9eZvWgKOwMa+Pu2VQ2TEP15pc7M
l5BzI2vjQ6qcVVnCV7Ldgs1+BZp6BN/DGpNzPlBdLw638KnFecrVcy1hHnHEt4Cs
A+W2jjVhylQ280lRsnYImc8zK2W0vEiMDXMVfR17YVz8CeRAIi0cbnD4ZMmhgze0
oFWbFinvDgU=
=pTbC
-----END PGP SIGNATURE-----
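The point made in the message above, that an auditing application needs to know why it trusted a positive answer and that a bare SERVFAIL cannot tell it why a lookup failed, can be illustrated with a small parser for the DNS response header. This is an added example, not code from the message or from the dnssec list; the sample messages, the query name example.test, and the verdict labels are constructed here, while the header layout and flag positions (QR, AA, TC, RD, RA, AD, CD, RCODE) follow RFC 1035 and RFC 4035.

```python
import struct
from dataclasses import dataclass

# RCODE values from RFC 1035 section 4.1.1 (the low four bits of the flags word).
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


@dataclass
class DnsHeader:
    """Fields of the 12-byte DNS header (RFC 1035 4.1.1; AD and CD bits from RFC 4035)."""
    id: int
    qr: bool      # 1 = response
    opcode: int
    aa: bool      # authoritative answer
    tc: bool      # truncated
    rd: bool      # recursion desired
    ra: bool      # recursion available
    ad: bool      # authentic data: the resolver claims it validated the answer
    cd: bool      # checking disabled: the client asked the resolver not to validate
    rcode: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int


def parse_header(msg: bytes) -> DnsHeader:
    """Decode the fixed header; raises on a message too short to hold one."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return DnsHeader(
        id=ident,
        qr=bool(flags & 0x8000),
        opcode=(flags >> 11) & 0xF,
        aa=bool(flags & 0x0400),
        tc=bool(flags & 0x0200),
        rd=bool(flags & 0x0100),
        ra=bool(flags & 0x0080),
        ad=bool(flags & 0x0020),
        cd=bool(flags & 0x0010),
        rcode=flags & 0x000F,
        qdcount=qd, ancount=an, nscount=ns, arcount=ar,
    )


def audit_record(msg: bytes) -> dict:
    """Classify a resolver response the way an auditing application would log it.

    The verdict records not just whether the answer is usable but why it was
    trusted (AD set by a validating resolver) or why it cannot be. A bare
    SERVFAIL is marked ambiguous: the RCODE alone does not say whether
    validation failed or the server simply broke.
    """
    h = parse_header(msg)
    rcode = RCODE_NAMES.get(h.rcode, f"RCODE{h.rcode}")
    if not h.qr:
        verdict, reason = "not-a-response", "QR bit clear"
    elif h.tc:
        verdict, reason = "truncated", "TC set; retry over TCP before trusting anything"
    elif h.rcode == 0 and h.ad and not h.cd:
        verdict, reason = "validated", "NOERROR with AD set by the resolver"
    elif h.rcode == 0:
        verdict, reason = "unvalidated", "NOERROR but AD clear (unsigned zone, non-validating resolver, or CD set)"
    elif h.rcode == 2:
        verdict, reason = "servfail-ambiguous", "SERVFAIL: bogus data and upstream failure are indistinguishable"
    else:
        verdict, reason = "error", rcode
    return {"id": h.id, "rcode": rcode, "ad": h.ad, "cd": h.cd,
            "answers": h.ancount, "verdict": verdict, "reason": reason}


def build_response(ident: int, flags: int, ancount: int = 0) -> bytes:
    """Constructed sample message: header plus one question for the hypothetical
    name example.test (type A, class IN). No answer RRs are included because
    flag inspection does not need them."""
    qname = b"\x07example\x04test\x00"
    header = struct.pack("!HHHHHH", ident, flags, 1, ancount, 0, 0)
    return header + qname + struct.pack("!HH", 1, 1)


# Constructed samples: QR|RD|RA = 0x8180, plus AD (0x0020), or RCODE 2 (SERVFAIL).
VALIDATED_RESPONSE = build_response(0x1001, 0x81A0, ancount=1)
UNVALIDATED_RESPONSE = build_response(0x1002, 0x8180, ancount=1)
SERVFAIL_RESPONSE = build_response(0x1003, 0x8182)

if __name__ == "__main__":
    for sample in (VALIDATED_RESPONSE, UNVALIDATED_RESPONSE, SERVFAIL_RESPONSE):
        print(audit_record(sample))
```

The record is only as trustworthy as the path to the resolver: the AD bit is an unauthenticated flag in a UDP packet, so an application should rely on it only when the resolver is on the same host or reached over a channel it already trusts, which is exactly the resolver-to-application gap the thread's subject line names.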