To: dnssec@cafax.se
From: Miek Gieben <miekg@atoom.net>
Date: Wed, 12 May 2004 22:24:40 +0200
Content-Disposition: inline
In-Reply-To: <14226.1084378193@marajade.sandelman.ottawa.on.ca>
Mail-Followup-To: dnssec@cafax.se
Sender: owner-dnssec@cafax.se
User-Agent: Vim/Mutt/Linux
Subject: Re: dnssec: resolver - application communication
[On 12 May, @18:09, Michael wrote in "Re: dnssec: resolver - applica ..."]
> >>>>> "Miek" == Miek Gieben <miekg@atoom.net> writes:
> >> have been in the "AD bit, SERVFAIL sucks" camp for some time and
> >> a voice crying for something else. I think some additional
> >> RCODEs (or
>
> Miek> I tend to agree that having only SERVFAIL to signal
> Miek> "something" is not enough. But I also want to ask the
> Miek> following: aren't we optimizing the least used code-path?
>
> No.
>
> Auditing requires that I know why I trusted the positive response.
> That requires a traceback even for successful lookups. The code path
> will get exercised.
>
> yes, this is more than DNS provides today, but nobody "trusts" DNS
> today - we use IP addresses in our firewall rules, and populate
> /etc/hosts with a small number of hosts we must always be able to resolve.

so, then _your_ app does the resolving with RD=0 and CD=1 ...
(having generic code and stuff that can do this would be nice, but
that is IMO a different ball game)

grtz Miek
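As an added illustration (not part of the original mail or of any resolver code), the header flags the reply refers to: a query built with RD=0 and CD=1 so the application validates for itself, and a decoder showing the only two signals a stub gets back today, the AD bit or SERVFAIL. Function names and the sample response headers are constructed for this example.

```python
import struct

# DNS header flag bits in the 16-bit flags word (RFC 1035 layout, AD/CD from RFC 4035)
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a DNS query with RD=0 (no recursion asked) and CD=1 (checking
    disabled): the upstream server returns the signed data as-is and the
    application validates it itself. Hypothetical helper, not resolver code."""
    flags = CD                      # RD stays clear, CD set, all other bits zero
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qn = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qn + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def header_flags(msg: bytes) -> dict:
    """Decode the flags word of a DNS message into the bits this thread discusses."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return {
        "qr": bool(flags & QR), "rd": bool(flags & RD), "cd": bool(flags & CD),
        "ad": bool(flags & AD), "rcode": flags & RCODE_MASK,
    }

def classify_response(msg: bytes) -> str:
    """What a stub resolver can tell from the header alone: AD set, or SERVFAIL.
    SERVFAIL carries no reason, which is the complaint the mail quotes."""
    f = header_flags(msg)
    if f["rcode"] == RCODE_SERVFAIL:
        return "servfail"           # validation failure or any other server error
    return "validated" if f["ad"] else "unvalidated"

# Constructed sample response headers (12 bytes each, no question/answer sections)
RESP_AD = struct.pack("!HHHHHH", 0x1234, QR | RA | AD, 1, 1, 0, 0)
RESP_SERVFAIL = struct.pack("!HHHHHH", 0x1234, QR | RA | RCODE_SERVFAIL, 1, 0, 0, 0)

if __name__ == "__main__":
    print(header_flags(build_query("example.net.")))
    print(classify_response(RESP_AD), classify_response(RESP_SERVFAIL))
```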