To:
dnssec@cafax.se
From:
Miek Gieben <miekg@atoom.net>
Date:
Thu, 13 May 2004 11:30:01 +0200
Content-Disposition:
inline
In-Reply-To:
<40A32E65.3010804@irisa.fr>
Mail-Followup-To:
dnssec@cafax.se
Sender:
owner-dnssec@cafax.se
User-Agent:
Vim/Mutt/Linux
Subject:
Re: dnssec: resolver - application communication
[On 13 May, @10:14, David wrote in "Re: dnssec: resolver - applica ..."] > >I tend to agree that having only SERVFAIL to signal "something" is not > >enough. But I also want to ask the following: aren't we optimizing the > >least used code-path? > > > > > We play a lot with DNSSEC here and it appears that it is quite easy to > have non working > configurations. So here, SERVFAILs aren't so unusual. ok, but the word you use is 'play', when I was running the SECREG experiment never had a problem with the .nl zone. Also the delegations were also (mostly) correct. I think there is a difference between playing with DNSSEC and deploying DNSSEC. > >1) > >Either we add a NOTVAL error code to signal that "yes, we've got the > >data, and no it didn't verify". So that the thing at the other end > >might requery with CD=1 if it requires so. > > > >2) > >Or we say SERVFAIL is enough, and if you get SERVFAIL the thing at the > >other end might requery with CD=1 if it requires so. > > > > > > > For me it should be option 1. When using configuration 1, applications > can still behave as if they were in configurations 2. I have trouble parsing this, the behavior of application in both options is the same (requery with CD=1 (and maybe RD=0)) only the cause if different: SERVFAIL vs NOTVAL, grtz Miek