To: miekg@atoom.net
Cc: dnssec@cafax.se
From: Havard Eidnes <he@uninett.no>
Date: Thu, 13 May 2004 13:20:12 +0200 (CEST)
In-Reply-To: <20040513093001.GB1847@atoom.net>
Sender: owner-dnssec@cafax.se
Subject: Re: dnssec: resolver - application communication

> > > I tend to agree that having only SERVFAIL to signal "something"
> > > is not enough. But I also want to ask the following: aren't we
> > > optimizing the least used code-path?
> >
> > We play a lot with DNSSEC here and it appears that it is quite
> > easy to have non-working configurations. So here, SERVFAILs aren't
> > so unusual.
>
> ok, but the word you use is 'play'; when I was running the SECREG
> experiment I never had a problem with the .nl zone.  Also the
> delegations were also (mostly) correct.  I think there is a
> difference between playing with DNSSEC and deploying DNSSEC.

There's also a difference between being an eager early adopter
(who would probably be able to dot every 'i' and cross every 't')
and being among the later onrush (?) of adopters.

If the present general level of consistency in the DNS at large is
going to be in any way similar to the level of consistency observed
in the DNSSEC-enabled part of the DNS, I would postulate that errors
(of one type or another) will be all too common, and that both good
error messages and good debugging tools will be appreciated by users
and operators alike.

Regards,

- Håvard

