draft-ietf-dnsop-extended-error-03.txt | draft-ietf-dnsop-extended-error-04.txt | |||
---|---|---|---|---|
Network Working Group W. Kumari | Network Working Group W. Kumari | |||
Internet-Draft Google | Internet-Draft Google | |||
Intended status: Standards Track E. Hunt | Intended status: Standards Track E. Hunt | |||
Expires: June 23, 2019 ISC | Expires: July 11, 2019 ISC | |||
R. Arends | R. Arends | |||
ICANN | ICANN | |||
W. Hardaker | W. Hardaker | |||
USC/ISI | USC/ISI | |||
D. Lawrence | D. Lawrence | |||
Oracle + Dyn | Oracle + Dyn | |||
December 20, 2018 | January 07, 2019 | |||
Extended DNS Errors | Extended DNS Errors | |||
draft-ietf-dnsop-extended-error-03 | draft-ietf-dnsop-extended-error-04 | |||
Abstract | Abstract | |||
This document defines an extensible method to return additional | This document defines an extensible method to return additional | |||
information about the cause of DNS errors. Though created primarily | information about the cause of DNS errors. Though created primarily | |||
to extend SERVFAIL to provide additional information about the cause | to extend SERVFAIL to provide additional information about the cause | |||
of DNS and DNSSEC failures, the Extended DNS Errors option defined in | of DNS and DNSSEC failures, the Extended DNS Errors option defined in | |||
this document allows all response types to contain extended error | this document allows all response types to contain extended error | |||
information. | information. | |||
skipping to change at page 1, line 42 ¶ | skipping to change at page 1, line 42 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on June 23, 2019. | This Internet-Draft will expire on July 11, 2019. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
skipping to change at page 2, line 26 ¶ | skipping to change at page 2, line 26 ¶ | |||
1. Introduction and background . . . . . . . . . . . . . . . . . 3 | 1. Introduction and background . . . . . . . . . . . . . . . . . 3 | |||
1.1. Requirements notation . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 3 | |||
2. Extended Error EDNS0 option format . . . . . . . . . . . . . 3 | 2. Extended Error EDNS0 option format . . . . . . . . . . . . . 3 | |||
3. Use of the Extended DNS Error option . . . . . . . . . . . . 4 | 3. Use of the Extended DNS Error option . . . . . . . . . . . . 4 | |||
3.1. The R (Retry) flag . . . . . . . . . . . . . . . . . . . 5 | 3.1. The R (Retry) flag . . . . . . . . . . . . . . . . . . . 5 | |||
3.2. The RESPONSE-CODE field . . . . . . . . . . . . . . . . . 5 | 3.2. The RESPONSE-CODE field . . . . . . . . . . . . . . . . . 5 | |||
3.3. The INFO-CODE field . . . . . . . . . . . . . . . . . . . 5 | 3.3. The INFO-CODE field . . . . . . . . . . . . . . . . . . . 5 | |||
3.4. The EXTRA-TEXT field . . . . . . . . . . . . . . . . . . 5 | 3.4. The EXTRA-TEXT field . . . . . . . . . . . . . . . . . . 5 | |||
4. Defined Extended DNS Errors . . . . . . . . . . . . . . . . . 5 | 4. Defined Extended DNS Errors . . . . . . . . . . . . . . . . . 5 | |||
4.1. INFO-CODEs for use with RESPONSE-CODE: SERVFAIL(2) . . . 6 | 4.1. INFO-CODEs for use with RESPONSE-CODE: NOERROR(0) . . . . 6 | |||
4.1.1. SERVFAIL Extended DNS Error Code 1 - DNSSEC Bogus . . 6 | 4.1.1. NOERROR Extended DNS Error Code 1 - Unsupported | |||
4.1.2. SERVFAIL Extended DNS Error Code 2 - DNSSEC | DNSKEY Algorithm . . . . . . . . . . . . . . . . . . 6 | |||
4.1.2. NOERROR Extended DNS Error Code 2 - Unsupported | ||||
DS Algorithm . . . . . . . . . . . . . . . . . . . . 6 | ||||
4.2. INFO-CODEs for use with RESPONSE-CODE: SERVFAIL(2) . . . 6 | ||||
4.2.1. SERVFAIL Extended DNS Error Code 1 - DNSSEC Bogus . . 6 | ||||
4.2.2. SERVFAIL Extended DNS Error Code 2 - DNSSEC | ||||
Indeterminate . . . . . . . . . . . . . . . . . . . . 6 | Indeterminate . . . . . . . . . . . . . . . . . . . . 6 | |||
4.1.3. SERVFAIL Extended DNS Error Code 3 - Signature | 4.2.3. SERVFAIL Extended DNS Error Code 3 - Signature | |||
Expired . . . . . . . . . . . . . . . . . . . . . . . 6 | Expired . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
4.1.4. SERVFAIL Extended DNS Error Code 4 - Signature Not | 4.2.4. SERVFAIL Extended DNS Error Code 4 - Signature Not | |||
Yet Valid . . . . . . . . . . . . . . . . . . . . . . 6 | Yet Valid . . . . . . . . . . . . . . . . . . . . . . 6 | |||
4.1.5. SERVFAIL Extended DNS Error Code 5 - Unsupported | 4.2.5. SERVFAIL Extended DNS Error Code 5 - DNSKEY missing . 6 | |||
DNSKEY Algorithm . . . . . . . . . . . . . . . . . . 6 | 4.2.6. SERVFAIL Extended DNS Error Code 6 - RRSIGs missing . 7 | |||
4.1.6. SERVFAIL Extended DNS Error Code 6 - Unsupported | 4.2.7. SERVFAIL Extended DNS Error Code 7 - No Zone Key Bit | |||
DS Algorithm . . . . . . . . . . . . . . . . . . . . 6 | ||||
4.1.7. SERVFAIL Extended DNS Error Code 7 - DNSKEY missing . 6 | ||||
4.1.8. SERVFAIL Extended DNS Error Code 8 - RRSIGs missing . 7 | ||||
4.1.9. SERVFAIL Extended DNS Error Code 9 - No Zone Key Bit | ||||
Set . . . . . . . . . . . . . . . . . . . . . . . . . 7 | Set . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
4.2. INFO-CODEs for use with RESPONSE-CODE: REFUSED(5) . . . . 7 | 4.3. INFO-CODEs for use with RESPONSE-CODE: REFUSED(5) . . . . 7 | |||
4.2.1. REFUSED Extended DNS Error Code 1 - Lame . . . . . . 7 | 4.3.1. REFUSED Extended DNS Error Code 1 - Lame . . . . . . 7 | |||
4.2.2. REFUSED Extended DNS Error Code 2 - Prohibited . . . 7 | 4.3.2. REFUSED Extended DNS Error Code 2 - Prohibited . . . 7 | |||
4.3. INFO-CODEs for use with RESPONSE-CODE: NXDOMAIN(3) . . . 7 | 4.4. INFO-CODEs for use with RESPONSE-CODE: NXDOMAIN(3) . . . 7 | |||
4.3.1. NXDOMAIN Extended DNS Error Code 1 - Blocked . . . . 7 | 4.4.1. NXDOMAIN Extended DNS Error Code 1 - Blocked . . . . 7 | |||
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | |||
5.1. new Extended Error Code EDNS Option . . . . . . . . . . . 7 | 5.1. new Extended Error Code EDNS Option . . . . . . . . . . . 7 | |||
5.2. New Extended Error Code EDNS Option . . . . . . . . . . . 8 | 5.2. New Extended Error Code EDNS Option . . . . . . . . . . . 8 | |||
6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | |||
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 | |||
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
8.1. Normative References . . . . . . . . . . . . . . . . . . 10 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 10 | |||
8.2. Informative References . . . . . . . . . . . . . . . . . 10 | 8.2. Informative References . . . . . . . . . . . . . . . . . 10 | |||
Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 11 | Appendix A. Changes / Author Notes. . . . . . . . . . . . . . . 11 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
skipping to change at page 4, line 34 ¶ | skipping to change at page 4, line 34 ¶ | |||
length of the payload (everything after OPTION-LENGTH) in octets | length of the payload (everything after OPTION-LENGTH) in octets | |||
and should be 4 plus the length of the EXTRA-TEXT section (which | and should be 4 plus the length of the EXTRA-TEXT section (which | |||
may be a zero-length string). | may be a zero-length string). | |||
o The RETRY flag, 1 bit; the RETRY bit (R) indicates a flag defined | o The RETRY flag, 1 bit; the RETRY bit (R) indicates a flag defined | |||
for use in this specification. | for use in this specification. | |||
o The RESERVED bits, 15 bits: these bits are reserved for future | o The RESERVED bits, 15 bits: these bits are reserved for future | |||
use, potentially as additional flags. The RESERVED bits MUST be | use, potentially as additional flags. The RESERVED bits MUST be | |||
set to 0 by the sender and SHOULD be ignored by the receiver. | set to 0 by the sender and SHOULD be ignored by the receiver. | |||
o RESPONSE-CODE, 4 bits. | o RESPONSE-CODE, 4 bits. | |||
o INFO-CODE, 12-bits. | o INFO-CODE, 12-bits. | |||
o EXTRA-TEXT, a variable length, ASCII encoded, text field that may | o EXTRA-TEXT, a variable length, UTF-8 encoded, text field that may | |||
hold additional textual information. | hold additional textual information. | |||
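The option layout just listed, together with the initial (RESPONSE-CODE, INFO-CODE) registry from Section 5 of draft-04, worked through as an added Python encoder/decoder; this is not code from the draft or from any resolver, and since OPTION-CODE is still TBD1 the option code is passed in as a parameter, with a constructed placeholder in the demo.

```python
"""Extended DNS Error (EDE) option encoder/decoder following the payload layout
in draft-ietf-dnsop-extended-error-04.  Added example: not code from the draft
or from any named resolver.  OPTION-CODE is TBD1 in the draft, so the caller
supplies it as a parameter (a constructed placeholder is used in the demo)."""
import struct
from dataclasses import dataclass

# Initial (RESPONSE-CODE, INFO-CODE) -> Purpose entries listed in Section 5 of
# draft-04.  Any other pair decodes as "Unassigned" rather than failing.
EDE_REGISTRY = {
    (0, 1): "Unsupported DNSKEY Algorithm", (0, 2): "Unsupported DS Algorithm",
    (2, 1): "DNSSEC Bogus",                 (2, 2): "DNSSEC Indeterminate",
    (2, 3): "Signature Expired",            (2, 4): "Signature Not Yet Valid",
    (2, 5): "DNSKEY missing",               (2, 6): "RRSIGs missing",
    (2, 7): "No Zone Key Bit Set",          (3, 1): "Blocked",
    (5, 1): "Lame",                         (5, 2): "Prohibited",
}
R_FLAG = 0x8000  # RETRY bit: most significant bit of the 16-bit flags word


@dataclass(frozen=True)
class ExtendedError:
    retry: bool           # the R flag
    response_code: int    # 4-bit RESPONSE-CODE
    info_code: int        # 12-bit INFO-CODE
    extra_text: str = ""  # UTF-8 EXTRA-TEXT, may be empty

    @property
    def purpose(self) -> str:
        return EDE_REGISTRY.get((self.response_code, self.info_code), "Unassigned")


def info_code_policy(info_code: int) -> str:
    """Registration policy band for an INFO-CODE, per Section 5.2 of the draft."""
    if not 0 <= info_code <= 4095:
        raise ValueError("INFO-CODE is a 12-bit value")
    if info_code <= 3583:
        return "Specification required"
    if info_code <= 3839:
        return "First Come First Served"
    return "Experimental / Private use"


def encode_ede_payload(ede: ExtendedError) -> bytes:
    """Build everything after OPTION-LENGTH: flags, codes, EXTRA-TEXT."""
    if not 0 <= ede.response_code <= 0xF or not 0 <= ede.info_code <= 0xFFF:
        raise ValueError("RESPONSE-CODE is 4 bits and INFO-CODE is 12 bits")
    flags = R_FLAG if ede.retry else 0  # RESERVED bits MUST be sent as 0
    codes = (ede.response_code << 12) | ede.info_code
    return struct.pack("!HH", flags, codes) + ede.extra_text.encode("utf-8")


def encode_ede_option(ede: ExtendedError, option_code: int) -> bytes:
    """Full EDNS option: OPTION-CODE, OPTION-LENGTH (= 4 + len(EXTRA-TEXT)), payload."""
    payload = encode_ede_payload(ede)
    return struct.pack("!HH", option_code, len(payload)) + payload


def decode_ede_option(option: bytes, option_code: int) -> ExtendedError:
    """Parse one EDNS option; raises ValueError on anything malformed."""
    if len(option) < 4:
        raise ValueError("truncated EDNS option header")
    code, length = struct.unpack("!HH", option[:4])
    if code != option_code:
        raise ValueError(f"not an EDE option (OPTION-CODE {code})")
    payload = option[4:]
    if length != len(payload):
        raise ValueError("OPTION-LENGTH does not match payload length")
    if length < 4:
        raise ValueError("EDE payload shorter than its fixed 4-octet header")
    flags, codes = struct.unpack("!HH", payload[:4])
    # RESERVED bits SHOULD be ignored by the receiver: only the R bit is read.
    retry = bool(flags & R_FLAG)
    # EXTRA-TEXT is informational; a bad UTF-8 sequence must not drop the option.
    text = payload[4:].decode("utf-8", errors="replace")
    return ExtendedError(retry, codes >> 12, codes & 0x0FFF, text)


if __name__ == "__main__":
    TBD1 = 0xFFFE  # constructed placeholder for the still-unassigned OPTION-CODE
    lame = ExtendedError(True, 5, 1, "not authoritative for this zone")
    wire = encode_ede_option(lame, TBD1)
    print(wire.hex(), decode_ede_option(wire, TBD1).purpose)
```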
3. Use of the Extended DNS Error option | 3. Use of the Extended DNS Error option | |||
The Extended DNS Error (EDE) is an EDNS option. It can be included | The Extended DNS Error (EDE) is an EDNS option. It can be included | |||
in any response (SERVFAIL, NXDOMAIN, REFUSED, etc) to a query that | in any response (SERVFAIL, NXDOMAIN, REFUSED, etc) to a query that | |||
includes an EDNS option. This document includes a set of initial | includes an EDNS option. This document includes a set of initial | |||
codepoints (and requests to the IANA to add them to the registry), | codepoints (and requests to the IANA to add them to the registry), | |||
but is extensible via the IANA registry to allow additional error and | but is extensible via the IANA registry to allow additional error and | |||
information codes to be defined in the future. | information codes to be defined in the future. | |||
skipping to change at page 5, line 41 ¶ | skipping to change at page 5, line 41 ¶ | |||
different RCODE. | different RCODE. | |||
3.3. The INFO-CODE field | 3.3. The INFO-CODE field | |||
This 12-bit value provides the additional context for the RESPONSE- | This 12-bit value provides the additional context for the RESPONSE- | |||
CODE value. This combination of the RESPONSE-CODE and the INFO-CODE | CODE value. This combination of the RESPONSE-CODE and the INFO-CODE | |||
serve as a joint-index into the IANA "Extended DNS Errors" registry. | serve as a joint-index into the IANA "Extended DNS Errors" registry. | |||
3.4. The EXTRA-TEXT field | 3.4. The EXTRA-TEXT field | |||
The ASCII-encoded, EXTRA-TEXT field may be zero-length, or may hold | The UTF-8-encoded, EXTRA-TEXT field may be zero-length, or may hold | |||
additional information useful to network operators. | additional information useful to network operators. | |||
4. Defined Extended DNS Errors | 4. Defined Extended DNS Errors | |||
This document defines some initial EDE codes. The mechanism is | This document defines some initial EDE codes. The mechanism is | |||
intended to be extensible, and additional code-points can be | intended to be extensible, and additional code-points can be | |||
registered in the "Extended DNS Errors" registry. This document | registered in the "Extended DNS Errors" registry. This document | |||
provides suggestions for the R flag, but the originating server may | provides suggestions for the R flag, but the originating server may | |||
ignore these recommendations if it knows better. | ignore these recommendations if it knows better. | |||
The RESPONSE-CODE and the INFO-CODE from the EDE EDNS option is used | The RESPONSE-CODE and the INFO-CODE from the EDE EDNS option is used | |||
to serve as a double index into the "Extended DNS Error codes" IANA | to serve as a double index into the "Extended DNS Error codes" IANA | |||
registry, the initial values for which are defined in the following | registry, the initial values for which are defined in the following | |||
sub-sections. | sub-sections. | |||
4.1. INFO-CODEs for use with RESPONSE-CODE: SERVFAIL(2) | 4.1. INFO-CODEs for use with RESPONSE-CODE: NOERROR(0) | |||
4.1.1. SERVFAIL Extended DNS Error Code 1 - DNSSEC Bogus | 4.1.1. NOERROR Extended DNS Error Code 1 - Unsupported DNSKEY Algorithm | |||
The resolver attempted to perform DNSSEC validation, but a DNSKEY | ||||
RRSET contained only unknown algorithms. The R flag should be set. | ||||
4.1.2. NOERROR Extended DNS Error Code 2 - Unsupported DS Algorithm | ||||
The resolver attempted to perform DNSSEC validation, but a DS RRSET | ||||
contained only unknown algorithms. The R flag should be set. | ||||
4.2. INFO-CODEs for use with RESPONSE-CODE: SERVFAIL(2) | ||||
4.2.1. SERVFAIL Extended DNS Error Code 1 - DNSSEC Bogus | ||||
The resolver attempted to perform DNSSEC validation, but validation | The resolver attempted to perform DNSSEC validation, but validation | |||
ended in the Bogus state. The R flag should not be set. | ended in the Bogus state. The R flag should not be set. | |||
4.1.2. SERVFAIL Extended DNS Error Code 2 - DNSSEC Indeterminate | 4.2.2. SERVFAIL Extended DNS Error Code 2 - DNSSEC Indeterminate | |||
The resolver attempted to perform DNSSEC validation, but validation | The resolver attempted to perform DNSSEC validation, but validation | |||
ended in the Indeterminate state. The R flag should not be set. | ended in the Indeterminate state. The R flag should not be set. | |||
4.1.3. SERVFAIL Extended DNS Error Code 3 - Signature Expired | 4.2.3. SERVFAIL Extended DNS Error Code 3 - Signature Expired | |||
The resolver attempted to perform DNSSEC validation, but the | The resolver attempted to perform DNSSEC validation, but the | |||
signature was expired. The R flag should not be set. | signature was expired. The R flag should not be set. | |||
4.1.4. SERVFAIL Extended DNS Error Code 4 - Signature Not Yet Valid | 4.2.4. SERVFAIL Extended DNS Error Code 4 - Signature Not Yet Valid | |||
The resolver attempted to perform DNSSEC validation, but the | The resolver attempted to perform DNSSEC validation, but the | |||
signatures received were not yet valid. The R flag should not be | signatures received were not yet valid. The R flag should not be | |||
set. | set. | |||
4.1.5. SERVFAIL Extended DNS Error Code 5 - Unsupported DNSKEY | 4.2.5. SERVFAIL Extended DNS Error Code 5 - DNSKEY missing | |||
Algorithm | ||||
The resolver attempted to perform DNSSEC validation, but a DNSKEY | ||||
RRSET contained only unknown algorithms. The R flag should be set. | ||||
4.1.6. SERVFAIL Extended DNS Error Code 6 - Unsupported DS Algorithm | ||||
The resolver attempted to perform DNSSEC validation, but a DS RRSET | ||||
contained only unknown algorithms. The R flag should be set. | ||||
4.1.7. SERVFAIL Extended DNS Error Code 7 - DNSKEY missing | ||||
A DS record existed at a parent, but no DNSKEY record could be found | A DS record existed at a parent, but no DNSKEY record could be found | |||
for the child. The R flag should not be set. | for the child. The R flag should not be set. | |||
4.1.8. SERVFAIL Extended DNS Error Code 8 - RRSIGs missing | 4.2.6. SERVFAIL Extended DNS Error Code 6 - RRSIGs missing | |||
The resolver attempted to perform DNSSEC validation, but no RRSIGs | The resolver attempted to perform DNSSEC validation, but no RRSIGs | |||
could be found for at least one RRset where RRSIGs were expected. | could be found for at least one RRset where RRSIGs were expected. | |||
4.1.9. SERVFAIL Extended DNS Error Code 9 - No Zone Key Bit Set | 4.2.7. SERVFAIL Extended DNS Error Code 7 - No Zone Key Bit Set | |||
The resolver attempted to perform DNSSEC validation, but no Zone Key | The resolver attempted to perform DNSSEC validation, but no Zone Key | |||
Bit was set in a DNSKEY. | Bit was set in a DNSKEY. | |||
4.2. INFO-CODEs for use with RESPONSE-CODE: REFUSED(5) | 4.3. INFO-CODEs for use with RESPONSE-CODE: REFUSED(5) | |||
4.2.1. REFUSED Extended DNS Error Code 1 - Lame | 4.3.1. REFUSED Extended DNS Error Code 1 - Lame | |||
An authoritative resolver that receives a query (with the RD bit | An authoritative resolver that receives a query (with the RD bit | |||
clear) for a domain for which it is not authoritative SHOULD include | clear) for a domain for which it is not authoritative SHOULD include | |||
this EDE code in the REFUSED response. Implementations should set | this EDE code in the REFUSED response. Implementations should set | |||
the R flag in this case (another nameserver might not be lame). | the R flag in this case (another nameserver might not be lame). | |||
4.2.2. REFUSED Extended DNS Error Code 2 - Prohibited | 4.3.2. REFUSED Extended DNS Error Code 2 - Prohibited | |||
An authoritative or recursive resolver that receives a query from an | An authoritative or recursive resolver that receives a query from an | |||
"unauthorized" client can annotate its REFUSED message with this | "unauthorized" client can annotate its REFUSED message with this | |||
code. Examples of "unauthorized" clients are recursive queries from | code. Examples of "unauthorized" clients are recursive queries from | |||
IP addresses outside the network, blacklisted IP addresses, local | IP addresses outside the network, blacklisted IP addresses, local | |||
policy, etc. | policy, etc. | |||
Implementations SHOULD allow operators to define what to set the R | Implementations SHOULD allow operators to define what to set the R | |||
flag to in this case. | flag to in this case. | |||
4.3. INFO-CODEs for use with RESPONSE-CODE: NXDOMAIN(3) | 4.4. INFO-CODEs for use with RESPONSE-CODE: NXDOMAIN(3) | |||
4.3.1. NXDOMAIN Extended DNS Error Code 1 - Blocked | 4.4.1. NXDOMAIN Extended DNS Error Code 1 - Blocked | |||
The resolver attempted to perform a DNS query but the domain is | The resolver attempted to perform a DNS query but the domain is | |||
blacklisted due to a security policy. The R flag should not be set. | blacklisted due to a security policy. The R flag should not be set. | |||
5. IANA Considerations | 5. IANA Considerations | |||
5.1. new Extended Error Code EDNS Option | 5.1. new Extended Error Code EDNS Option | |||
This document defines a new EDNS(0) option, entitled "Extended DNS | This document defines a new EDNS(0) option, entitled "Extended DNS | |||
Error", assigned a value of TBD1 from the "DNS EDNS0 Option Codes | Error", assigned a value of TBD1 from the "DNS EDNS0 Option Codes | |||
skipping to change at page 8, line 24 ¶ | skipping to change at page 8, line 24 ¶ | |||
"Extended DNS Error codes" registry. The codepoint space for each | "Extended DNS Error codes" registry. The codepoint space for each | |||
INFO-CODE index is to be broken into 3 ranges: | INFO-CODE index is to be broken into 3 ranges: | |||
o 0 - 3583: Specification required. | o 0 - 3583: Specification required. | |||
o 3584 - 3839: First Come First Served. | o 3584 - 3839: First Come First Served. | |||
o 3840 - 4095: Experimental / Private use | o 3840 - 4095: Experimental / Private use | |||
A starting set of entries, based on the contents of this document, is | A starting set of entries, based on the contents of this document, is | |||
as follows: | as follows: | |||
RESPONSE-CODE: 0 (NOERROR) | ||||
INFO-CODE: 1 | ||||
Purpose: Unsupported DNSKEY | ||||
Reference: Section 4.1.1 | ||||
RESPONSE-CODE: 0 (NOERROR) | ||||
INFO-CODE: 2 | ||||
Purpose: Unsupported DS Algorithm | ||||
Reference: Section 4.1.2 | ||||
RESPONSE-CODE: 2 (SERVFAIL) | RESPONSE-CODE: 2 (SERVFAIL) | |||
INFO-CODE: 1 | INFO-CODE: 1 | |||
Purpose: DNSSEC Bogus | Purpose: DNSSEC Bogus | |||
Reference: Section 4.1.1 | Reference: Section 4.2.1 | |||
RESPONSE-CODE: 2 (SERVFAIL) | RESPONSE-CODE: 2 (SERVFAIL) | |||
INFO-CODE: 2 | INFO-CODE: 2 | |||
Purpose: DNSSEC Indeterminate | Purpose: DNSSEC Indeterminate | |||
Reference: Section 4.1.2 | Reference: Section 4.2.2 | |||
RESPONSE-CODE: 2 (SERVFAIL) | RESPONSE-CODE: 2 (SERVFAIL) | |||
INFO-CODE: 3 | INFO-CODE: 3 | |||
Purpose: Signature Expired | Purpose: Signature Expired | |||
Reference: Section 4.1.3 | Reference: Section 4.2.3 | |||
RESPONSE-CODE: 2 (SERVFAIL) | RESPONSE-CODE: 2 (SERVFAIL) | |||
INFO-CODE: 4 | INFO-CODE: 4 | |||
Purpose: Signature Not Yet Valid | Purpose: Signature Not Yet Valid | |||
Reference: Section 4.1.4 | Reference: Section 4.2.4 | |||
RESPONSE-CODE: 2 (SERVFAIL) | RESPONSE-CODE: 2 (SERVFAIL) | |||
INFO-CODE: 5 | INFO-CODE: 5 | |||
Purpose: Unsupported DNSKEY | ||||
Reference: Section 4.1.5 | ||||
RESPONSE-CODE: 2 (SERVFAIL) | ||||
INFO-CODE: 6 | ||||
Purpose: Unsupported DS Algorithm | ||||
Reference: Section 4.1.6 | ||||
RESPONSE-CODE: 2 (SERVFAIL) | ||||
INFO-CODE: 7 | ||||
Purpose: DNSKEY missing | Purpose: DNSKEY missing | |||
Reference: Section 4.1.7 | Reference: Section 4.2.5 | |||
RESPONSE-CODE: 2 (SERVFAIL) | RESPONSE-CODE: 2 (SERVFAIL) | |||
INFO-CODE: 8 | INFO-CODE: 6 | |||
Purpose: RRSIGs missing | Purpose: RRSIGs missing | |||
Reference: Section 4.1.8 | Reference: Section 4.2.6 | |||
RESPONSE-CODE: 2 (SERVFAIL) | RESPONSE-CODE: 2 (SERVFAIL) | |||
INFO-CODE: 9 | INFO-CODE: 7 | |||
Purpose: No Zone Key Bit Set | Purpose: No Zone Key Bit Set | |||
Reference: Section 4.1.9 | Reference: Section 4.2.7 | |||
RESPONSE-CODE: 3 (NXDOMAIN) | RESPONSE-CODE: 3 (NXDOMAIN) | |||
INFO-CODE: 1 | INFO-CODE: 1 | |||
Purpose: Blocked | Purpose: Blocked | |||
Reference: Section 4.3.1 | Reference: Section 4.4.1 | |||
RESPONSE-CODE: 5 (REFUSED) | RESPONSE-CODE: 5 (REFUSED) | |||
INFO-CODE: 1 | INFO-CODE: 1 | |||
Purpose: Lame | Purpose: Lame | |||
Reference: Section 4.2.1 | Reference: Section 4.3.1 | |||
RESPONSE-CODE: 5 (REFUSED) | RESPONSE-CODE: 5 (REFUSED) | |||
INFO-CODE: 2 | INFO-CODE: 2 | |||
Purpose: Prohibited | Purpose: Prohibited | |||
Reference: Section 4.2.2 | Reference: Section 4.3.2 | |||
6. Security Considerations | 6. Security Considerations | |||
Though DNSSEC continues to be deployed, unfortunately a significant | Though DNSSEC continues to be deployed, unfortunately a significant | |||
number of clients (~11% according to [GeoffValidation]) that receive | number of clients (~11% according to [GeoffValidation]) that receive | |||
a SERVFAIL from a validating resolver because of a DNSSEC validation | a SERVFAIL from a validating resolver because of a DNSSEC validation | |||
issue will simply ask the next (potentially non-validating) resolver | issue will simply ask the next (potentially non-validating) resolver | |||
in their list, and thus don't get any of the protections which DNSSEC | in their list, and thus don't get any of the protections which DNSSEC | |||
should provide. This is very similar to a kid asking his mother if | should provide. This is very similar to a kid asking his mother if | |||
he can have another cookie. When the mother says "No, it will ruin | he can have another cookie. When the mother says "No, it will ruin | |||
skipping to change at page 10, line 15 ¶ | skipping to change at page 10, line 15 ¶ | |||
mechanisms, there are some tradeoffs. As an example, an attacker who | mechanisms, there are some tradeoffs. As an example, an attacker who | |||
is able to insert the DNSSEC Bogus Extended Error into a packet could | is able to insert the DNSSEC Bogus Extended Error into a packet could | |||
instead simply reply with a fictitious address (A or AAAA) record. | instead simply reply with a fictitious address (A or AAAA) record. | |||
The R bit hint and extended error information are informational - | The R bit hint and extended error information are informational - | |||
implementations can choose how much to trust this information and | implementations can choose how much to trust this information and | |||
validating resolvers / stubs may choose to put a different weight on | validating resolvers / stubs may choose to put a different weight on | |||
it. | it. | |||
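How a stub might weigh the R bit in light of the tradeoff described above, as an added Python example that is not from the draft or from any stub resolver; the Ede tuple, the Decision record and the two policy knobs are assumptions of this example, and the R-flag recommendations are those stated per code in Section 4 of draft-04.

```python
"""Client-side fallback policy driven by an Extended DNS Error.  Added example
(not code from the draft or from any stub resolver): it applies the Section 6
point that the R bit is only a hint, and that falling through to another,
possibly non-validating, resolver on a DNSSEC failure discards DNSSEC's protection."""
from dataclasses import dataclass
from typing import NamedTuple, Optional

SERVFAIL, NXDOMAIN, REFUSED = 2, 3, 5


class Ede(NamedTuple):
    retry: bool          # the R flag as received
    response_code: int   # RESPONSE-CODE field
    info_code: int       # INFO-CODE field


# What Section 4 of draft-04 says the R flag "should" be for each code.  The two
# SERVFAIL codes without a stated recommendation (6 and 7) and REFUSED/Prohibited
# (operator-defined) are deliberately absent.
DRAFT_R_HINT = {
    (0, 1): True, (0, 2): True,                  # unsupported DNSKEY / DS algorithm
    (SERVFAIL, 1): False, (SERVFAIL, 2): False,  # Bogus, Indeterminate
    (SERVFAIL, 3): False, (SERVFAIL, 4): False,  # signature expired / not yet valid
    (SERVFAIL, 5): False,                        # DNSKEY missing
    (NXDOMAIN, 1): False,                        # Blocked
    (REFUSED, 1): True,                          # Lame
}
DNSSEC_FAILURES = {(SERVFAIL, i) for i in range(1, 8)}


@dataclass(frozen=True)
class Decision:
    fallback: bool     # ask the next configured resolver?
    suspicious: bool   # received R flag contradicts the draft's recommendation
    reason: str


def decide_fallback(rcode: int, ede: Optional[Ede], *,
                    retry_on_prohibited: bool = False,
                    legacy_retry_servfail: bool = True) -> Decision:
    """Decide whether a stub should move on to the next resolver in its list."""
    if ede is None:
        # Pre-EDE behaviour: many stubs simply retry elsewhere on SERVFAIL.
        return Decision(rcode == SERVFAIL and legacy_retry_servfail, False,
                        "no EDE present; RCODE-only policy")
    key = (ede.response_code, ede.info_code)
    hint = DRAFT_R_HINT.get(key)
    suspicious = hint is not None and ede.retry != hint
    if key in DNSSEC_FAILURES:
        # An R bit (which could have been injected) never buys a non-validating path.
        return Decision(False, suspicious, "DNSSEC validation failure; not falling back")
    if key == (REFUSED, 2):
        return Decision(retry_on_prohibited, False, "Prohibited: operator-defined fallback")
    if key == (NXDOMAIN, 1):
        return Decision(False, suspicious, "Blocked by policy; retrying would bypass it")
    # Lame, unsupported-algorithm and unassigned codes: follow the hint as received.
    return Decision(ede.retry, suspicious, "following R flag for " + str(key))
```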
7. Acknowledgements | 7. Acknowledgements | |||
The authors wish to thank Joe Abley, Mark Andrews, Peter DeVries, | The authors wish to thank Joe Abley, Mark Andrews, Vladimir Cunat, | |||
Peter van Dijk, Donald Eastlake, Bob Harold, Evan Hunt, Geoff Huston, | Peter DeVries, Peter van Dijk, Donald Eastlake, Bob Harold, Evan | |||
Shane Kerr, Edward Lewis, Carlos M. Martinez, George Michelson, Petr | Hunt, Geoff Huston, Shane Kerr, Edward Lewis, Carlos M. Martinez, | |||
Spacek, Ondrej Sury, Loganaden Velvindron, and Paul Vixie. They also | George Michelson, Petr Spacek, Ondrej Sury, Loganaden Velvindron, and | |||
vaguely remember discussing this with a number of people over the | Paul Vixie. They also vaguely remember discussing this with a number | |||
years, but have forgotten who all they were -- if you were one of | of people over the years, but have forgotten who all they were -- if | |||
them, and are not listed, please let us know and we'll acknowledge | you were one of them, and are not listed, please let us know and | |||
you. | we'll acknowledge you. | |||
I also want to thank the band "Infected Mushroom" for providing a | I also want to thank the band "Infected Mushroom" for providing a | |||
good background soundtrack (and to see if I can get away with this!) | good background soundtrack (and to see if I can get away with this!) | |||
Another author would like to thank the band "Mushroom Infectors". | Another author would like to thank the band "Mushroom Infectors". | |||
This was funny at the time we wrote it, but I cannot remember why... | This was funny at the time we wrote it, but I cannot remember why... | |||
8. References | 8. References | |||
8.1. Normative References | 8.1. Normative References | |||
End of changes. 40 change blocks. | ||||
78 lines changed or deleted | 80 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |