Hello dnsop,

while implementing DNSSEC validation in Fedora/RHEL distributions we face
problems with debugging SERVFAILs seen by stub resolvers because different
causes of SERVFAILs are indistinguishable.

Even in cases where we have access to server logs (e.g. because the validating
resolver runs on the same machine as the stub resolver) we have to grep
validator logs which makes the whole system validator-dependent, which is
undesirable.

Wild idea: Could it be solved by adding more information to the SERVFAIL answer?

Is there a standard which forbids adding meta-RRs to a SERVFAIL answer?

How likely will it break something? What about middleboxes?


I envision a meta-RR with information like:
- signature will be valid in xxx seconds (validator's clock is in the past)
- signature expired xxx seconds ago (validator's clock is in the future)
- signature expected but was not received (perceived downgrade attack)
- locally generated SERVFAIL y/n
- unspecified (upstream server did not return detailed information)
- forwarder IP address/ID (when applicable)
etc.

The dnssec-roadblock-avoidance draft contains an interesting list of problems which
could be reported in some way.

My hope is to get enough information to distinguish cases where there is a
problem with the validator (clock out of sync, wrong keys etc.) or the upstream cache
used by the validator (downgrade attack/missing EDNS support) etc. to make
debugging easier.


Maybe this was discussed in the past and rejected, in that case please refer
me back to archives so I can understand the reasoning.

Thank you for your time!

-- 
Petr Spacek  @  Red Hat
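As an added illustration of the proposal above (not code from the mail or from any resolver), here is one way the listed causes could be carried and then classified by a stub resolver. The option code 65001 is taken from the RFC 6891 local/experimental range and the payload layout, cause numbering and function names are assumptions made for this example.

```python
# Constructed example: a hypothetical EDNS(0) option carrying the SERVFAIL
# diagnostics listed in the mail. Option code 65001 is from the RFC 6891
# local/experimental range; the payload layout is an assumption, not a standard.
import ipaddress
import struct

OPTION_CODE = 65001

# cause codes (assumed numbering for this example)
UNSPECIFIED = 0        # upstream server returned no detail
CLOCK_IN_PAST = 1      # signature becomes valid in N seconds
CLOCK_IN_FUTURE = 2    # signature expired N seconds ago
SIGNATURE_MISSING = 3  # signature expected but not received

FLAG_LOCAL = 0x01      # SERVFAIL generated by this validator itself


def encode_servfail_info(cause, seconds=0, local=True, forwarder=None):
    """Build the option: code(2) length(2) cause(1) flags(1) seconds(4) [addr]."""
    addr = ipaddress.ip_address(forwarder).packed if forwarder else b""
    payload = struct.pack("!BBI", cause, FLAG_LOCAL if local else 0, seconds) + addr
    return struct.pack("!HH", OPTION_CODE, len(payload)) + payload


def decode_servfail_info(data):
    """Parse the option; raises ValueError rather than guessing on bad input."""
    if len(data) < 4:
        raise ValueError("truncated option header")
    code, length = struct.unpack("!HH", data[:4])
    payload = data[4:4 + length]
    if code != OPTION_CODE or len(payload) != length or length < 6:
        raise ValueError("not a SERVFAIL diagnostic option")
    cause, flags, seconds = struct.unpack("!BBI", payload[:6])
    addr = payload[6:]
    if addr and len(addr) not in (4, 16):
        raise ValueError("bad forwarder address length")
    return {"cause": cause, "seconds": seconds, "local": bool(flags & FLAG_LOCAL),
            "forwarder": str(ipaddress.ip_address(addr)) if addr else None}


def classify(info):
    """Where to look first: this validator, the upstream cache, or unknown."""
    if info["cause"] in (CLOCK_IN_PAST, CLOCK_IN_FUTURE):
        return "validator-clock"
    if info["cause"] == SIGNATURE_MISSING:
        return "upstream-or-downgrade"
    if info["forwarder"] and not info["local"]:
        return "upstream"
    return "unknown"
```

The decoder rejects malformed options instead of guessing, so a middlebox that mangles the option produces a parse error rather than a misleading diagnosis.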

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop