On 11.2.2015 17:08, Evan Hunt wrote:
> On Wed, Feb 11, 2015 at 03:44:31PM +0100, Pier Carlo Chiodi wrote:
>>> Wild idea: Could it be solved by adding more information to SERVFAIL
>>> answer?
>>
>> a draft was proposed with this very topic, but it's expired now:
>>
>> https://datatracker.ietf.org/doc/draft-hunt-dns-server-diagnostics/
>
> I'd be happy to revive it, especially now that it's explicitly within
> dnsop's remit. I don't recall anyone objecting to the idea; it just
> wasn't high-urgency and I had other business to attend to.
>
> It's important that diagnostic signaling only be used for human
> troubleshooting purposes and not as input to a policy decision, such
> as "ignore DNSSEC failures due to expired signatures" or something,
> because the diagnostic messages would be trivial to spoof.
I generally agree, but the data format itself should be easy to parse: my
main goal is to make diagnostics as automatic as possible. (Yes, it will
be very interesting when we start considering active attacks.)

In other words, I do not think we can prevent people from doing crazy
things just by obscuring the format of the diagnostics data. I'm sure
somebody will try to parse the free-form string 'signature expired 1 week
ago' and make decisions from that :-)

-- 
Petr Spacek  @  Red Hat

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
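The two points made in this exchange, that diagnostic data in a SERVFAIL should be machine-parseable and that it must never drive a validation decision because anyone who can spoof the response can spoof the diagnostic, are shown below in a self-contained Python example. This is an added illustration for the thread, not code from BIND, from the expired draft, or from either poster. Everything about the wire layout is an assumption: the diagnostic rides in an EDNS0 option whose code (65001) is taken from the local/experimental range that RFC 6891 reserves, the option body is a 16-bit diagnostic code followed by free-form UTF-8 text, the code value 7 standing for "signature expired" is made up, and the query name example.com is a constructed sample. Both the "crazy" policy Petr predicts and the hardened one (rcode decides, diagnostic goes to the log) are included so their behaviour on the same spoofable message can be compared.

```python
"""Parse a structured diagnostic out of a SERVFAIL, log it, never let it set policy.
Added example; the option code, diagnostic code and layout are assumptions."""
import struct

DIAG_OPTION_CODE = 65001   # assumption: local/experimental EDNS0 option code (RFC 6891 range)
TYPE_OPT = 41
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
DIAG_SIG_EXPIRED = 7       # assumption: constructed diagnostic code meaning "signature expired"


def encode_name(name):
    """Wire-format an uncompressed owner name such as 'example.com.'."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a wire-format name; a compression pointer ends it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def build_servfail(txid, qname, diag_code, diag_text):
    """Minimal SERVFAIL for <qname> IN A with one OPT RR carrying the diagnostic option.
    Anything on the path (or off-path, with a guessed txid) can produce this byte string."""
    flags = 0x8180 | RCODE_SERVFAIL                      # QR, RD, RA set; rcode = 2
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack(">HH", 1, 1)   # QTYPE A, QCLASS IN
    optdata = struct.pack(">H", diag_code) + diag_text.encode("utf-8")
    option = struct.pack(">HH", DIAG_OPTION_CODE, len(optdata)) + optdata
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt_rr = b"\x00" + struct.pack(">HHIH", TYPE_OPT, 4096, 0, len(option)) + option
    return header + question + opt_rr


def parse_response(msg):
    """Return (rcode, [(diag_code, diag_text), ...]) for a DNS response message."""
    _txid, flags, qd, an, ns, ar = struct.unpack_from(">HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                    # skip QTYPE and QCLASS
    diags = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != TYPE_OPT:
            continue
        pos = 0
        while pos + 4 <= len(rdata):                     # walk the EDNS options
            ocode, olen = struct.unpack_from(">HH", rdata, pos)
            pos += 4
            body = rdata[pos:pos + olen]
            pos += olen
            if ocode == DIAG_OPTION_CODE and len(body) >= 2:
                code = struct.unpack_from(">H", body, 0)[0]
                diags.append((code, body[2:].decode("utf-8", errors="replace")))
    return flags & 0xF, diags


def naive_policy(msg):
    """The anti-pattern from the thread: a spoofable diagnostic overrides the rcode.
    On 'signature expired' it re-queries with checking disabled, i.e. drops DNSSEC."""
    rcode, diags = parse_response(msg)
    if rcode == RCODE_NOERROR:
        return "accept"
    if any(code == DIAG_SIG_EXPIRED or "expired" in text.lower() for code, text in diags):
        return "retry-with-cd"
    return "fail"


def policy(msg):
    """Hardened: only the rcode decides; diagnostics are returned for the operator's log."""
    rcode, diags = parse_response(msg)
    log = [f"diag code={code} text={text!r}" for code, text in diags]
    return ("accept" if rcode == RCODE_NOERROR else "fail"), log


if __name__ == "__main__":
    spoofed = build_servfail(0x1234, "example.com.", DIAG_SIG_EXPIRED,
                             "signature expired 1 week ago")
    print("naive:", naive_policy(spoofed))
    print("hardened:", policy(spoofed))
```

The structured parser is what makes the diagnostic usable by tooling, which is the point about format; the difference between `naive_policy` and `policy` is the point about trust. A forged SERVFAIL with a forged "signature expired" diagnostic costs the attacker nothing extra, so the only safe consumer of that field is a log line or a monitoring counter. The shape used here, a 16-bit code followed by UTF-8 text, is also the shape that Extended DNS Errors (RFC 8914) later standardised, but the option code and code values in this example are assumptions, not the RFC's.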