On Sat, Jul 29, 2017 at 10:04:06AM -0400, Joe Abley wrote:

> If client behaviour is not supposed to change when you return
> an extended RCODE, why bother returning one?
It's clearly helpful for human debugging. But, yes, you're correct -- diagnostic information included with a SERVFAIL is about as trustworthy as the AD bit, and in the absence of an authentication mechanism such as TSIG, clients should not rely on it or base policy on it.

Some of the error codes might be trustworthy enough if you're using COOKIE or TCP; that would ensure at least that it wasn't an off-path forgery. The ones related to validation I wouldn't trust without a signature, though.

This should be spelled out in more detail in the security considerations. (And, considering I'm listed as a co-author on this draft, maybe it's time I earn my keep and submit some text...)

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
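The point of the reply above, that extended error text in a SERVFAIL is diagnostic rather than something to act on, is easiest to see in a client that parses the option and then deliberately keeps its retry decision tied to the RCODE alone. The following is an added example, not code from the thread, the draft, or ISC. It builds a constructed DNS response carrying an EDNS option in the Extended DNS Error format, parses it back out, and applies a policy that logs the EDE text but only lets it influence policy when the caller asserts the transaction was authenticated. Assumptions: the option code 15 and the info code 6 ("DNSSEC Bogus") come from RFC 8914, which post-dates this 2017 thread, and the `authenticated` flag stands in for a TSIG verification step that the example does not implement.

```python
import struct

EDNS_OPT_TYPE = 41       # OPT pseudo-RR type (RFC 6891)
EDE_OPTION_CODE = 15     # Extended DNS Error option code (RFC 8914; assumption, post-dates the thread)
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2


def _encode_name(name):
    """Encode a dotted name as uncompressed wire-format labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(qname, rcode, edes, txid=0x1234):
    """Build a minimal response (one question, one OPT RR) carrying the given
    (info_code, text) EDE options. Constructed sample data, not captured traffic."""
    flags = 0x8180 | (rcode & 0x0F)                       # QR=1 RD=1 RA=1, low 4 RCODE bits
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    rdata = b""
    for info_code, text in edes:
        body = struct.pack("!H", info_code) + text.encode("utf-8")
        rdata += struct.pack("!HH", EDE_OPTION_CODE, len(body)) + body
    ttl = ((rcode >> 4) & 0xFF) << 24                     # extended RCODE bits, version 0, no flags
    opt_rr = b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, 1232, ttl, len(rdata)) + rdata
    return header + question + opt_rr


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:         # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (full_rcode, [(info_code, extra_text), ...]) from a DNS message."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4    # QTYPE + QCLASS
    edes = []
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != EDNS_OPT_TYPE:
            continue
        rcode |= ((ttl >> 24) & 0xFF) << 4   # merge the extended RCODE upper bits
        pos = 0
        while pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code == EDE_OPTION_CODE and len(body) >= 2:
                info = struct.unpack("!H", body[:2])[0]
                edes.append((info, body[2:].decode("utf-8", "replace")))
    return rcode, edes


def decide(msg, authenticated=False):
    """Client policy: the action depends on the RCODE only. EDE content is returned
    as a diagnostic string for humans; it is handed back as policy input only when
    the caller asserts the exchange was authenticated (e.g. a verified TSIG, which
    this example assumes rather than implements)."""
    rcode, edes = parse_response(msg)
    diagnostic = "; ".join(f"EDE {c}: {t}" for c, t in edes) or "no EDE present"
    if rcode == RCODE_NOERROR:
        action = "accept"
    elif rcode == RCODE_SERVFAIL:
        action = "retry-next-server"      # identical to a bare SERVFAIL, with or without EDE
    else:
        action = "fail"
    return {"rcode": rcode, "action": action, "diagnostic": diagnostic,
            "policy_input": list(edes) if authenticated else []}


if __name__ == "__main__":
    # Sample: SERVFAIL with info code 6 (DNSSEC Bogus in RFC 8914), constructed here.
    sample = build_response("example.com.", RCODE_SERVFAIL, [(6, "signature expired")])
    print(decide(sample))
    print(decide(sample, authenticated=True))
```

The design choice worth noticing is that `decide()` computes `action` before it ever looks at `edes`: an off-path forger who can inject a SERVFAIL can inject any EDE text alongside it, so the text is allowed to reach a log line but not a branch.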