On 2/14/19 12:51 PM, Stephane Bortzmeyer wrote:
> On Mon, Jan 07, 2019 at 12:30:10PM -0800,
> internet-dra...@ietf.org <internet-dra...@ietf.org> wrote
> a message of 44 lines which said:
>
>> Title : Extended DNS Errors
>> Authors : Warren Kumari
>> Evan Hunt
>> Roy Arends
>> Wes Hardaker
>> David C Lawrence
>> Filename : draft-ietf-dnsop-extended-error-04.txt
>
>> 4.2.5. SERVFAIL Extended DNS Error Code 5 - DNSKEY missing
>>
>> A DS record existed at a parent, but no DNSKEY record could be found
>> for the child.
>
> I suggest to replace "no DNSKEY record could be found for the child"
> by "no DNSKEY record for this specific key could be found for the
> child".
>
> Rationale : the current text seems to imply this code is only when
> there is no DNSKEY at all.

I disagree. There are going to be cases where DS and DNSKEY are not
fully in sync due to key rollovers, prestaging, etc. This is not a
fatal error. So long as one DS matches one (supported) DNSKEY, the
domain is resolvable, and is not a SERVFAIL. It is only SERVFAIL if
*no* DS match useable keys.

I would suggest "No supported matching DNSKEY record could be found
for the child"

--
Michael Sheldon
Dev-DNS Services
GoDaddy.com
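
The matching rule from the reply above (at least one DS matching one supported DNSKEY), as an added example that is not part of the original thread or the draft. The supported-algorithm set, the zone name and the key bytes are constructed assumptions, and only DS-to-DNSKEY matching is shown, not signature validation.

```python
import hashlib

# Assumption: algorithms this hypothetical validator supports
# (8 = RSASHA256, 13 = ECDSAP256SHA256, 15 = ED25519).
SUPPORTED_ALGS = {8, 13, 15}
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def wire_name(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"

def dnskey_rdata(flags, alg, pubkey):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([3, alg]) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithms other than 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner, rdata, dtype):
    return DIGESTS[dtype](wire_name(owner) + rdata).digest()

def make_ds(owner, rdata, dtype=2):
    """DS fields (key tag, algorithm, digest type, digest) for one DNSKEY."""
    return (key_tag(rdata), rdata[3], dtype, ds_digest(owner, rdata, dtype))

def usable_matches(owner, ds_set, dnskeys):
    """DS records that match a published DNSKEY with a supported algorithm."""
    hits = []
    for ds in ds_set:
        tag, alg, dtype, digest = ds
        if alg not in SUPPORTED_ALGS or dtype not in DIGESTS:
            continue  # validator cannot use this DS at all
        if any(k[3] == alg and key_tag(k) == tag and
               ds_digest(owner, k, dtype) == digest for k in dnskeys):
            hits.append(ds)
    return hits

# Constructed sample data: the key bytes are placeholders, not real keys.
ZONE = "example.com."
OLD_KSK = dnskey_rdata(257, 13, bytes(range(64)))
NEW_KSK = dnskey_rdata(257, 13, bytes(range(64, 128)))  # prestaged, not yet published
GOST_KSK = dnskey_rdata(257, 12, bytes(range(64)))      # algorithm 12 is not supported here

def rollover_case():  # DS for old and prestaged key, only the old DNSKEY published
    return usable_matches(ZONE, [make_ds(ZONE, OLD_KSK), make_ds(ZONE, NEW_KSK)], [OLD_KSK])

def no_match_case():  # every DS points at an absent or unsupported key
    return usable_matches(ZONE, [make_ds(ZONE, NEW_KSK), make_ds(ZONE, GOST_KSK)], [OLD_KSK, GOST_KSK])
```

`rollover_case()` still returns one usable DS even though the second DS has no DNSKEY, while `no_match_case()` returns an empty list, which is the only situation the suggested wording would flag.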