Distinguishing types of SERVFAIL
Petr Špaček
petr.spacek at nic.cz
Mon Jul 24 11:27:00 UTC 2017
On 21.7.2017 17:52, Anand Buddhdev via Unbound-users wrote:
> On 21/07/2017 17:39, Jacob Hoffman-Andrews via Unbound-users wrote:
>
> Hi Jacob,
>
>> I have another question related to SERVFAIL. Let's Encrypt tries to
>> provide the most useful error messages possible to its users. My
>> understanding is that a SERVFAIL response could indicate a variety of
>> problems, including "DNSSEC validation failed," "a remote resolver
>> failed," and "Unbound failed." Is there any way for us to distinguish
>> the DNSSEC validation failure from the other cases, so we can provide
>> that in a detailed error message to our users?
>
> If you get a SERVFAIL response, you can repeat the query with the CD
> (checking disabled) flag set. If you then get a NOERROR response, then
> it's reasonable to conclude that DNSSEC validation was the problem.

BTW there is ongoing work in the IETF to introduce extended error messages
which should provide more information. You can see the proposal here:
https://tools.ietf.org/html/draft-wkumari-dnsop-extended-error

To discuss this please join the dnsop mailing list:
https://www.ietf.org/mailman/listinfo/dnsop

Early feedback from people who need additional data to complement
SERVFAIL messages is more than welcome. Please join and tell us!

--
Petr Špaček @ CZ.NIC
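
The retry-with-CD check suggested in the quoted reply, sketched as an added example that is not part of the original thread and is not Unbound or Let's Encrypt code. The function names (`build_query`, `rcode`, `classify`, `probe`) and the result labels are hypothetical; it assumes plain UDP to a validating resolver and uses only the Python standard library.

```python
import random
import socket
import struct

RD, CD = 0x0100, 0x0010      # header flag bits: Recursion Desired, Checking Disabled
NOERROR, SERVFAIL = 0, 2     # RCODE values

def build_query(name, qtype=1, cd=False, qid=None):
    """Encode a one-question DNS query; cd=True sets the CD flag."""
    qid = random.randrange(0x10000) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, RD | (CD if cd else 0), 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # class IN

def rcode(message):
    """Return the RCODE held in the low four bits of the header flags."""
    if len(message) < 12:
        raise ValueError("short DNS message")
    return struct.unpack("!H", message[2:4])[0] & 0x000F

def classify(rcode_validating, rcode_cd):
    """Apply the rule from the thread to the two RCODEs."""
    if rcode_validating != SERVFAIL:
        return "not-servfail"
    if rcode_cd == NOERROR:
        return "dnssec-validation-likely"
    # The CD retry did not return NOERROR: the rule draws no conclusion,
    # so remote-server and resolver failures stay indistinguishable here.
    return "undetermined"

def probe(resolver_ip, name, qtype=1, timeout=3.0):
    """Query the resolver; repeat with CD set only after a SERVFAIL."""
    def ask(cd):
        query = build_query(name, qtype, cd)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.connect((resolver_ip, 53))   # only accept replies from the resolver
            s.send(query)
            reply = s.recv(4096)
        if reply[:2] != query[:2]:
            raise ValueError("reply ID does not match query")
        return rcode(reply)
    first = ask(cd=False)
    second = ask(cd=True) if first == SERVFAIL else None
    return classify(first, second)
```
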