On Mon, Sep 16, 2024 at 11:46 AM Philip Homburg <[email protected]> wrote:
> > IE, just saying "hey, by the way, I left something
> > out." doesn't really let a client know what they should send more
> > queries about.
>
> Is EDE meant to be used that way? Is EDE meant to be part of the DNS
> protocol in the sense that the receiver generates more DNS requests in
> response to receiving a particular EDE code?
>
> The reason I'm asking is because
> 1) It seems that EDE is rather fragile. So it may be hard to build a
> reliable protocol on top of it.
> 2) I'm not aware of any RFCs that specify behavior after receiving a
> certain EDE.
>
> I propose that we do not go there. That we define new options if a client
> wants to receive some information from a server.
>
> And keep EDE as purely informational.

Yes, and more specifically, to quote the RFC, they aren't allowed to modify
DNS protocol processing:

From the Security Considerations section:

"EDE information is unauthenticated information, unless secured by a form of
secured DNS transaction, such as [RFC2845], [RFC2931], [RFC8094], or
[RFC8484]. An attacker (e.g., a man in the middle (MITM) or malicious
recursive server) could insert an extended error response into untrusted
data -- although, ideally, clients and resolvers would not trust any
unauthenticated information. As such, EDE content should be treated only as
diagnostic information and MUST NOT alter DNS protocol processing."

Shumon
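As an added illustration of the rule quoted above (this is example code written for this page, not code from the thread, from any RFC, or from any resolver implementation), the following Python parses the Extended DNS Error option (EDNS option code 15, as defined in RFC 8914: a 16-bit INFO-CODE followed by optional UTF-8 EXTRA-TEXT) out of an OPT record's RDATA and then shows a client-side handler whose decision depends only on the RCODE, with EDE content going into a diagnostic string and nothing else. The function names, the `handle_response` policy and the sample OPT RDATA are constructed for the example; the small INFO-CODE name table covers only a few of the RFC 8914 values.

```python
import struct

EDE_OPTION_CODE = 15  # EDNS option code for Extended DNS Error (RFC 8914)

# A handful of INFO-CODE values from RFC 8914, used only to make logs readable.
EDE_INFO_CODES = {
    0: "Other",
    3: "Stale Answer",
    4: "Forged Answer",
    6: "DNSSEC Bogus",
    15: "Blocked",
    18: "Prohibited",
}


def iter_edns_options(opt_rdata: bytes):
    """Yield (option_code, option_data) pairs from the RDATA of an OPT RR.

    Each option is OPTION-CODE (2 bytes), OPTION-LENGTH (2 bytes), then data.
    A truncated option raises ValueError instead of being silently guessed at.
    """
    pos = 0
    while pos < len(opt_rdata):
        if len(opt_rdata) - pos < 4:
            raise ValueError("truncated EDNS option header")
        code, length = struct.unpack("!HH", opt_rdata[pos:pos + 4])
        pos += 4
        if len(opt_rdata) - pos < length:
            raise ValueError("EDNS option length exceeds OPT RDATA")
        yield code, opt_rdata[pos:pos + length]
        pos += length


def parse_ede_options(opt_rdata: bytes):
    """Return [(info_code, extra_text), ...] for every EDE option present.

    An EDE option shorter than the 2-byte INFO-CODE is reported with
    info_code None so the caller can log it; undecodable EXTRA-TEXT is
    replaced rather than rejected, since it is diagnostic only.
    """
    found = []
    for code, data in iter_edns_options(opt_rdata):
        if code != EDE_OPTION_CODE:
            continue  # other options (cookies, etc.) are not our concern here
        if len(data) < 2:
            found.append((None, ""))
            continue
        info_code = struct.unpack("!H", data[:2])[0]
        extra_text = data[2:].decode("utf-8", errors="replace")
        found.append((info_code, extra_text))
    return found


def safe_parse_ede(opt_rdata: bytes):
    """Like parse_ede_options, but returns None for malformed OPT RDATA."""
    try:
        return parse_ede_options(opt_rdata)
    except ValueError:
        return None


def handle_response(rcode: int, opt_rdata: bytes):
    """Return (action, diagnostic) for a response.

    The action is derived from the RCODE alone. EDE content is unauthenticated,
    so it is only rendered into the diagnostic string and never changes the
    action, which is the behaviour RFC 8914's MUST NOT requires.
    """
    action = "use_answer" if rcode == 0 else "treat_as_error"
    notes = []
    for info_code, extra_text in parse_ede_options(opt_rdata):
        if info_code is None:
            notes.append("EDE malformed")
            continue
        name = EDE_INFO_CODES.get(info_code, "Unassigned/unknown")
        notes.append(f"EDE {info_code} ({name}): {extra_text!r}")
    return action, "; ".join(notes)


def build_edns_option(code: int, data: bytes) -> bytes:
    """Encode one EDNS option; used here only to construct sample input."""
    return struct.pack("!HH", code, len(data)) + data


# Constructed sample OPT RDATA: a COOKIE option (code 10) that must be skipped,
# followed by an EDE with INFO-CODE 6 (DNSSEC Bogus) and some EXTRA-TEXT.
SAMPLE_OPT_RDATA = (
    build_edns_option(10, bytes(8))
    + build_edns_option(EDE_OPTION_CODE,
                        struct.pack("!H", 6) + b"validation failed for example.test")
)

if __name__ == "__main__":
    # A SERVFAIL carrying the sample EDE: error handling is unchanged by the EDE,
    # but the log line now says why the resolver failed.
    print(handle_response(2, SAMPLE_OPT_RDATA))
```

Two points worth noting: a NOERROR answer that happens to carry an alarming EDE such as "Forged Answer" still comes back as `use_answer`, because acting on the unauthenticated option is exactly what the RFC forbids; and a length field that overruns the RDATA is rejected outright, since an option layer that trusts attacker-controlled lengths is a parsing bug regardless of what the option is for.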
_______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
