Maintained by: NLnet Labs

Distinguishing types of SERVFAIL

Petr Špaček
Mon Jul 24 13:27:00 CEST 2017



On 21.7.2017 17:52, Anand Buddhdev via Unbound-users wrote:
> On 21/07/2017 17:39, Jacob Hoffman-Andrews via Unbound-users wrote:
> 
> Hi Jacob,
> 
>> I have another question related to SERVFAIL. Let's Encrypt tries to
>> provide the most useful error messages possible to its users. My
>> understanding is that a SERVFAIL response could indicate a variety of
>> problems, including "DNSSEC validation failed," "a remote resolver
>> failed," and "Unbound failed." Is there any way for us to distinguish
>> the DNSSEC validation failure from the other cases, so we can provide
>> that in a detailed error message to our users?
> 
> If you get a SERVFAIL response, you can repeat the query with the CD
> (checking disabled) flag set. If you then get a NOERROR response, then
> it's reasonable to conclude that DNSSEC validation was the problem.

BTW there is ongoing work in IETF to introduce extended error messages
which should provide more information. You can see the proposal here:
https://tools.ietf.org/html/draft-wkumari-dnsop-extended-error

To discuss this please join dnsop mailing list:
https://www.ietf.org/mailman/listinfo/dnsop


Early feedback from people who need additional data to complement
SERVFAIL messages is more than welcome. Please join and tell us!

-- 
Petr Špaček  @  CZ.NIC