Hello and welcome to the Wednesday, September 28, 2022 edition of the Sandstone Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Already this week, I was playing with self-hosting a domain that supports DNS sec.

Usually I leave this up to Google or whatever registrar, but in this case, I want to

flexibility to do it myself, so while setting up the domain, enabling the new DNS features

and bind and adding the respective DS records to the registrar.

Well, I unsurprisingly ran into some problems.

I wrote a little bit about what the problems were and some of the DNS intricacies in the diary.

But here I just want to sort of highlight the key point and that's a nice find about a new DNS

feature that is at least supported by Cloudflare's DNS servers, maybe others, not sure

who exactly is using it, but I noticed it with a cloud flare.

Now, if something goes wrong with DNS, you usually get a server fail error, but there are

many different reasons why you may get that error.

So in itself, getting the error just tells you something is wrong.

It doesn't tell you what is wrong or why that

name server wasn't able to resolve that particular record. Well, RFC 8914, it's about two years old now,

introduces a new DNS option to help with that option 15. This option is added a response when you're

getting the server fail error and includes a code that tells you a little bit more about

what the exact failure is and then also a little bit of ASCII text that will explain you

why you're seeing that particular error.

In my case, well, it was pretty clear. I got the code 10, which means there were no signature

records in my zone. Now, the text actually still helped very much. I didn't find the text

...