[185825] in North American Network Operators' Group


Re: DNSSEC and ISPs faking DNS responses

daemon@ATHENA.MIT.EDU (Matt Palmer)
Fri Nov 13 23:46:27 2015

X-Original-To: nanog@nanog.org
Date: Sat, 14 Nov 2015 15:46:14 +1100
From: Matt Palmer <mpalmer@hezmatt.org>
To: nanog@nanog.org
In-Reply-To: <87y4e2mdl3.fsf@nemi.mork.no>
Errors-To: nanog-bounces@nanog.org

On Fri, Nov 13, 2015 at 10:51:52AM +0100, Bjørn Mork wrote:
> So what do we do? We currently point the blocked domains to addresses of
> a web server with a short explanation.  But what if the domains were
> signed?  We could let validating servers return SERVFAIL.  But I'd
> really prefer avoiding that for the simple reason that there is no way
> to distinguish that SERVFAIL from one caused by e.g. a domain owner
> configuration error.

Perhaps we need to expand RCODE to be the full octet, and indicate "blocked
for legal reasons" with RCODE value 25.

- Matt
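
Added context and example, not part of the post or of the thread: the header RCODE field is 4 bits, but EDNS(0) (RFC 6891) already carries an 8-bit EXTENDED-RCODE in the TTL of the OPT pseudo-RR, giving a 12-bit RCODE, and RFC 8914 (Extended DNS Errors) later defined an OPT option that attaches an INFO-CODE such as 6 (DNSSEC Bogus) or 16 (Censored) to an ordinary SERVFAIL, which is the distinction Bjørn asks for. The script below builds and parses such replies on the wire so the two cases can be told apart; the query names and the EDE text are constructed sample data, and the value 25 is used only to show how an RCODE above 15 is split across the header and the OPT record.

```python
import struct
from typing import Optional, Tuple

TYPE_A = 1
CLASS_IN = 1
TYPE_OPT = 41          # RFC 6891 OPT pseudo-RR
OPT_EDE = 15           # RFC 8914 Extended DNS Error option code

RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
RCODE_NXDOMAIN = 3

# RFC 8914 INFO-CODEs relevant to the SERVFAIL ambiguity discussed above
EDE_DNSSEC_BOGUS = 6
EDE_BLOCKED = 15
EDE_CENSORED = 16
EDE_PROHIBITED = 18


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_reply(qid: int, qname: str, rcode: int,
                ede: Optional[Tuple[int, str]] = None,
                udp_size: int = 1232) -> bytes:
    """Build a minimal reply with a 12-bit RCODE and an optional EDE option.

    Low 4 bits of rcode go in the header; the high 8 bits go in the
    EXTENDED-RCODE byte of the OPT TTL (RFC 6891 section 6.1.3).
    """
    if not 0 <= rcode < 0x1000:
        raise ValueError("RCODE is at most 12 bits with EDNS")
    flags = 0x8000 | 0x0100 | 0x0080 | (rcode & 0x0F)   # QR, RD, RA, low RCODE
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)  # 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)

    rdata = b""
    if ede is not None:
        info_code, text = ede
        body = struct.pack("!H", info_code) + text.encode("utf-8")
        rdata = struct.pack("!HH", OPT_EDE, len(body)) + body
    ttl = ((rcode >> 4) & 0xFF) << 24          # EXTENDED-RCODE, VERSION 0, DO=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, len(rdata)) + rdata
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_reply(msg: bytes) -> dict:
    """Recover the full 12-bit RCODE and any EDE option from a reply."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns):
        off = skip_name(msg, off)
        rdlen = struct.unpack("!HHIH", msg[off:off + 10])[3]
        off += 10 + rdlen
    rcode = flags & 0x0F
    ede = None
    for _ in range(ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != TYPE_OPT:
            continue
        rcode |= ((ttl >> 24) & 0xFF) << 4     # merge EXTENDED-RCODE
        pos = 0
        while pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            data = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code == OPT_EDE and len(data) >= 2:
                info = struct.unpack("!H", data[:2])[0]
                ede = (info, data[2:].decode("utf-8", "replace"))
    return {"id": qid, "rcode": rcode, "ede": ede}


def classify(parsed: dict) -> str:
    """What a client can conclude from a reply that did not carry an answer."""
    if parsed["rcode"] == RCODE_NOERROR:
        return "answer"
    ede = parsed["ede"]
    if ede is None:
        return "failed: reason unknown"      # plain SERVFAIL: the ambiguity in the thread
    if ede[0] == EDE_DNSSEC_BOGUS:
        return "failed: DNSSEC validation (zone owner problem)"
    if ede[0] in (EDE_BLOCKED, EDE_CENSORED, EDE_PROHIBITED):
        return "failed: policy block by resolver"
    return "failed: EDE %d" % ede[0]


if __name__ == "__main__":
    # Constructed sample: a resolver refusing a name under a legal order
    reply = build_reply(0x1234, "blocked.example", RCODE_SERVFAIL,
                        (EDE_CENSORED, "blocked by court order"))
    print(classify(parse_reply(reply)))
```

A validating resolver that returns SERVFAIL with EDE 6 for a bogus zone and SERVFAIL with EDE 15/16/18 for a blocked one lets stub resolvers and monitoring distinguish the two without any change to the header format; a client that ignores the OPT record still sees a plain SERVFAIL, which is the backwards-compatible fallback.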
