[185827] in North American Network Operators' Group
Re: DNSSEC and ISPs faking DNS responses
daemon@ATHENA.MIT.EDU (Mark Andrews)
Sat Nov 14 01:32:53 2015
X-Original-To: nanog@nanog.org
To: Matt Palmer <mpalmer@hezmatt.org>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Sat, 14 Nov 2015 15:46:14 +1100."
<20151114044614.GA4973@hezmatt.org>
Date: Sat, 14 Nov 2015 17:32:41 +1100
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
In message <20151114044614.GA4973@hezmatt.org>, Matt Palmer writes:
> On Fri, Nov 13, 2015 at 10:51:52AM +0100, Bjørn Mork wrote:
> > So what do we do? We currently point the blocked domains to addresses of
> > a web server with a short explanation. But what if the domains were
> > signed? We could let validating servers return SERVFAIL. But I'd
> > really prefer avoiding that for the simple reason that there is no way
> > to distinguish that SERVFAIL from one caused by e.g. a domain owner
> > configuration error.
>
> Perhaps we need to expand RCODE to be the full octet, and indicate "blocked
> for legal reasons" with RCODE value 25.
Rcodes were expanded to 12 bits back in 1999. See RFC 2671.
> - Matt
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
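Worked example added to this archive page, not part of Mark's reply or of any ISC code: a Python sketch of the 12-bit RCODE that RFC 2671 (EDNS0) provides. The DNS header keeps the low 4 bits and the OPT pseudo-RR's TTL field carries the high 8 bits as EXTENDED-RCODE, so a value like Matt's hypothetical 25 only fits when an OPT RR is present; the message bytes and the query name are constructed for the demonstration.

```python
import struct

OPT_TYPE = 41  # EDNS0 OPT pseudo-RR (RFC 2671, now RFC 6891); its TTL holds EXTENDED-RCODE

def split_rcode(rcode):
    """Split a 12-bit RCODE into (header 4 bits, EXTENDED-RCODE 8 bits)."""
    if not 0 <= rcode < 4096:
        raise ValueError("RCODE must fit in 12 bits")
    return rcode & 0xF, rcode >> 4

def encode_name(name):
    """Wire-format a domain name: length-prefixed labels, root-terminated."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_response(txid, rcode, qname, qtype=1):
    """Constructed minimal response: header, echoed question, one OPT RR."""
    header_rcode, ext_rcode = split_rcode(rcode)
    flags = 0x8000 | header_rcode                 # QR=1, other flag bits clear
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt_ttl = ext_rcode << 24                     # VERSION=0, DO=0, Z=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, opt_ttl, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a wire-format name (pointers handled)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                 # two-byte compression pointer
            return off + 2
        off += 1 + length

def full_rcode(msg):
    """Recover the 12-bit RCODE; falls back to the 4-bit one without an OPT RR."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4             # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            rcode |= (ttl >> 24) << 4
    return rcode
```

A resolver that strips or ignores the OPT RR sees only the low 4 bits (9 for a value of 25), which is why such a code is only meaningful between EDNS-aware parties.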