nanog mailing list archives

Re: DNSSEC and ISPs faking DNS responses


From: Mark Andrews <marka () isc org>
Date: Sat, 14 Nov 2015 17:32:41 +1100


In message <20151114044614.GA4973 () hezmatt org>, Matt Palmer writes:
> On Fri, Nov 13, 2015 at 10:51:52AM +0100, Bjørn Mork wrote:
> > So what do we do? We currently point the blocked domains to addresses of
> > a web server with a short explanation.  But what if the domains were
> > signed?  We could let validating servers return SERVFAIL.  But I'd
> > really prefer avoiding that for the simple reason that there is no way
> > to distinguish that SERVFAIL from one caused by e.g. a domain owner
> > configuration error.
>
> Perhaps we need to expand RCODE to be the full octet, and indicate "blocked
> for legal reasons" with RCODE value 25.

Rcodes were expanded to 12 bits back in 1999.  See RFC 2671.

> - Matt

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
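An added illustration, not part of this thread, of the mechanism Mark points to: RFC 2671 (since replaced by RFC 6891) carries the upper 8 bits of a 12-bit RCODE in the top byte of the EDNS OPT record's TTL field, so a code such as the proposed 25 only reaches a client that sent EDNS, while a legacy client sees just the low nibble and misreads it. The function names and the minimal message layout below are mine.

```python
import struct

OPT_TYPE = 41  # EDNS OPT pseudo-RR type

def split_rcode(rcode):
    """Split a 12-bit RCODE into the header's low 4 bits and OPT's upper 8 bits."""
    if not 0 <= rcode < 4096:
        raise ValueError("extended RCODE must fit in 12 bits")
    return rcode & 0xF, rcode >> 4

def join_rcode(header_rcode, ext_rcode):
    """Reassemble the 12-bit RCODE from the header nibble and the OPT TTL byte."""
    return (ext_rcode << 4) | (header_rcode & 0xF)

def build_response(txid, rcode, edns=True, udp_size=4096):
    """Minimal response (no question section) carrying rcode; OPT RR only if edns=True."""
    low, high = split_rcode(rcode)
    flags = 0x8000 | low  # QR=1, opcode QUERY, low RCODE nibble
    header = struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 1 if edns else 0)
    if not edns:
        return header  # the upper RCODE bits are silently lost on the wire
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
    # TTL = extended RCODE (8) | EDNS version (8) | DO + Z flags (16), RDLEN=0
    ttl = (high << 24) | (0 << 16) | 0
    return header + b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)

def _skip_name(msg, off):
    """Advance past a wire-format name (label sequence or compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_rcode(msg):
    """Return the RCODE a receiver actually sees: 12 bits with OPT, 4 bits without."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, off = flags & 0xF, 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return join_rcode(rcode, ttl >> 24)
    return rcode
```

Without the OPT record, 25 arrives as 9 (NOTAUTH), which is why an extended code must only be sent to queries that carried EDNS.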
