DNSSEC and ISPs faking DNS responses

Mark Andrews marka at isc.org
Sat Nov 14 06:32:41 UTC 2015

In message <20151114044614.GA4973 at hezmatt.org>, Matt Palmer writes:
> On Fri, Nov 13, 2015 at 10:51:52AM +0100, Bjørn Mork wrote:
> > So what do we do? We currently point the blocked domains to addresses of
> > a web server with a short explanation.  But what if the domains were
> > signed?  We could let validating servers return SERVFAIL.  But I'd
> > really prefer avoiding that for the simple reason that there is no way
> > to distinguish that SERVFAIL from one caused by e.g. a domain owner
> > configuration error.
> Perhaps we need to expand RCODE to be the full octet, and indicate "blocked
> for legal reasons" with RCODE value 25.

Rcode's were expanded to 12 bits back in 1999.  See RFC 2671.
> - Matt
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the NANOG mailing list