[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

DNSSEC and ISPs faking DNS responses

Subject: DNSSEC and ISPs faking DNS responses
From: mpalmer at hezmatt.org (Matt Palmer)
Date: Sat, 14 Nov 2015 15:46:14 +1100
In-reply-to: <[email protected]>
References: <[email protected]> <[email protected]>

On Fri, Nov 13, 2015 at 10:51:52AM +0100, Bj?rn Mork wrote:
> So what do we do? We currently point the blocked domains to addresses of
> a web server with a short explanation.  But what if the domains were
> signed?  We could let validating servers return SERVFAIL.  But I'd
> really prefer avoiding that for the simple reason that there is no way
> to distinguish that SERVFAIL from one caused by e.g. a domain owner
> configuration error.

Perhaps we need to expand RCODE to be the full octet, and indicate "blocked
for legal reasons" with RCODE value 25.

- Matt

Follow-Ups:
- DNSSEC and ISPs faking DNS responses
  - From: marka at isc.org (Mark Andrews)

References:
- DNSSEC and ISPs faking DNS responses
  - From: jfmezei_nanog at vaxination.ca (Jean-Francois Mezei)
- DNSSEC and ISPs faking DNS responses
  - From: bjorn at mork.no (Bjørn Mork)

Prev by Date: DNSSEC and ISPs faking DNS responses
Next by Date: DNSSEC and ISPs faking DNS responses
Previous by thread: DNSSEC and ISPs faking DNS responses
Next by thread: DNSSEC and ISPs faking DNS responses
Index(es):
- Date
- Thread