[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

DNSSEC and ISPs faking DNS responses

Subject: DNSSEC and ISPs faking DNS responses
From: mpalmer at hezmatt.org (Matt Palmer)
Date: Sun, 15 Nov 2015 09:17:26 +1100
In-reply-to: <20151114063241.E547F3CA405A@rock.dv.isc.org>
References: <56455885.8090409@vaxination.ca> <87y4e2mdl3.fsf@nemi.mork.no> <20151114044614.GA4973@hezmatt.org> <20151114063241.E547F3CA405A@rock.dv.isc.org>

On Sat, Nov 14, 2015 at 05:32:41PM +1100, Mark Andrews wrote:
> In message <20151114044614.GA4973 at hezmatt.org>, Matt Palmer writes:
> > On Fri, Nov 13, 2015 at 10:51:52AM +0100, Bj?rn Mork wrote:
> > > So what do we do? We currently point the blocked domains to addresses of
> > > a web server with a short explanation.  But what if the domains were
> > > signed?  We could let validating servers return SERVFAIL.  But I'd
> > > really prefer avoiding that for the simple reason that there is no way
> > > to distinguish that SERVFAIL from one caused by e.g. a domain owner
> > > configuration error.
> > 
> > Perhaps we need to expand RCODE to be the full octet, and indicate "blocked
> > for legal reasons" with RCODE value 25.
> 
> Rcode's were expanded to 12 bits back in 1999.  See RFC 2671.

I didn't feel it was worth looking beyond RFC1035 for an off-the-cuff joke.

- Matt

References:
- DNSSEC and ISPs faking DNS responses
  - From: jfmezei_nanog at vaxination.ca (Jean-Francois Mezei)
- DNSSEC and ISPs faking DNS responses
  - From: bjorn at mork.no (Bjørn Mork)
- DNSSEC and ISPs faking DNS responses
  - From: mpalmer at hezmatt.org (Matt Palmer)
- DNSSEC and ISPs faking DNS responses
  - From: marka at isc.org (Mark Andrews)

Prev by Date: DNSSEC and ISPs faking DNS responses
Next by Date: DNSSEC and ISPs faking DNS responses
Previous by thread: DNSSEC and ISPs faking DNS responses
Next by thread: Another puck.nether.net Outage?
Index(es):
- Date
- Thread