return address for failed DNSSEC validation

imfeldma at gmail.com
Wed Mar 10 21:45:51 UTC 2010


Hi Gilles,

this question came up as well at a DNSSEC workshop I attended recently. IMHO redirecting to a website will cause similar misuse to what wildcard records have caused. One might argue a new RCODE would be the right thing, but really, the SERVFAIL is actually correct. The server at the other end did actually fail by not passing DNSSEC validation. End users will get confused by this, but then there are plenty of other possibilities with and without DNS they may get confused about. I think providing help to them should be dealt with by the OS instead of bloating DNS. Upon return of any error by DNS (or any other subsystem) it can show them a useful, platform-dependent message on how to fix it.

-mat



On Mar 10, 2010, at 10:31 PM, Gilles Massen wrote:

> Hello all,
> 
> If the validation of a signed RR fails, the answer from the validating
> resolver to the requestor is SERVFAIL, if I understood correctly. To the
> average end user who isn't aware that DNS exists this translates to
> "it's broken". Possibly even "my ISP is broken" if the neighbor's ISP
> does not validate.
> 
> So wouldn't it be an interesting option to allow Bind to be configured to
> return an IP address in case of failed validation (if an A/AAAA record
> was queried). This would allow the provider to set up a webpage with a
> small explanation on what went wrong.
> 
> The obvious limitation of this feature would be that it assumes
> internet=http, even though you could go as far as setting up a few services
> reacting appropriately on that "fail-host". On the other hand it would
> help to lessen the fear of the unexplainable failure and return
> something to a large part of the users (if only who is to blame).
> 
> Thoughts?
> 
> 
> Best regards,
> Gilles
> 
> 
> -- 
> Fondation RESTENA - DNS-LU
> 6, rue Coudenhove-Kalergi
> L-1359 Luxembourg
> tel: (+352) 424409
> fax: (+352) 422473
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
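Added example (not from this thread, and not BIND code): the check an OS stub resolver could run to tell "validation failed" apart from "my resolver is broken", which is the piece of information both Mat's platform-dependent error message and Gilles's "who is to blame" page would need before saying anything useful. It relies on the CD (Checking Disabled) bit from RFC 4035: a validating resolver that answered SERVFAIL because the signatures did not validate will answer the same query with CD=1 from its unvalidated data, whereas a resolver that is genuinely broken keeps failing. The resolver class below is a constructed stand-in that mimics that behaviour; the names under .example and the 192.0.2.x addresses are made-up sample data, and the wire encoding is the minimal RFC 1035 / RFC 6891 subset the check needs.

```python
"""Tell a DNSSEC validation failure apart from a generic SERVFAIL.

A validating resolver answers SERVFAIL when validation fails (RFC 4035).
A client can distinguish that from a broken resolver by repeating the
query with the CD (Checking Disabled) bit set: the resolver then returns
the unvalidated data (AD clear) instead of SERVFAIL. If the retry fails
too, the problem is not DNSSEC. Wire format per RFC 1035, OPT per RFC 6891.
"""
import struct

RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
TYPE_A, TYPE_OPT = 1, 41
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Decode an uncompressed name at msg[off]; returns (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def build_query(name, qtype=TYPE_A, cd=False, txid=0x1234):
    """Recursive query with DO=1 (EDNS0) and the CD bit as requested."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, UDP payload 4096, TTL field carries the DO bit
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return header + question + opt


def parse_header(msg):
    """Pull the fields we need out of the 12-byte header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0x000F, "ancount": an}


def make_response(query, rcode, ad=False, ip=None):
    """Build a response that echoes the question, with an optional A record."""
    q = parse_header(query)
    _name, off = decode_name(query, 12)
    question = query[12:off + 4]          # name + qtype + qclass
    flags = FLAG_QR | FLAG_RD | FLAG_RA | rcode
    flags |= (FLAG_AD if ad else 0) | (FLAG_CD if q["cd"] else 0)
    answer, ancount = b"", 0
    if ip is not None:
        rdata = bytes(int(x) for x in ip.split("."))
        # 0xC00C is a compression pointer to the question name at offset 12
        answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, len(rdata)) + rdata
        ancount = 1
    return struct.pack("!HHHHHH", q["id"], flags, 1, ancount, 0, 0) + question + answer


class FakeValidatingResolver:
    """Constructed stand-in for a validating resolver (not BIND).

    zones maps a name to (state, ip) with state one of
    'secure', 'insecure', 'bogus' (signatures do not validate) or 'down'.
    """

    def __init__(self, zones):
        self.zones = zones

    def query(self, wire):
        q = parse_header(wire)
        name, _ = decode_name(wire, 12)
        state, ip = self.zones.get(name, ("nxdomain", None))
        if state == "nxdomain":
            return make_response(wire, RCODE_NXDOMAIN)
        if state == "down":                    # upstream unreachable: SERVFAIL regardless of CD
            return make_response(wire, RCODE_SERVFAIL)
        if state == "bogus" and not q["cd"]:   # validation failed: SERVFAIL unless CD=1
            return make_response(wire, RCODE_SERVFAIL)
        return make_response(wire, RCODE_NOERROR, ad=(state == "secure" and not q["cd"]), ip=ip)


def diagnose(name, send):
    """Classify the answer for name; send(wire) -> response wire."""
    first = parse_header(send(build_query(name, cd=False)))
    if first["rcode"] != RCODE_SERVFAIL:
        return "validated" if first["ad"] else "unvalidated"
    retry = parse_header(send(build_query(name, cd=True)))
    if retry["rcode"] in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return "dnssec-validation-failure"   # data exists, only validation failed
    return "resolver-failure"                # SERVFAIL even with CD=1: not a DNSSEC problem


if __name__ == "__main__":
    zones = {                                # constructed sample data
        "secure.example.": ("secure", "192.0.2.1"),
        "insecure.example.": ("insecure", "192.0.2.2"),
        "bogus.example.": ("bogus", "192.0.2.3"),
        "down.example.": ("down", None),
    }
    resolver = FakeValidatingResolver(zones)
    for n in zones:
        print(n, "->", diagnose(n, resolver.query))
```

Against a real resolver the same two queries are what `dig +dnssec` and `dig +dnssec +cd` send; the CD=1 answer is deliberately unvalidated, so a client should only use it to explain the failure, never to connect to the address it returns.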