lists.isc.org rDNS failed, DNSSEC?

Evan Hunt each at isc.org
Tue Feb 28 18:28:54 UTC 2012


> I suppose there are different classes of failures; unfortunately on 
> the resolver, there is only one result, SERVFAIL, to cover all. It 
> would be better if there was a way to distinguish the "oops, admin 
> bungled DNSSEC" errors from the ones which are more likely to be 
> indicative of spoofing.

I'd like to see an EDNS(0) option that returns a detailed explanation
of how a SERVFAIL happened.  (I intend to write that IETF draft when
engineering work gets out of my way enough that I have time to do it.)
But it won't help until clients learn how to request that option
and do something useful with the result.

> The hardest part of that might be to decide which is which. IME the 
> one that bites us most often is that of the expired RRSIG. If we 
> could log that but go ahead and accept the data, most of the pain 
> would stop.

BIND has this: "dnssec-accept-expired yes;"  Note that it opens you
to replay attacks, but misconfigured zones are more common than replay
attacks, for now anyway.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
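As an added example (not from this thread or from BIND itself): the alternative to "dnssec-accept-expired yes;" is to notice stale signatures before validating resolvers start returning SERVFAIL. The script below classifies RRSIG validity windows from the presentation format dig prints; the sample records and the pinned clock are constructed.

```python
"""Classify RRSIG validity windows (RFC 4034 section 3.1.5) against a clock.
Added example, not from the bind-users thread or from BIND. Timestamps are
the YYYYMMDDHHmmSS UTC presentation form that dig prints."""
from datetime import datetime, timezone

RRSIG_TIME_FMT = "%Y%m%d%H%M%S"

def parse_rrsig_time(text: str) -> int:
    """RRSIG inception/expiration field -> UNIX timestamp (UTC)."""
    dt = datetime.strptime(text, RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

def classify_rrsig(rr: str, now: int):
    """Return (owner, covered type, status, seconds until expiration);
    status is 'valid', 'expired' or 'not-yet-valid'."""
    f = rr.split()
    if len(f) < 13 or f[3].upper() != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % rr)
    expiration, inception = parse_rrsig_time(f[8]), parse_rrsig_time(f[9])
    if now > expiration:
        status = "expired"
    elif now < inception:
        status = "not-yet-valid"
    else:
        status = "valid"
    return f[0], f[4], status, expiration - now

def report(records, now: int, warn_seconds: int = 3 * 86400):
    """Classify each record; valid signatures within warn_seconds of
    expiry are flagged so the zone can be re-signed before SERVFAILs."""
    out = []
    for rr in records:
        owner, covered, status, remaining = classify_rrsig(rr, now)
        if status == "valid" and remaining < warn_seconds:
            status = "expiring-soon"
        out.append((owner, covered, status, remaining))
    return out

# Constructed sample records (dummy signature field, not real zone output).
SAMPLE_RRSIGS = [
    "example.com. 3600 IN RRSIG A 8 2 3600 20120305000000 20120205000000 12345 example.com. AAAA",
    "example.com. 3600 IN RRSIG MX 8 2 3600 20120227000000 20120128000000 12345 example.com. AAAA",
    "example.com. 3600 IN RRSIG NS 8 2 3600 20120301120000 20120201000000 12345 example.com. AAAA",
]
NOW = parse_rrsig_time("20120228182854")  # clock pinned to this mail's date

if __name__ == "__main__":
    for owner, covered, status, remaining in report(SAMPLE_RRSIGS, NOW):
        print(f"{owner} RRSIG({covered}): {status}, {remaining // 3600} h to expiry")
```

Run against the output of `dig +dnssec` (or the signed zone file) it separates the "admin let the signatures lapse" case from a genuine validation failure, which is the distinction the thread asks for.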