return address for failed DNSSEC validation

Gilles Massen gilles.massen at restena.lu
Wed Mar 10 21:31:14 UTC 2010


Hello all,

If the validation of a signed RR fails, the answer from the validating
resolver to the requestor is SERVFAIL, if I understood correctly. To the
average end user who isn't aware that DNS exists, this translates to
"it's broken". Possibly even "my ISP is broken" if the neighbor's ISP
does not validate.

So wouldn't it be an interesting option to allow Bind to be configured to
return an IP address in case of failed validation (if an A/AAAA record
was queried)? This would allow the provider to set up a webpage with a
small explanation of what went wrong.

The obvious limitation of this feature would be that it assumes
internet=http, even though you could go as far as setting up a few services
reacting appropriately on that "fail-host". On the other hand, it would
lessen the fear of the unexplainable failure and return
something to a large part of the users (if only who is to blame).

Thoughts?


Best regards,
Gilles


-- 
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473
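The post describes the client-visible symptom of a validation failure (SERVFAIL) and the difficulty of telling the user why. The following is an added example, not code from the original post, from BIND, or from RESTENA: it shows the standard check a client or the explanatory "fail-host" page could make to distinguish a DNSSEC validation failure from any other SERVFAIL, namely retrying the query with the CD (checking disabled) bit set. A validating resolver that returns SERVFAIL for a bogus name will return the unvalidated answer when CD is set, whereas an unreachable or lame zone stays SERVFAIL either way. The resolver here is a constructed stand-in with made-up names under .example; only the DNS header and question encoding are real wire format, and no network access is needed.

```python
import random
import struct

# DNS header flag bits (RFC 1035, RFC 4035).
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020  # authenticated data: resolver validated the answer
FLAG_CD = 0x0010  # checking disabled: client asks the resolver not to validate
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2


def encode_name(name):
    """Encode a dotted name as DNS labels ("good.example." -> b"\x04good\x07example\x00")."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data):
    """Decode uncompressed labels at the start of data back to a dotted name."""
    labels, pos = [], 0
    while data[pos]:
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + "."


def build_query(name, qtype=1, cd=False, txid=None):
    """Build a wire-format query for an A record; cd=True sets the CD bit."""
    if txid is None:
        txid = random.randrange(65536)
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Return the fields of the 12-byte DNS header that the check needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "ancount": an}


def make_response(query, rcode, ad=False, answer_ip=None):
    """Build a minimal response to `query`, optionally with one A record."""
    q = parse_header(query)
    question = query[12:]  # single question section, echoed verbatim
    flags = FLAG_QR | FLAG_RD | FLAG_RA | rcode
    flags |= (FLAG_AD if ad else 0) | (FLAG_CD if q["cd"] else 0)
    msg = struct.pack("!HHHHHH", q["id"], flags, 1, 1 if answer_ip else 0, 0, 0) + question
    if answer_ip:
        # Name pointer to offset 12 (the question name), type A, class IN, TTL, rdlength, address.
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        msg += bytes(int(o) for o in answer_ip.split("."))
    return msg


# Constructed zone states (assumption: these names and addresses are invented for the example).
ZONES = {
    "good.example.": ("secure", "192.0.2.10"),    # signed, validates
    "unsigned.example.": ("insecure", "192.0.2.20"),  # not signed, no validation possible
    "broken.example.": ("bogus", "192.0.2.30"),   # signed, but signatures do not validate
    "down.example.": ("lame", None),              # authoritative servers unreachable
}


def fake_validating_resolver(query):
    """Constructed stand-in for a validating resolver: SERVFAIL on bogus data unless CD is set."""
    q = parse_header(query)
    state, ip = ZONES.get(decode_name(query[12:]), ("lame", None))
    if state == "secure":
        return make_response(query, RCODE_NOERROR, ad=True, answer_ip=ip)
    if state == "insecure":
        return make_response(query, RCODE_NOERROR, answer_ip=ip)
    if state == "bogus" and q["cd"]:
        return make_response(query, RCODE_NOERROR, answer_ip=ip)  # unvalidated data handed back
    return make_response(query, RCODE_SERVFAIL)


def diagnose(name, send):
    """Classify why a lookup failed. `send(wire_query)` returns the resolver's wire response."""
    first = parse_header(send(build_query(name)))
    if first["rcode"] == RCODE_NOERROR:
        return "secure" if first["ad"] else "insecure"
    if first["rcode"] != RCODE_SERVFAIL:
        return "rcode-%d" % first["rcode"]
    # SERVFAIL: retry with CD set. If an answer now comes back, validation was the cause.
    retry = parse_header(send(build_query(name, cd=True)))
    return "bogus" if retry["rcode"] == RCODE_NOERROR else "servfail"


if __name__ == "__main__":
    for zone in ZONES:
        print(zone, diagnose(zone, fake_validating_resolver))
```

In practice the same check is `dig +cd name` after a plain `dig name` against the validating resolver; the point of wrapping it in a function is that whatever serves the explanatory page can tell "your data is bogus" apart from "the zone is unreachable" instead of showing the same page for both.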
