lists.isc.org rDNS failed, DNSSEC?
Evan Hunt
each at isc.org
Tue Feb 28 18:28:54 UTC 2012
> I suppose there are different classes of failures; unfortunately on
> the resolver, there is only one result, SERVFAIL, to cover all. It
> would be better if there was a way to distinguish the "oops, admin
> bungled DNSSEC" errors from the ones which are more likely to be
> indicative of spoofing.

I'd like to see an EDNS(0) option that returns a detailed explanation
of how a SERVFAIL happened. (I intend to write that IETF draft when
engineering work gets out of my way enough that I have time to do it.)
But it won't help until clients learn how to request that option
and do something useful with the result.

> The hardest part of that might be to decide which is which. IME the
> one that bites us most often is that of the expired RRSIG. If we
> could log that but go ahead and accept the data, most of the pain
> would stop.

BIND has this: "dnssec-accept-expired yes;" Note that it opens you
to replay attacks, but misconfigured zones are more common than replay
attacks, for now anyway.

--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
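
The expired-RRSIG failure class discussed above can be identified from the signature's validity window alone. The following is an added example, not part of the original message and not BIND code: it classifies RRSIG lines in `dig +dnssec` presentation format against a given time. The sample records, owner names, key tags and signature data are constructed placeholders, and the function names are hypothetical. It checks timestamps only and does not verify signatures.

```python
from datetime import datetime, timezone

# Constructed sample in dig +dnssec presentation format (not real records;
# owner names, key tags and signature data are placeholders).
SAMPLE = """\
example.test. 3600 IN RRSIG A 8 2 3600 20120227000000 20120128000000 12345 example.test. c2lnbmF0dXJl
example.test. 3600 IN RRSIG MX 8 2 3600 20120330000000 20120229000000 12345 example.test. c2lnbmF0dXJl
example.test. 3600 IN RRSIG NS 8 2 3600 20120315000000 20120214000000 12345 example.test. c2lnbmF0dXJl
"""

def parse_ts(field):
    """RRSIG times: YYYYMMDDHHmmSS (UTC) or decimal seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def classify(line, now):
    """Return (type_covered, state) for one RRSIG line, or None for other lines."""
    f = line.split()
    # Fields: owner ttl class RRSIG covered alg labels origttl expire incept tag signer sig
    if len(f) < 13 or f[3].upper() != "RRSIG":
        return None
    expiration, inception = parse_ts(f[8]), parse_ts(f[9])
    if now > expiration:
        state = "expired"        # the common "admin forgot to re-sign" case
    elif now < inception:
        state = "not-yet-valid"  # often clock skew on signer or validator
    else:
        state = "in-window"      # timing is fine; a failure has another cause
    return f[4], state

def report(text, now):
    """Map each covered RR type in the text to its validity-window state."""
    results = [classify(line, now) for line in text.splitlines()]
    return dict(r for r in results if r)

if __name__ == "__main__":
    # Evaluation time is a constructed value chosen for the sample data.
    now = datetime(2012, 2, 28, 18, 28, 54, tzinfo=timezone.utc)
    for rtype, state in report(SAMPLE, now).items():
        print(f"{rtype:4} {state}")
```

Running this periodically against your own zones flags signatures nearing or past expiry before validators start returning SERVFAIL for them.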