bind-users March 2010 archive

return address for failed DNSSEC validation

From: Gilles Massen <gilles.massen_at_nospam>
Date: Wed Mar 10 2010 - 21:31:14 GMT

Hello all,

If the validation of a signed RR fails, the answer from the validating
resolver to the requestor is SERVFAIL, if I understood correctly. To the
average end user who isn't aware that DNS exists this translates to
"it's broken". Possibly even "my ISP is broken" if the neighbor's ISP
does not validate.

So wouldn't it be an interesting option to allow Bind to be configured to
return an IP address in case of failed validation (if an A/AAAA record
was queried)? This would allow the provider to set up a webpage with a
small explanation on what went wrong.

The obvious limitation of this feature would be that it assumes
internet=http, even though you could go as far as setting up a few services
reacting appropriately on that "fail-host". On the other hand it would
help to lessen the fear of the unexplainable failure and return
something to a large part of the users (if only who is to blame).


Best regards,

-- 
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473

_______________________________________________
bind-users mailing list
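Added example (editor's illustration, not code from the post above and not BIND code): a toy model of the proposed "fail-host" behaviour that builds real DNS wire-format responses with only the Python standard library. It shows the two properties a resolver doing this would have to keep to avoid making things worse: the substituted answer must never carry the AD (authenticated data) bit, and a query with CD (checking disabled) set must still get the raw, unvalidated data rather than the substitute, as RFC 4035 requires. The fail-host addresses 192.0.2.1 and 2001:db8::1 are placeholders from the documentation ranges, the 30-second TTL is an arbitrary choice, and the validator's verdict is passed in as a string rather than computed; none of these come from the post or from BIND.

```python
"""Toy model of 'return a fail-host address instead of SERVFAIL on DNSSEC
validation failure'. Editor's example, not from the bind-users post or BIND."""
import socket
import struct

NOERROR, SERVFAIL = 0, 2
QTYPE_A, QTYPE_AAAA = 1, 28
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010

# Constructed placeholders (documentation ranges): the provider's explanation host.
FAIL_HOST_V4 = "192.0.2.1"
FAIL_HOST_V6 = "2001:db8::1"
FAIL_HOST_TTL = 30  # arbitrary short TTL so caches do not pin the substitute


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(txid, qname, qtype, rcode, rdata=None, ttl=0, ad=False, client_flags=0):
    """Build a minimal response: header, echoed question, optional one-RR answer.
    Only A/AAAA rdata (IP address strings) is supported in this toy."""
    flags = FLAG_QR | FLAG_RA | (client_flags & (FLAG_RD | FLAG_CD)) | rcode
    if ad:
        flags |= FLAG_AD
    ancount = 1 if rdata is not None else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    if rdata is not None:
        fam = socket.AF_INET if qtype == QTYPE_A else socket.AF_INET6
        packed = socket.inet_pton(fam, rdata)
        # 0xC00C: compression pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, ttl, len(packed)) + packed
    return msg


def answer(txid, qname, qtype, state, rdata, client_flags=0):
    """Decide what to send back given the validator's verdict.
    state: 'secure' (validated) or 'bogus' (validation failed).
    rdata: the address data obtained upstream (returned as-is when CD is set)."""
    if client_flags & FLAG_CD:
        # Checking disabled: hand back the unvalidated data, never with AD set.
        return build_response(txid, qname, qtype, NOERROR, rdata, 3600, False, client_flags)
    if state == "secure":
        return build_response(txid, qname, qtype, NOERROR, rdata, 3600, True, client_flags)
    if qtype in (QTYPE_A, QTYPE_AAAA):
        # The proposal: substitute the fail-host address. AD must stay clear, since
        # this data was not authenticated; note a DNSSEC-aware client cannot tell
        # this apart from a genuine unsigned answer.
        sub = FAIL_HOST_V4 if qtype == QTYPE_A else FAIL_HOST_V6
        return build_response(txid, qname, qtype, NOERROR, sub, FAIL_HOST_TTL, False, client_flags)
    # Other types keep the standard fail-closed behaviour.
    return build_response(txid, qname, qtype, SERVFAIL, None, 0, False, client_flags)


def parse_header(msg):
    """Return the fields a client would look at: id, rcode, AD/CD bits, answer count."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0xF, "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "ancount": an}


def answer_address(msg):
    """Extract (address, ttl) from the single answer RR; requires ancount == 1."""
    pos = 12
    while msg[pos] != 0:          # skip question name labels
        pos += 1 + msg[pos]
    pos += 1 + 4                  # terminating zero, QTYPE, QCLASS
    rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[pos + 2:pos + 12])
    rdata = msg[pos + 12:pos + 12 + rdlen]
    fam = socket.AF_INET if rtype == QTYPE_A else socket.AF_INET6
    return socket.inet_ntop(fam, rdata), ttl


if __name__ == "__main__":
    for state, flags in (("secure", FLAG_RD), ("bogus", FLAG_RD), ("bogus", FLAG_RD | FLAG_CD)):
        m = answer(0x1234, "www.example.com.", QTYPE_A, state, "198.51.100.7", flags)
        print(state, "cd" if flags & FLAG_CD else "  ", parse_header(m), answer_address(m))
```

Run as-is to see the three cases side by side: a validated answer (AD set), the substituted fail-host answer (NOERROR, AD clear, short TTL), and the CD pass-through (original data, AD clear). A bogus query for any type other than A/AAAA still gets SERVFAIL.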