Hello all,

If the validation of a signed RR fails, the answer from the validating resolver to the requestor is SERVFAIL, if I understood correctly. To the average end user who isn't aware that DNS exists this translates to "it's broken". Possibly even "my ISP is broken" if the neighbor's ISP does not validate.

So wouldn't it be an interesting option to allow BIND to be configured to return an IP address in case of failed validation (if an A/AAAA record was queried)? This would allow the provider to set up a webpage with a small explanation of what went wrong. The obvious limitation of this feature would be that it assumes internet=http, even though you could go as far as setting up a few services reacting appropriately on that "fail-host". On the other hand it would help lessen the fear from the unexplainable failure and return something to a large part of the users (if only who is to blame).

Thoughts?

Best regards,
Gilles

--
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
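The SERVFAIL described in the post can be told apart from an ordinary resolver failure by repeating the query with the CD (checking disabled) bit set: a validating resolver then hands back the unvalidated data instead of SERVFAIL, while a genuine upstream failure stays SERVFAIL. The following is an added example, not code from the post or from BIND: it builds both queries in raw wire format, decodes the response header, and classifies the pair of responses; the helper names and the constructed sample headers are my own.

```python
import socket
import struct

SERVFAIL = 2  # RCODE value for SERVFAIL (RFC 1035)

def build_query(qname, qtype=1, checking_disabled=False, txid=0x1234):
    """Build a minimal wire-format DNS query (RD set; CD set when requested)."""
    flags = 0x0100 | (0x0010 if checking_disabled else 0)  # RD | CD
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN

def parse_header(resp):
    """Decode the 12-byte header: rcode, AD and CD flags, answer count."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": txid, "rcode": flags & 0x000F, "ad": bool(flags & 0x0020),
            "cd": bool(flags & 0x0010), "ancount": an}

def classify(resp_normal, resp_cd):
    """Compare a normal response with a CD=1 response to the same question."""
    n, c = parse_header(resp_normal), parse_header(resp_cd)
    if n["rcode"] == SERVFAIL and c["rcode"] == 0:
        # CD only switches validation off, so this difference is a validation failure
        return "dnssec-validation-failure"
    if n["rcode"] == SERVFAIL:
        return "upstream-or-resolver-failure"  # SERVFAIL even with checking disabled
    if n["rcode"] == 0 and n["ad"]:
        return "validated"  # AD bit: the resolver vouches for the answer
    return "other"

def sample_response(flags, ancount, txid=0x1234):
    """Constructed header-only response used for offline demonstration."""
    return struct.pack(">HHHHHH", txid, flags, 1, ancount, 0, 0)

def probe(qname, resolver="127.0.0.1", port=53, timeout=2.0):
    """Send both queries to a real resolver and classify (needs network access)."""
    responses = []
    for cd in (False, True):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(qname, checking_disabled=cd), (resolver, port))
            responses.append(s.recvfrom(4096)[0])
    return classify(*responses)
```

Running `probe("example.com", resolver="<your validating resolver>")` against a name whose signatures are deliberately broken should report a validation failure, which is the case the post wants to explain to end users.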