> I suppose there are different classes of failures; unfortunately on
> the resolver, there is only one result, SERVFAIL, to cover all. It
> would be better if there was a way to distinguish the "oops, admin
> bungled DNSSEC" errors from the ones which are more likely to be
> indicative of spoofing.

I'd like to see an EDNS(0) option that returns a detailed explanation of how a SERVFAIL happened. (I intend to write that IETF draft when engineering work gets out of my way enough that I have time to do it.) But it won't help until clients learn how to request that option and do something useful with the result.

> The hardest part of that might be to decide which is which. IME the
> one that bites us most often is that of the expired RRSIG. If we
> could log that but go ahead and accept the data, most of the pain
> would stop.

BIND has this:

    dnssec-accept-expired yes;

Note that it opens you to replay attacks, but misconfigured zones are more common than replay attacks, for now anyway.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
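The following is an added illustration of the trade-off discussed in the exchange above; it is not code from BIND, ISC or either poster. It parses RRSIG records in presentation format, compares the inception and expiration fields against a "current" time using the RFC 1982 serial-number arithmetic that RFC 4034 requires for those 32-bit fields, and then models the acceptance decision with and without the "accept expired" relaxation. The sample RRSIG lines and the current time are constructed; the base64 signature field is a placeholder and is not cryptographically verified, since only the time-window check is being shown. Treating only expired signatures as acceptable (not ones whose inception is still in the future) is an assumption based on the option's name, not on BIND's source.

```python
"""Classify RRSIG validity windows the way a validator does (RFC 4034 section
3.1.5 with RFC 1982 serial arithmetic) and model the effect of accepting
expired signatures.  Added example; not BIND code.  Sample records are
constructed and their signature field is a placeholder that is never verified."""
from datetime import datetime, timezone

# Constructed RRSIG records in presentation format.  Field order after "RRSIG":
# type covered, algorithm, labels, original TTL, expiration, inception,
# key tag, signer name, signature (base64).
SAMPLE_RRSIGS = [
    "example.net. 3600 IN RRSIG A 13 2 3600 20240110000000 20231227000000 12345 example.net. AAAA==",
    "example.net. 3600 IN RRSIG A 13 2 3600 20240301000000 20240201000000 12345 example.net. AAAA==",
    "example.net. 3600 IN RRSIG A 13 2 3600 20240401000000 20240320000000 12345 example.net. AAAA==",
]

def _to_unix(ts):
    """Parse YYYYMMDDHHMMSS (UTC) into the 32-bit POSIX time carried on the wire."""
    dt = datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) & 0xFFFFFFFF

def serial_gt(a, b):
    """RFC 1982 serial-number 'a > b' on 32-bit values.  The RRSIG time fields
    wrap in 2106, so a plain integer comparison is not correct in general."""
    return 0 < ((a - b) & 0xFFFFFFFF) < 0x80000000

def parse_rrsig(line):
    """Pull the fields a time-window check needs out of one RRSIG line."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {"owner": f[0], "type_covered": f[4], "algorithm": int(f[5]),
            "expiration": _to_unix(f[8]), "inception": _to_unix(f[9]),
            "key_tag": int(f[10]), "signer": f[11]}

def window_state(sig, now):
    """'valid' when inception <= now <= expiration (serial arithmetic),
    'expired' when now is past expiration, 'not-yet-valid' when before inception."""
    if serial_gt(sig["inception"], now):
        return "not-yet-valid"
    if serial_gt(now, sig["expiration"]):
        return "expired"
    return "valid"

def accept_signature(sig, now, accept_expired=False):
    """Model the validator's time-window decision.  accept_expired=True models
    the effect described for "dnssec-accept-expired yes;": an expired RRSIG is
    accepted (and should be logged) instead of failing validation, which is
    exactly the window a replayed stale RRset would slip through.  Assumption:
    not-yet-valid signatures are still rejected; the option only names expired ones."""
    state = window_state(sig, now)
    if state == "valid":
        return True, "within validity window"
    if state == "expired" and accept_expired:
        return True, "EXPIRED but accepted (dnssec-accept-expired); replay window open"
    return False, state

def triage(lines, now, accept_expired=False):
    """Return [(owner/type, accepted, reason)] for each RRSIG line."""
    out = []
    for line in lines:
        sig = parse_rrsig(line)
        ok, why = accept_signature(sig, now, accept_expired)
        out.append(("%s/%s" % (sig["owner"], sig["type_covered"]), ok, why))
    return out

if __name__ == "__main__":
    now = _to_unix("20240215120000")  # constructed "current" time
    for accept in (False, True):
        print("dnssec-accept-expired %s;" % ("yes" if accept else "no"))
        for name, ok, why in triage(SAMPLE_RRSIGS, now, accept):
            print("  %-16s %-5s %s" % (name, "ok" if ok else "FAIL", why))
```

To feed it real records from a zone that is SERVFAILing, query the resolver with the CD (checking disabled) bit set, e.g. `dig +cd +dnssec <name> <type>`, which returns the RRSIGs without validating them; an RRSIG whose expiration is in the past is the "admin bungled the rollover" case, while a signature that does not verify at all, or is missing, is the case that deserves more suspicion.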