SERVFAIL is often taken as a signal to try other servers for the
delegation point or some other recursive server. when recursive server
policy has trampled an answer, it is meant to be about the data, not the
server. so SERVFAIL is both operationally and syntactically wrong here.
as an example, DNS RPZ will by default pass through any DNSSEC-signed
response, but it can be overridden with an option called "break dnssec"
or similar. neither passing it through nor breaking the signatures is
desirable, but we kicked that can down the road.
in the years since DNS RPZ was made, i've realized that authoritarian
network operators including authoritarian national governments are not
well served by DNS RPZ in its current form. what we (and they) need is a
way to include the original answer and also a server-level signature on
the policy-trampled answer. this way we (and they) can watch what the
stub does next -- which answer it consumes -- and therefore know whether
the policy (or the law) is being abrogated, so as to trigger an
enforcement action.
probably this just means packing the original answer and the policy
signature into EDNS in some way. but the response itself will have to
have the policy-trampled answer and rcode (likely NXDOMAIN, but not always).
vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
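The response shape sketched in the post, as an added example that is not code from the post, from DNS RPZ, or from any resolver: the policy-trampled answer and rcode sit in the normal answer section, while the original answer and a server-level authenticator ride in an EDNS(0) option, and an auditor later compares what the stub connected to against both answers. Everything in it is assumed for illustration: the option code 65001 (taken from the RFC 6891 local/experimental range 65001-65534), the option layout (2-byte length, original answer RRs in wire form, then an HMAC-SHA256 over rcode, question, trampled answer section and original RRs), the names bad.example. and the RFC 5737 documentation addresses, and an HMAC with a key shared between resolver and auditor standing in for the per-server signature the post calls for, since the standard library has no asymmetric signing.

```python
# Added example (not from the original post or any RPZ implementation).
# Hypothetical wire layout, see the lead-in; stdlib only, no name compression.
import hashlib
import hmac
import ipaddress
import struct

OPT_POLICY_ORIG = 65001            # assumed option code (RFC 6891 local/experimental range)
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
KEY = b"resolver-auditor-shared-key"   # constructed sample key; stands in for a server signature


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf, off):
    labels = []
    while buf[off] != 0:
        n = buf[off]
        if n & 0xC0:
            raise ValueError("name compression is not produced by this example")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def a_rr(name, ttl, ip):
    rdata = ipaddress.IPv4Address(ip).packed
    return encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata


def parse_rr(buf, off):
    name, off = decode_name(buf, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
    off += 10
    return (name, rtype, rclass, ttl, buf[off:off + rdlen]), off + rdlen


def build_trampled_response(qid, qname, rcode, policy_rrs, original_rrs, key):
    """Resolver side: answer with the policy result (data, not a server failure,
    so never SERVFAIL) but carry the original answer plus a MAC in OPT."""
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answer, original = b"".join(policy_rrs), b"".join(original_rrs)
    mac = hmac.new(key, bytes([rcode]) + question + answer + original, hashlib.sha256).digest()
    optdata = struct.pack("!H", len(original)) + original + mac
    option = struct.pack("!HH", OPT_POLICY_ORIG, len(optdata)) + optdata
    # OPT RR: root name, type 41, class = UDP payload size, TTL = ext-rcode/version/flags
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(option)) + option
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(policy_rrs), 0, 1)
    return header + question + answer + opt_rr


def audit_response(msg, key):
    """Auditor side: recover rcode, policy answer and the MAC-checked original answer."""
    _, flags, _, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    rcode = flags & 0xF
    _, off = decode_name(msg, 12)
    question, off = msg[12:off + 4], off + 4
    ans_start, policy = off, []
    for _ in range(an):
        rr, off = parse_rr(msg, off)
        policy.append(rr)
    answer = msg[ans_start:off]
    for _ in range(ns):                          # authority section: not needed here
        _, off = parse_rr(msg, off)
    original_ips, verified = [], False
    for _ in range(ar):
        rr, off = parse_rr(msg, off)
        if rr[1] != TYPE_OPT:
            continue
        rdata, o = rr[4], 0
        while o < len(rdata):
            code, ln = struct.unpack_from("!HH", rdata, o)
            data, o = rdata[o + 4:o + 4 + ln], o + 4 + ln
            if code != OPT_POLICY_ORIG:
                continue
            (olen,) = struct.unpack_from("!H", data, 0)
            original, mac = data[2:2 + olen], data[2 + olen:]
            expect = hmac.new(key, bytes([rcode]) + question + answer + original, hashlib.sha256).digest()
            verified = hmac.compare_digest(mac, expect)   # constant-time compare
            p = 0
            while p < len(original):
                orr, p = parse_rr(original, p)
                if orr[1] == TYPE_A:
                    original_ips.append(str(ipaddress.IPv4Address(orr[4])))
    policy_ips = [str(ipaddress.IPv4Address(rr[4])) for rr in policy if rr[1] == TYPE_A]
    return {"rcode": rcode, "verified": verified, "policy_ips": policy_ips, "original_ips": original_ips}


def classify_next_hop(audit, dest_ip):
    """What the stub did next: 'original' means it consumed the un-trampled answer."""
    if not audit["verified"]:
        return "unverifiable"        # MAC failed: do not trust either answer list
    if dest_ip in audit["original_ips"]:
        return "original"
    if dest_ip in audit["policy_ips"]:
        return "policy"
    return "unrelated"


def demo():
    # Constructed sample: bad.example. really resolves to 192.0.2.10, policy says
    # NXDOMAIN, and the auditor later sees the stub connect to 192.0.2.10 anyway.
    msg = build_trampled_response(0x1234, "bad.example.", RCODE_NXDOMAIN, [],
                                  [a_rr("bad.example.", 300, "192.0.2.10")], KEY)
    audit = audit_response(msg, KEY)
    return audit, classify_next_hop(audit, "192.0.2.10")
```

The same layout also serves a walled-garden rewrite (rcode NOERROR with a policy A record in the answer section); the auditor then reports "policy" when the stub connects to the substituted address and "original" when it goes to the real one.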