On Fri, Nov 13, 2015 at 10:51:52AM +0100, Bjørn Mork wrote:
> So what do we do? We currently point the blocked domains to addresses of
> a web server with a short explanation. But what if the domains were
> signed? We could let validating servers return SERVFAIL. But I'd
> really prefer avoiding that for the simple reason that there is no way
> to distinguish that SERVFAIL from one caused by e.g. a domain owner
> configuration error.

Perhaps we need to expand RCODE to be the full octet, and indicate "blocked for legal reasons" with RCODE value 25.

- Matt