On Sat, Nov 14, 2015 at 05:32:41PM +1100, Mark Andrews wrote:
In message <20151114044614.GA4973@hezmatt.org>, Matt Palmer writes:
On Fri, Nov 13, 2015 at 10:51:52AM +0100, Bj�rn Mork wrote:
So what do we do? We currently point the blocked domains to addresses of a web server with a short explanation. But what if the domains were signed? We could let validating servers return SERVFAIL. But I'd really prefer avoiding that for the simple reason that there is no way to distinguish that SERVFAIL from one caused by e.g. a domain owner configuration error.
Perhaps we need to expand RCODE to be the full octet, and indicate "blocked for legal reasons" with RCODE value 25.
Rcode's were expanded to 12 bits back in 1999. See RFC 2671.
I didn't feel it was worth looking beyond RFC1035 for an off-the-cuff joke. - Matt