[RPZ] marking packets modified by DNS-RPZ-policy
Florian Weimer
fweimer at bfk.de
Mon Aug 9 16:46:35 UTC 2010
* Hannes Frederic Sowa:
> I would like to propose adding a marker to dns-packets modified due to a
> dns-rpz-policy. If I compare dns-rpz to (smtp-)dnsbl or rhsbl I have some
> kind of transparency, in which who blocked what and most of the time,
> who initiated the blocking (per smtp status messages).
I think this would be implicit if the response is DNSSEC-signed. To
achieve this, the RPZ zone needs to be signed as a root zone, and the
records need to be copied in a replacement answer. The key tag in the
RRSIG records, combined with the signatures themselves, would then
provide sufficient information to attribute the replacement to a
particular RPZ provider.
--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
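The attribution step Florian describes above, as an added example that is not part of the thread: if the RPZ provider's zone is DNSSEC-signed, the replacement answer carries an RRSIG whose key tag and signer name point at one of the provider's DNSKEYs. The code computes the RFC 4034 key tag from DNSKEY RDATA, parses RRSIG RDATA from wire format, and looks the (signer, key tag) pair up in a local table of known provider keys. The DNSKEY, RRSIG, zone name `rpz.example.` and provider label are constructed sample values; real attribution must still validate the signature against the matching DNSKEY, since key tags are not unique.

```python
"""Attribute an RPZ-rewritten answer to a provider via its RRSIG key tag.

Added example, not code from the mailing-list thread. Assumes the RPZ zone
is DNSSEC-signed so the replacement answer is accompanied by an RRSIG made
with the provider's DNSKEY. All key material below is constructed.
"""
import struct

def dnskey_keytag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def _encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def _decode_name(buf: bytes, off: int):
    """Decode an uncompressed wire-format name (RRSIG signer names are never compressed)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not allowed in RRSIG signer name")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off

def build_rrsig(type_covered, alg, labels, orig_ttl, exp, inc, key_tag, signer, signature) -> bytes:
    """Serialize RRSIG RDATA (RFC 4034 section 3.1); used only to construct sample data."""
    return (struct.pack(">HBBIIIH", type_covered, alg, labels, orig_ttl, exp, inc, key_tag)
            + _encode_name(signer) + signature)

def parse_rrsig(rdata: bytes) -> dict:
    """Parse RRSIG RDATA wire format into its fields."""
    fields = struct.unpack(">HBBIIIH", rdata[:18])
    signer, off = _decode_name(rdata, 18)
    keys = ("type_covered", "algorithm", "labels", "original_ttl",
            "expiration", "inception", "key_tag")
    out = dict(zip(keys, fields))
    out["signer"] = signer
    out["signature"] = rdata[off:]
    return out

def attribute_rrsig(rrsig: dict, provider_keys: dict):
    """Map (signer name, key tag) to a provider label, or None if unknown.

    Key tags are 16-bit and can collide, so a hit only names the candidate
    key; the validator must still verify the signature with that DNSKEY.
    """
    return provider_keys.get((rrsig["signer"], rrsig["key_tag"]))

def attribute_answer(rrsig_rdatas, provider_keys: dict):
    """Return the first provider matched by any RRSIG in the answer, else None
    (an unsigned replacement answer has no RRSIG and cannot be attributed)."""
    for rdata in rrsig_rdatas:
        provider = attribute_rrsig(parse_rrsig(rdata), provider_keys)
        if provider is not None:
            return provider
    return None

# Constructed sample DNSKEY RDATA: flags 257 (KSK), protocol 3, algorithm 13,
# followed by a 64-byte placeholder public key (not a real key).
SAMPLE_DNSKEY_RDATA = bytes([0x01, 0x01, 0x03, 0x0D]) + bytes(range(64))

# Constructed registry of known RPZ provider keys, keyed by (signer, key tag).
PROVIDER_KEYS = {
    ("rpz.example.", dnskey_keytag(SAMPLE_DNSKEY_RDATA)): "Example RPZ feed",
}

# Constructed RRSIG over an A record in the replacement answer, signed by the
# sample key; the signature bytes are a placeholder, not a real signature.
SAMPLE_RRSIG_RDATA = build_rrsig(
    type_covered=1, alg=13, labels=2, orig_ttl=300,
    exp=1281400000, inc=1280800000,
    key_tag=dnskey_keytag(SAMPLE_DNSKEY_RDATA),
    signer="rpz.example.", signature=bytes(64),
)

if __name__ == "__main__":
    sig = parse_rrsig(SAMPLE_RRSIG_RDATA)
    print("signer:", sig["signer"], "key tag:", sig["key_tag"])
    print("attributed to:", attribute_answer([SAMPLE_RRSIG_RDATA], PROVIDER_KEYS))
```

The registry lookup is the cheap first step a resolver or log pipeline can do on every rewritten answer; on a hit, the corresponding DNSKEY is fetched from the provider's zone and the signature verified, which is what actually proves the rewrite came from that provider rather than from anyone who knew the key tag.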