[RPZ] marking packets modified by DNS-RPZ-policy

Florian Weimer fweimer at bfk.de
Mon Aug 9 16:46:35 UTC 2010

* Hannes Frederic Sowa:

> I would like to propose adding a marker to dns-packets modified due to a
> dns-rpz-policy. If I compare dns-rpz to (smtp-)dnsbl or rhsbl I have some
> kind of transparency, in which who blocked what and most of the time,
> who initiated the blocking (per smtp status messages).

I think this would be implicit if the reponse is DNSSEC-signed.  To
achieve this, the RPZ zone needs to be signed as a root zone, and the
records need to be copied in a replacement answer.  The key tag in the
RRSIG records, combined with the signatures themselves, would then
provide sufficient information to attribute the replacement to a
particular RPZ provider.

Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

More information about the DNSfirewalls mailing list