[RPZ] DNSSEC (Was: marking packets modified by DNS-RPZ-policy)

Mike Damm mike at damm.com
Mon Aug 9 19:55:02 UTC 2010

I would like to see the proposal detail (or have Paul explain) how this 
should interact with DNSSEC.

Florian Weimer wrote:
> * Hannes Frederic Sowa:
>> I would like to propose adding a marker to dns-packets modified due to a
>> dns-rpz-policy. If I compare dns-rpz to (smtp-)dnsbl or rhsbl I have some
>> kind of transparency, in which who blocked what and most of the time,
>> who initiated the blocking (per smtp status messages).
> I think this would be implicit if the reponse is DNSSEC-signed.  To
> achieve this, the RPZ zone needs to be signed as a root zone, and the
> records need to be copied in a replacement answer.  The key tag in the
> RRSIG records, combined with the signatures themselves, would then
> provide sufficient information to attribute the replacement to a
> particular RPZ provider.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.redbarn.org/pipermail/dnsfirewalls/attachments/20100809/867239b6/attachment.html>

More information about the DNSfirewalls mailing list