[RPZ] DNSSEC (Was: marking packets modified by DNS-RPZ-policy)
mike at damm.com
Mon Aug 9 19:55:02 UTC 2010
I would like to see the proposal detail (or have Paul explain) how this
should interact with DNSSEC.
Florian Weimer wrote:
> * Hannes Frederic Sowa:
>> I would like to propose adding a marker to dns-packets modified due to a
>> dns-rpz-policy. If I compare dns-rpz to (smtp-)dnsbl or rhsbl I have some
>> kind of transparency, in which who blocked what and most of the time,
>> who initiated the blocking (per smtp status messages).
> I think this would be implicit if the reponse is DNSSEC-signed. To
> achieve this, the RPZ zone needs to be signed as a root zone, and the
> records need to be copied in a replacement answer. The key tag in the
> RRSIG records, combined with the signatures themselves, would then
> provide sufficient information to attribute the replacement to a
> particular RPZ provider.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the DNSfirewalls