[RPZ] DNSSEC (Was: marking packets modified by DNS-RPZ-policy)

Paul Vixie vixie at isc.org
Mon Aug 9 20:28:34 UTC 2010

> Date: Mon, 09 Aug 2010 12:55:02 -0700
> From: Mike Damm <mike at damm.com>
> I would like to see the proposal detail (or have Paul explain) how this
> should interact with DNSSEC.

at the moment, dnssec doesn't affect policy based results at all.  we may
even go so far as to disable policy rewriting for RD=1 CD=1 DO=1, on the
assumption that a downstream recursive who is using us as a forwarder, or
a stub validator, is a big boy and can handle its own policy needs.

so, there will be no rrsigs or other dnssec metadata on policy based 
responses, and we will not set the "AD" bit on such responses.  florian's
idea about signing the RPZ zone and using its RRSIGs on policy based answer
rrsets is *very* interesting and i'm trying to think about how it would
work.  it would not be useful for downstream validation, since we'd be
changing the owner name, which is covered by the signature.  but it would
give a key tag which would expose the identity of the RPZ who affected the
result, and i can see why that would be valuable.

More information about the DNSfirewalls mailing list