Florian Weimer fweimer at bfk.de
Tue Aug 10 09:44:58 UTC 2010

* Paul Vixie:

> at the moment, dnssec doesn't affect policy based results at all.  we may
> even go so far as to disable policy rewriting for RD=1 CD=1 DO=1, on the
> assumption that a downstream recursive who is using us as a forwarder, or
> a stub validator, is a big boy and can handle its own policy needs.

Such a trivial bypass would be at odds with the requirements of
existing response policy providers.  Ideally, these response policies
would even be applied to network traffic in transit.  (The purely
query-based approach allows one to answer more quickly than the
original data source, thus affecting resolver behavior without
updating the resolver configuration.  This is an important feature of
the proposal.)

> so, there will be no rrsigs or other dnssec metadata on policy based 
> responses, and we will not set the "AD" bit on such responses.  florian's
> idea about signing the RPZ zone and using its RRSIGs on policy based answer
> rrsets is *very* interesting and i'm trying to think about how it would
> work.  it would not be useful for downstream validation, since we'd be
> changing the owner name, which is covered by the signature.

When I wrote "signed as a root zone", I was implying that the RPZ name
suffix was stripped from the owner names prior to signature creation.
The result should validate with the appropriate trust anchor.

Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
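The point in the exchange above (an RRSIG covers the owner name, so signing the RPZ zone as-is cannot validate the rewritten answer, whereas signing it "as a root zone" with the RPZ suffix stripped from the owner names can) is easy to see with the RFC 4034 signed-data layout. The following is an added illustration, not code from this message, from BIND or from any RPZ implementation. It assumes a hypothetical RPZ zone name `rpz.example.net.`, a constructed policy A record, and uses HMAC-SHA256 under a constructed key as a stand-in for a real DNSSEC signature algorithm (tagged with the RFC 4034 private-algorithm number 253); the signer name is the root, since the policy zone is signed as a root zone.

```python
"""Toy illustration of signing an RPZ zone 'as a root zone' (added example).

Signed data follows RFC 4034 section 3.1.8.1:
    RRSIG RDATA (without the signature field) || canonical RR
The owner name sits inside the canonical RR, so whatever name is
signed is the name the validator must see in the answer.
"""
import hashlib
import hmac
import struct

RPZ_SUFFIX = "rpz.example.net."   # hypothetical RPZ zone name (assumption)
KEY = b"toy-zone-signing-key"     # constructed key for the HMAC stand-in
PRIVATEDNS = 253                  # RFC 4034 algorithm number for private algorithms


def normalize(name: str) -> str:
    """Lowercase and make absolute (trailing dot), as in DNSSEC canonical form."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def wire_name(name: str) -> bytes:
    """Canonical wire form: length-prefixed lowercase labels plus root terminator."""
    name = normalize(name)
    out = b""
    if name != ".":
        for label in name[:-1].split("."):
            lab = label.encode("ascii")
            out += struct.pack("B", len(lab)) + lab
    return out + b"\x00"


def label_count(name: str) -> int:
    """Number of labels, as carried in the RRSIG 'labels' field."""
    name = normalize(name)
    return 0 if name == "." else name[:-1].count(".") + 1


def strip_rpz_suffix(rpz_owner: str) -> str:
    """Map an RPZ policy owner name to the name the policy is for:
    www.example.com.rpz.example.net. -> www.example.com."""
    rpz_owner = normalize(rpz_owner)
    if not rpz_owner.endswith("." + RPZ_SUFFIX):
        raise ValueError("not an owner name under %s: %s" % (RPZ_SUFFIX, rpz_owner))
    return rpz_owner[: -len(RPZ_SUFFIX)]


def signed_data(owner, rtype, ttl, rdata, expire=1600000000, incept=1590000000, keytag=12345):
    """RFC 4034 s3.1.8.1 layout for a single-RR RRset (constructed timestamps/keytag)."""
    rrsig_rdata = struct.pack("!HBBIIIH", rtype, PRIVATEDNS, label_count(owner),
                              ttl, expire, incept, keytag) + wire_name(".")  # signer: root
    rr = wire_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return rrsig_rdata + rr


def sign_policy_rr(rpz_owner, rtype, ttl, rdata):
    """Sign a policy RR over its *stripped* owner name: 'signed as a root zone'."""
    data = signed_data(strip_rpz_suffix(rpz_owner), rtype, ttl, rdata)
    return hmac.new(KEY, data, hashlib.sha256).digest()


def verify_rr(owner, rtype, ttl, rdata, sig):
    """Validator side: recompute over the owner name actually present in the answer."""
    expected = hmac.new(KEY, signed_data(owner, rtype, ttl, rdata), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def demo():
    A = 1
    rpz_owner = "WWW.Badsite.Example.rpz.example.net."  # constructed policy RR owner
    rdata = bytes([10, 0, 0, 1])                       # constructed walled-garden A RDATA
    ttl = 300
    sig = sign_policy_rr(rpz_owner, A, ttl, rdata)
    rewritten = strip_rpz_suffix(rpz_owner)            # owner name the client receives
    return {
        "rewritten_owner": rewritten,
        "validates_on_rewritten_owner": verify_rr(rewritten, A, ttl, rdata, sig),
        "validates_on_rpz_owner": verify_rr(rpz_owner, A, ttl, rdata, sig),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the signature checking out on `www.badsite.example.` and failing on the RPZ owner name; a validator configured with the policy zone's key as a trust anchor would therefore accept the rewritten RRset, which is what the "signed as a root zone" construction is after. The TTL is also covered, so a rewriting resolver has to hand out the policy RR's original TTL for the signature to remain valid.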
