fweimer at bfk.de
Tue Aug 10 09:44:58 UTC 2010
* Paul Vixie:
> at the moment, dnssec doesn't affect policy based results at all. we may
> even go so far as to disable policy rewriting for RD=1 CD=1 DO=1, on the
> assumption that a downstream recursive who is using us as a forwarder, or
> a stub validator, is a big boy and can handle its own policy needs.
Such a trivial bypass would be at odds with the requirements of
existing response policy providers. Ideally, these response policies
would even be applied to network traffic in transit. (The purely
query-based approach allows one to answer more quickly than the
original data source, thus affecting resolver behavior without
updating the resolver configuration. This is an important feature of
> so, there will be no rrsigs or other dnssec metadata on policy based
> responses, and we will not set the "AD" bit on such responses. florian's
> idea about signing the RPZ zone and using its RRSIGs on policy based answer
> rrsets is *very* interesting and i'm trying to think about how it would
> work. it would not be useful for downstream validation, since we'd be
> changing the owner name, which is covered by the signature.
When I wrote "signed as a root zone", I was implying that the RPZ name
suffix was stripped from the owner names prior to signature creation.
The result should validate with the appropriate trust anchor.
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
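The point under discussion, as an added illustration that is not code from this thread or from any RPZ implementation: a DNSSEC signature covers the canonical RRset including its owner name, so an RRSIG made over the trigger name inside the RPZ zone cannot validate the rewritten answer, whereas a signature made after stripping the RPZ suffix ("signed as a root zone") can. The RPZ suffix, key, address and TTL are constructed values, and a keyed HMAC stands in for a real RRSIG algorithm so the example runs with the standard library alone.

```python
import hashlib
import hmac
import ipaddress
import struct

RPZ_SUFFIX = "rpz.example.net."  # constructed apex of the policy zone
KEY = b"constructed-rpz-provider-key"  # stand-in for the provider's signing key
TRIGGER = "www.example.com.rpz.example.net."  # constructed RPZ trigger name
POLICY_ADDR = "192.0.2.1"  # constructed walled-garden address
TTL = 300


def wire_name(name: str) -> bytes:
    """Canonical wire-format name (RFC 4034 s6.2): lowercased, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def strip_rpz_suffix(owner: str) -> str:
    """Map an RPZ trigger name back to the name the resolver will answer under."""
    if not owner.lower().endswith("." + RPZ_SUFFIX):
        raise ValueError("not a name inside the RPZ zone")
    return owner[: -len(RPZ_SUFFIX)]


def canonical_rrset(owner: str, ttl: int, addr: str) -> bytes:
    """Canonical form of a one-record A RRset: owner | type | class | TTL | rdlen | rdata."""
    rdata = ipaddress.IPv4Address(addr).packed
    return wire_name(owner) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata


def sign(key: bytes, owner: str, ttl: int, addr: str) -> bytes:
    # HMAC stands in for an RRSIG; what matters is that the owner name is signed.
    return hmac.new(key, canonical_rrset(owner, ttl, addr), hashlib.sha256).digest()


def validates(key: bytes, owner: str, ttl: int, addr: str, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, owner, ttl, addr), sig)


def demo() -> dict:
    rewritten = strip_rpz_suffix(TRIGGER)          # the owner name actually answered
    sig_rpz = sign(KEY, TRIGGER, TTL, POLICY_ADDR)  # signed as stored in the RPZ zone
    sig_stripped = sign(KEY, rewritten, TTL, POLICY_ADDR)  # signed "as a root zone"
    return {
        "rewritten_owner": rewritten,
        "rpz_sig_validates": validates(KEY, rewritten, TTL, POLICY_ADDR, sig_rpz),
        "stripped_sig_validates": validates(KEY, rewritten, TTL, POLICY_ADDR, sig_stripped),
    }


if __name__ == "__main__":
    print(demo())
```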