vixie at isc.org
Tue Aug 10 19:34:36 UTC 2010
> From: Florian Weimer <fweimer at bfk.de>
> Date: Tue, 10 Aug 2010 09:44:58 +0000
> Such a trivial bypass would be at odds with the requirements of
> existing response policy providers. ...
> When I wrote "signed as a root zone", I was implying that the RPZ name
> suffix was stripped from the owner names prior to signature creation.
> The result should validate with the appropriate trust anchor.
if by "appropriate" you don't mean the IANA one i'd agree that it would
validate but i wouldn't agree that it was a good idea.
More information about the DNSfirewalls