[RPZ] RPZ seen at MAAWG
Tim Wilde
twilde at cymru.com
Wed Oct 6 14:58:55 UTC 2010
On 10/6/2010 10:54 AM, Eric Ziegast wrote:
> #### ISC does not publish any RPZ or give perception of publishing
>
> 2.2. The remainder of the zone is expressions of DNS policy.
> The owner name of a Response Policy Zone resource record set
> (RRset) is the relativised name of the domain name about which
> policy is being expressed. For example, in a policy zone called
> RPZ.ISC.ORG, an RRset at WWW.VIX.COM.RPZ.SIE.ISC.ORG would affect
> responses to lookups of WWW.VIX.COM. DNS RPZ RRset owner names
> can be wildcarded according to normal rules, for example
> *.VIX.COM.RPZ.ISC.ORG would affect responses for any subdomain of
> VIX.COM. This means that in order to affect both a domain and
> its subdomains, policy must be entered for both that domain and
> its wildcard subdomain.
>
> Let's find something else besides ISC.ORG. With Jeff's blessing, maybe
> we can use SURBL here or some other willing participant (eg: just
> RPZ.VIX.COM or some other straw-man domain).
Isn't that what example.com/net/org are reserved for?
http://tools.ietf.org/html/rfc2606#section-3
I wouldn't think we'd need to reinvent the wheel.
Neat stuff, thanks for continuing to work on this Eric!
Regards,
Tim Wilde
--
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
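
The owner-name rule in the quoted section 2.2 text, as an added example that is not part of either message and is not ISC's or BIND's code. It models the "normal rules" for wildcards as the closest-encloser logic of RFC 4592; the policy zone name `rpz.example.org` and both function names are assumptions made for illustration.

```python
# Added example: simplified model of RPZ owner-name matching under normal DNS
# wildcard rules. Not BIND's implementation; the zone name below is assumed.
POLICY_ZONE = "rpz.example.org"  # assumed policy zone under an RFC 2606 reserved domain

def relativise(owner, zone=POLICY_ZONE):
    """Strip the policy-zone suffix: 'www.vix.com.rpz.example.org' -> 'www.vix.com'."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    suffix = "." + zone
    if not owner.endswith(suffix):
        raise ValueError(f"{owner!r} is not inside policy zone {zone!r}")
    return owner[: -len(suffix)]

def matching_policy(qname, owners, zone=POLICY_ZONE):
    """Return the policy-zone owner name that applies to qname, or None."""
    triggers = {relativise(o, zone): o for o in owners}
    # Every ancestor of an owner name exists in the zone, possibly only as an
    # empty non-terminal (a name with no records of its own).
    existing = set()
    for t in triggers:
        parts = t.split(".")
        existing.update(".".join(parts[i:]) for i in range(len(parts)))
    labels = qname.lower().rstrip(".").split(".")
    name = ".".join(labels)
    if name in existing:
        # Exact owner name, or an empty non-terminal that carries no policy.
        return triggers.get(name)
    # Otherwise only the wildcard directly below the closest existing ancestor
    # can match; the zone apex (empty relative name) always exists.
    for i in range(1, len(labels) + 1):
        encloser = ".".join(labels[i:])
        if encloser == "" or encloser in existing:
            return triggers.get("*." + encloser if encloser else "*")
    return None

if __name__ == "__main__":
    # Constructed sample policy sets for the VIX.COM case in the quoted text.
    wildcard_only = ["*.vix.com.rpz.example.org"]
    both = ["vix.com.rpz.example.org", "*.vix.com.rpz.example.org"]
    for label, owners in (("wildcard only", wildcard_only), ("both", both)):
        for q in ("vix.com", "www.vix.com"):
            print(f"{label:14} {q:12} -> {matching_policy(q, owners)}")
```

With only the wildcard entered, `vix.com` itself gets no policy, which is why the quoted text calls for an entry at both the domain and its wildcard subdomain.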