[RPZ] RPZ seen at MAAWG

Tim Wilde twilde at cymru.com
Wed Oct 6 14:58:55 UTC 2010

Hash: SHA1

On 10/6/2010 10:54 AM, Eric Ziegast wrote:
> #### ISC does not publish any RPZ or give perception of publishing
>  2.2. The remainder of the zone is expressions of DNS policy.
>    The owner name of a Response Policy Zone resource record set
>    (RRset) is the relativised name of the domain name about which
>    policy is being expressed.  For example, in a policy zone called
>    RPZ.ISC.ORG, an RRset at WWW.VIX.COM.RPZ.SIE.ISC.ORG would affect
>    responses to lookups of WWW.VIX.COM.  DNS RPZ RRset owner names
>    can be wildcarded according to normal rules, for example
>    *.VIX.COM.RPZ.ISC.ORG would affect responses for any subdomain of
>    VIX.COM.  This means that in order to affect both a domain and
>    its subdomains, policy must be entered for both that domain and
>    its wildcard subdomain.
> Let's find something else beside ISC.ORG.  With Jeff's blassing, maybe
> we can use SURBL here or some other willing participant (eg: just
> RPZ.VIX.COM or some other straw-man domain).

Isn't that what example.com/net/org are reserved for?


I wouldn't think we'd need to reinvent the wheel.

Neat stuff, thanks for continuing to work on this Eric!

Tim Wilde

- -- 
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


More information about the DNSfirewalls mailing list