[RPZ] RPZ vs. bogus DNS

vjs at rhyolite.com vjs at rhyolite.com
Sat Jul 16 00:51:22 UTC 2011

What should happen if bad data is encountered while checking for
NSIP or NSDNAME RPZ rewriting?

A single tainted NS IP address or domain among all of the RRsets for
a domain and its parents taints (rewrites) the domain.  For example,
given a query about evil.sub.domain.tld and
    domain.tld.		NS  ns.domain.tld.
    ns.domain.tld.	A
and either of these RPZ rules:
    ns.domain.tld.rpz-nsdname	CNAME   wgarden.example.com    	CNAME   wgarden.example.com
would give an answer to the original query of 
    evil.sub.domain.tld	CNAME   wgarden.example.com

My question concerns what should happen in that example if there
were another NS record for domain.tld that is bad in any of the
many ways that bogusity can happen, including a name that cannot be
resolved into an A or AAAA record.
In other words, should a bogus authority taint or force RPZ rewriting?

When bogusity is innocent, it would be good that a single bad record
or crazed DNS server is ignored for RPZ rewriting.  Maybe not when
the bogusity is malign.

That conflict implies that no a single answer would make all RPZ users
happy.   So I'm wondering a rule or RRsets for rpz-nsip should match
the missing IP address?  As in
    rpz-nsip		CNAME    wgarden.example.com

If too few would use that rule because of the the false positives,
then the answer is no.

I think this is unrelated to lame delegations and to the (re)validating
discussed in http://tools.ietf.org/html/draft-vixie-dnsext-resimprove-00
A single bad authority among valid authorities does not normally invalidate 
a domain.

Vernon Schryver    vjs at rhyolite.com

More information about the DNSfirewalls mailing list