[RPZ] RPZ vs. bogus DNS

Paul Vixie vixie at isc.org
Sat Jul 16 03:03:01 UTC 2011

> Date: Sat, 16 Jul 2011 00:51:22 GMT
> From: vjs at rhyolite.com
> ...
> My question concerns what should happen in that example if there
> were another NS record for domain.tld that is bad in any of the
> many ways that bogusity can happen, including a name that cannot be
> resolved into an A or AAAA record.
> In other words, should a bogus authority taint or force RPZ rewriting?

no.  if in that case the name matches, then trigger on it.  if there
is no address then you won't be triggering on that.  

> When bogusity is innocent, it would be good that a single bad record
> or crazed DNS server is ignored for RPZ rewriting.  Maybe not when
> the bogusity is malign.

this is a fine question, like earlier today, for rpz-interest.

> That conflict implies that no a single answer would make all RPZ users
> happy.   So I'm wondering a rule or RRsets for rpz-nsip should match
> the missing IP address?  As in
>     rpz-nsip		CNAME    wgarden.example.com
> If too few would use that rule because of the the false positives,
> then the answer is no.

the answer is no but not for that reason.  it's because we can't handle
the support questions we'd get from those who tried to use it or wondered
if they should use it.

> I think this is unrelated to lame delegations and to the (re)validating
> discussed in http://tools.ietf.org/html/draft-vixie-dnsext-resimprove-00


> A single bad authority among valid authorities does not normally invalidate 
> a domain.


More information about the DNSfirewalls mailing list