[RPZ] RPZ behavior in the presence of DNSSEC signatures and DO=1 queries

Vernon Schryver vjs at rhyolite.com
Mon Jan 2 23:53:07 UTC 2012

> From: Bill Owens <owens at nysernet.org>

> A little while ago I wrote a blog article making a skeptical comparison
> between RPZ and PROTECT-IP. Paul Vixie commented on it, offering two
> points about the differences between them - the very real difference
> that one is voluntary and the other mandatory, which I completely agree
> with, and a statement that "RPZ stands aside whenever it sees a
> DNSSEC-aware client trying to access DNSSEC-signed data".

"Stands asside" is not quite right and should not be.  What good
would a security mechanism be if it were disabled when clients ask
for more security?

What happens with RPZ filtering of DNSSEC-signed data is that RPZ
rewritten results fail DNSSEC validation.  A DNSSEC checking DNS client
will get no real or DNSEC validated answers, including NOERROR or
NXDOMAIN.  DNS clients including browsers subject to RPZ filtering are
informed via DNSSEC that RPZ filtering has happened.  Try it with a
browser that checks DNSSEC, such as Firefox+DNSSEC Validator.

Thus, because it cannot hide its effects from DNSSEC, RPZ is less
objectionable than a firewall or spam filter.  How do you know that
you've failed to receive mail that a spam filter (or the secret
police filter) declared contrary someone's interest?

Contrast that with PROTECT-IP.  Never mind the gibberish of PROTECT-IP
advocates.  They simply could not get a noticable number of nonauthoritative
DNS servers to do anything about their forbidden DNS names; they'd
have to change recource records in the DNS registeries.  Bogus RRs can
be as easily signed with secret police keys as honest RRs can be signed
with the owner's keys.  With PROTECT-IP, you won't be able tell whether
the NSEC or NSEC3 validating NXDOMAIN or the DNSSEC validating A or
AAAA records have been sanitized.

Registries that tried to resist passively by not changing signatures
along with other RRs would soon be re-educated by the secret police.
If not, PROTECT-IP might do some good by increasing the deployment

Vernon Schryver    vjs at rhyolite.com

More information about the DNSfirewalls mailing list