[RPZ] RPZ behavior in the presence of DNSSEC signatures and DO=1 queries

Vernon Schryver vjs at rhyolite.com
Tue Jan 3 01:10:13 UTC 2012

> From: Bill Owens <owens at nysernet.org>

> > "Stands aside" is not quite right and should not be.  What good
> > would a security mechanism be if it were disabled when clients ask
> > for more security?
> That's exactly the point I was expecting to make in my yet-to-be-finished
> article. RPZ, having been written by people who actually understand
> DNS, would naturally not interfere with DNSSEC. In that way it is
> distinguished from PROTECT-IP and SOPA (and now the new French decree).
> But that also means RPZ is a short-term fix, because the deployment
> of DNSSEC is accelerating (we hope), and once enough hosts are sending
> DO=1 queries, the bad guys will only have to sign their zones in order
> to evade RPZ blocking.

On the contrary, RPZ can be just as effective when DNSSEC is finally
deployed as it is today.  As I tried to say before, RPZ would be
useless snake oil in the tradition of SPF if it could be evaded by
bad guys signing their zones.

DNSSEC does nothing serious to RPZ by telling clients that RPZ filtering
has occurred.  Web pages, mail messages, and everything else are blocked
by RPZ NOERROR or NXDOMAIN rules whether the domain name owners sign
their records or not.  RPZ filters that redirect users to walled gardens
will either be more obvious because of browser warnings about DNSSEC
validation failures or they will look like NXDOMAIN or NOERROR RPZ
rules, also with browser warnings.

The significant problem with RPZ is not DNSSEC or obvious counters by
the bad guys, but the familiar problems deploying anything like it.
You need to get enough people using and eventually buying RPZ data
to make it worthwhile for other DNS software vendors to support RPZ
and for other people to generate RPZ data.

Vernon Schryver    vjs at rhyolite.com
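An added example, not part of the thread or of any RPZ data feed: a minimal RPZ zone file showing the three rule types discussed above. The rewritten answer is generated by the recursive server, so it carries no signature from the target zone; a validating client that sent DO=1 therefore sees a validation failure instead of a walled-garden page, which is the "browser warning" case described above. All domain names (the blocked names and the garden host) are hypothetical.

```zone
; Added example, not from the mailing-list thread. Hypothetical names.
; Load this file as a response-policy zone in the recursive server; the
; rule encodings below (CNAME to ".", to "*." and to a garden host) are
; the standard RPZ conventions for NXDOMAIN, NODATA and redirection.
$TTL 1H
@                       SOA  localhost. root.localhost. 1 1h 15m 30d 2h
                        NS   localhost.

; NXDOMAIN rule: the client gets a (locally generated, unsigned) NXDOMAIN
; whether or not malware.example.com is DNSSEC-signed.
malware.example.com     CNAME .

; NOERROR/NODATA rule for the whole subtree: NOERROR with an empty answer.
*.spam.example.net      CNAME *.

; Walled-garden rule: redirect to a garden host (hypothetical).  A client
; that sent DO=1 and validates will fail validation on this rewritten
; answer and see an error rather than the garden page; the name is still
; blocked either way.
phish.example.org       CNAME garden.isp.example.
```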
