[RPZ] RPZ behavior in the presence of DNSSEC signatures and DO=1 queries

Bill Owens owens at nysernet.org
Tue Jan 3 14:32:01 UTC 2012

On Tue, Jan 03, 2012 at 01:10:13AM +0000, Vernon Schryver wrote:
> On the contrary, RPZ can be just as effective when DNSSEC is finally
> deployed as it is today.  As I tried to say before, RPZ would be
> useless snake oil in the tradition of SPF if it could be evaded by
> bad guys signing their zones.
>
> DNSSEC does nothing serious to RPZ by telling clients that RPZ filtering
> has occurred.  Web pages, mail messages, and everything else are blocked
> by RPZ NOERROR or NXDOMAIN rules whether the domain name owners sign
> their records or not.  RPZ filters that redirect users to walled gardens
> will either be more obvious because of browser warnings about DNSSEC
> validation failures or they will look like NXDOMAIN or NOERROR RPZ
> rules, also with browser warnings.

I suppose that depends on the application behavior in the presence of DNSSEC signature problems; I certainly can't predict what that will be. Within the last 24 hours there's been a discussion on another list I follow, suggesting that DNSSEC-enabling software ought to detect DNSSEC failures and attempt to 'route around' them.

There doesn't seem to be much difference between this argument and the one put forth by the pro-SOPA/PROTECT-IP camp, though. If an RPZ-capable resolver behaves exactly like the proposed DNS blocking for SOPA, I'm not sure how it is possible to favor one and oppose the other. . .
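The exchange above turns on what a DNSSEC-validating client ends up seeing when an RPZ resolver rewrites an answer for a signed name. The following is an added example, not code from this thread or from any RPZ implementation: a small Python model of one resolver and one validating stub. The domains, addresses and policy rules are constructed for illustration, and the `break_dnssec` knob is named after BIND's `break-dnssec` option but its behaviour here (leave signed data alone for DO=1 queries unless the knob is on) is an assumption of the model, not a description of any particular release.

```python
"""Model of RPZ rewriting as seen by a DNSSEC-validating stub (DO=1).

Added example for the DNSfirewalls thread; not code from the thread or
from BIND. All domains, addresses and rules below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, Union

# Constructed upstream data: address and whether the zone is DNSSEC-signed.
UPSTREAM: Dict[str, Tuple[str, bool]] = {
    "signed-bad.example":   ("198.51.100.10", True),
    "unsigned-bad.example": ("198.51.100.11", False),
    "signed-phish.example": ("198.51.100.12", True),
    "good.example":         ("198.51.100.13", True),
}

# Constructed RPZ policy covering the three rule shapes discussed above:
# NXDOMAIN, NODATA (NOERROR with empty answer) and a walled-garden CNAME.
Rule = Union[str, Tuple[str, str]]
RPZ_RULES: Dict[str, Rule] = {
    "signed-bad.example":   "NXDOMAIN",
    "unsigned-bad.example": "NODATA",
    "signed-phish.example": ("CNAME", "walledgarden.example"),
}


@dataclass(frozen=True)
class Response:
    rcode: str            # "NOERROR" or "NXDOMAIN"
    rdata: Optional[str]  # address / CNAME target, None for an empty answer
    signed: bool          # RRSIGs (or a signed denial of existence) present
    rewritten: bool       # True when RPZ replaced the upstream answer


def upstream_lookup(qname: str) -> Response:
    """What the authoritative servers would return, signed iff the zone is."""
    if qname in UPSTREAM:
        addr, signed = UPSTREAM[qname]
        return Response("NOERROR", addr, signed, False)
    return Response("NXDOMAIN", None, False, False)  # assumed unsigned parent


def apply_rpz(qname: str, upstream: Response, do_bit: bool,
              break_dnssec: bool) -> Response:
    """Resolver side. A rewritten answer cannot carry valid RRSIGs, so every
    rewrite is unsigned. Model assumption: with break_dnssec off, signed data
    requested with DO=1 is passed through untouched; with it on, policy wins."""
    rule = RPZ_RULES.get(qname)
    if rule is None:
        return upstream
    if do_bit and upstream.signed and not break_dnssec:
        return upstream
    if rule == "NXDOMAIN":
        return Response("NXDOMAIN", None, False, True)
    if rule == "NODATA":
        return Response("NOERROR", None, False, True)
    kind, target = rule
    assert kind == "CNAME"
    return Response("NOERROR", target, False, True)


def stub_outcome(qname: str, resp: Response, do_bit: bool) -> str:
    """Validating stub. With DO=1 it learns (via the DS chain, modelled here
    as a table lookup) that the zone is signed and treats unsigned data or an
    unsigned denial as bogus, which the application sees as a failure."""
    zone_signed = UPSTREAM.get(qname, ("", False))[1]
    if do_bit and zone_signed and not resp.signed:
        return "BOGUS"
    if resp.rcode == "NXDOMAIN":
        return "NXDOMAIN"
    if resp.rdata is None:
        return "NODATA"
    if resp.rewritten:
        return "REDIRECT:" + resp.rdata
    return "REACHED:" + resp.rdata


def resolve(qname: str, do_bit: bool = False, break_dnssec: bool = False) -> str:
    """Full path: upstream answer -> RPZ at the resolver -> validating stub."""
    resp = apply_rpz(qname, upstream_lookup(qname), do_bit, break_dnssec)
    return stub_outcome(qname, resp, do_bit)


if __name__ == "__main__":
    for name in UPSTREAM:
        for do_bit in (False, True):
            for brk in (False, True):
                print(f"{name:22} DO={int(do_bit)} break_dnssec={int(brk)} "
                      f"-> {resolve(name, do_bit, brk)}")
```

Running the table shows the two outcomes the thread argues about: with DO=1 and the policy not allowed to break DNSSEC, a signed malicious name is reached normally (the "evasion by signing" case), while with the knob on the client gets a validation failure instead of the walled garden, so the name is still blocked but the block is visible as a DNSSEC error rather than an NXDOMAIN.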

