[RPZ] RPZ behavior in the presence of DNSSEC signatures and DO=1 queries

Emanuele Balla (aka Skull) skull at bofhland.org
Tue Jan 3 14:58:56 UTC 2012

On 1/3/12 3:32 PM, Bill Owens wrote:

> I suppose that depends on the application behavior in the presence of
> DNSSEC signature problems; I certainly can't predict what that will
> be. Within the last 24 hours there's been a discussion on another
> list I follow, suggesting that DNSSEC-enabling software ought to
> detect DNSSEC failures and attempt to 'route around' them.
> There doesn't seem to be much difference between this argument and
> the one put forth by the pro-SOPA/PROTECT-IP camp, though. If an
> RPZ-capable resolver behaves exactly like the proposed DNS blocking
> for SOPA, I'm not sure how it is possible to favor one and oppose the
> other...

You're implicitly telling the list what the main difference is between
RPZ and SOPA/PIPA and any other similar approach in other
countries[1]: the first is a technology, the second is a policy.

Any policy (applied through RPZ or not, makes no difference) will be
effective as long as it's considered useful by the end-user, or he/she
will try to circumvent it...

And if he/she does, what will be the next move? Blocking port 53 to
non-authorized resolvers for all users?

[1] FWIW, DNS hijack on ISP resolvers imposed by LEAs has been in place
in Italy for years now, blocking (or at least trying) sites like
btjunkie. Obviously, it doesn't work:
Paranoia is a disease unto itself. And may I add: the person standing
next to you may not be who they appear to be, so take precaution.
