[RPZ] RPZ behavior in the presence of DNSSEC signatures and DO=1 queries
Emanuele Balla (aka Skull)
skull at bofhland.org
Tue Jan 3 14:58:56 UTC 2012
On 1/3/12 3:32 PM, Bill Owens wrote:
> I suppose that depends on the application behavior in the presence of
> DNSSEC signature problems; I certainly can't predict what that will
> be. Within the last 24 hours there's been a discussion on another
> list I follow, suggesting that DNSSEC-enabling software ought to
> detect DNSSEC failures and attempt to 'route around' them.
>
> There doesn't seem to be much difference between this argument and
> the one put forth by the pro-SOPA/PROTECT-IP camp, though. If an
> RPZ-capable resolver behaves exactly like the proposed DNS blocking
> for SOPA, I'm not sure how it is possible to favor one and oppose the
> other. . .
You're implicitly telling the list which is the main difference between
the RPZ and SOPA/PIPA and any other similar allroach in other
countries[1]: the first is a technology, the second is a policy.
Any policy (applied through RPZ or not, makes no difference) will be
effective as long as it's considered useful by the end-user, or he/she
will try to circumvent it...
And the he/she does, what will be the next move? Blocking port 53 to
non-authorized resolvers for all users?
[1] FWIW, DNS hijack on ISP resolvers imposed by LEAs has been in place
in Italy for years now, blocking (or at least trying) sites like
btjunkie. Obviously, it doesn't work:
http://translate.google.it/translate?hl=it&sl=it&tl=en&u=http%3A%2F%2Fbtjunkieitalia.com
--
Paranoia is a disease unto itself. And may I add: the person standing
next to you may not be who they appear to be, so take precaution.
-----------------------------------------------------------------------------
http://bofhskull.wordpress.com/
More information about the DNSfirewalls
mailing list