[RPZ] RPZ behavior in the presence of DNSSEC signatures and DO=1 queries

Bill Owens owens at nysernet.org
Tue Jan 3 15:27:29 UTC 2012

On Tue, Jan 03, 2012 at 03:58:56PM +0100, Emanuele Balla (aka Skull) wrote:
> On 1/3/12 3:32 PM, Bill Owens wrote:
> > I suppose that depends on the application behavior in the presence of
> > DNSSEC signature problems; I certainly can't predict what that will
> > be. Within the last 24 hours there's been a discussion on another
> > list I follow, suggesting that DNSSEC-enabling software ought to
> > detect DNSSEC failures and attempt to 'route around' them.
> > 
> > There doesn't seem to be much difference between this argument and
> > the one put forth by the pro-SOPA/PROTECT-IP camp, though. If an
> > RPZ-capable resolver behaves exactly like the proposed DNS blocking
> > for SOPA, I'm not sure how it is possible to favor one and oppose the
> > other. . .
> You're implicitly telling the list which is the main difference between
> the RPZ and SOPA/PIPA and any other similar approach in other
> countries[1]: the first is a technology, the second is a policy.

No, I wasn't trying to address the policy question. I think that Paul and other writers have done that handily - RPZ and SOPA have different use cases and motivations, and there are clear distinctions between them in that respect.

However, there has been a strong argument made against SOPA and other similar DNS blocking proposals on the basis that they break DNSSEC (which is absolutely true). Paul's comment on my small article from two months ago had said that RPZ did *not* break DNSSEC; I was surprised to find out that it does, at least in my testing. So my question is, speaking purely from a technical standpoint, whether that's the intended behavior of RPZ, or a bug, or a not-yet-implemented feature, or my misconfiguration.

I took that a bit further and said that if RPZ breaks DNSSEC, and SOPA breaks DNSSEC, it is difficult to argue *on that point* that one is good and the other evil. I'd rather see RPZ taking the high road, even if that means it will have limited effectiveness.

> Any policy (applied through RPZ or not, makes no difference) will be
> effective as long as it's considered useful by the end-user, or he/she
> will try to circumvent it...

Absolutely, and that point has also been made very effectively, though I don't think it has swayed the pro-SOPA side.

> And when he/she does, what will be the next move? Blocking port 53 to
> non-authorized resolvers for all users?

Perhaps, and that's just one more reason why we ought to fight against SOPA and other proposals of that ilk. No argument from me on that point!

FWIW, I clearly understand that RPZ is just another tool and that I am under no compulsion to use it - I almost certainly will not, but that doesn't mean I want to stop someone else from doing it. I'm just trying to understand how it's been implemented. . .
