[RPZ] RPZ behavior in the presence of DNSSEC signatures and DO=1 queries

Vernon Schryver vjs at rhyolite.com
Tue Jan 3 15:43:49 UTC 2012

> From: Bill Owens <owens at nysernet.org>

> I suppose that depends on the application behavior in the presence
> of DNSSEC signature problems; I certainly can't predict what that will
> be. Within the last 24 hours there's been a discussion on another list
> I follow, suggesting that DNSSEC-enabling software ought to detect
> DNSSEC failures and attempt to 'route around' them.

That makes as little sense to me as saying that firewalls are useless
because they can be turned off.  The primary beneficiary of RPZ
filtering is the owner of the system subject to RPZ filtering.  Why
waste time trying to use what you consider a broken DNS server when
others are easily configured?  Instead of using software that tries
other resolvers after an RPZ caused DNSSEC failure, system users
who object to RPZ would simply configure their systems to use DNS
resolvers that don't do RPZ filtering.

> There doesn't seem to be much difference between this argument and
> the one put forth by the pro-SOPA/PROTECT-IP camp, though. If an
> RPZ-capable resolver behaves exactly like the proposed DNS blocking
> for SOPA, I'm not sure how it is possible to favor one and oppose the
> other. . .

RPZ is for the benefit of the system owner while SOPA/PROTECT-IP is
for the benefit of third parties including the RIAA/MPAA/etc., consumer
ISPs trying to monetize their users' DNS and HTTP traffic, and the secret
police.  Should SOPA/PROTECT-IP be passed or governments try to mandate
the use of RPZ to benefit those same third parties (e.g. block port
53), and if the filtering is *not* done in authoritative servers (i.e.
registries), then "file sharing" related applications will appear that
tunnel their necessary DNS requests to unfiltered DNS servers.

The mechanisms used by bad guys to keep their botnets connected and
controlled work pretty well without the active and knowing cooperation
of the owners of infected systems.  They'd work quite well if system
users would configure new seed command-and-control IP addresses as

To say that in different words, I've done the obvious and configured
a VPN over port 443 so that my traveling computer can reach my
DNSSEC- and RPZ-aware resolver at home instead of the stupid (or evil)
DNS resolvers pushed through DHCP by hotels, ISPs, etc.

That's why I said that SOPA/PROTECT-IP would be done in the registries.
Even the RIAA/MPAA/etc. are smart enough to eventually notice their
need to filter on authoritative servers, and so eventually attack
the registries, including the roots.

Vernon Schryver    vjs at rhyolite.com
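As an added illustration of the behaviour this thread is about, not part of Vernon's message and not taken from any vendor documentation quoted here: a minimal BIND named.conf fragment that enables DNSSEC validation on a resolver alongside an RPZ zone, followed by the policy zone entries that produce the NXDOMAIN, NODATA and walled-garden rewrites. The zone name rpz.example.net, the filtered names, the 192.0.2.10 sinkhole address and the file paths are assumptions invented for the example, and a BIND release that supports the response-policy break-dnssec option is assumed. The option is shown in both settings so the trade-off argued above is visible: with break-dnssec no (BIND's default) the resolver does not apply RPZ to a DNSSEC-signed answer when the client asked with DO=1, so a validating client sees the real record and the filter is silently bypassed for that query; with break-dnssec yes the rewrite is applied anyway, and a validating client sees a DNSSEC failure for the filtered name rather than the substituted answer, which is the "RPZ caused DNSSEC failure" that Bill's application-behaviour question refers to.

```conf
// ---- file: named.conf (fragment) -- assumed example, not from the thread.
options {
    directory "/var/named";
    recursion yes;

    // Validate DNSSEC on the resolver itself.
    dnssec-validation auto;

    // Apply the local policy zone to recursive answers.
    // break-dnssec no (BIND's default): if the client sets DO=1 and the
    // answer is DNSSEC-signed, RPZ is NOT applied, so the client receives
    // the genuine, validatable answer and the filter is bypassed for it.
    // break-dnssec yes: rewrite regardless; a validating client then gets a
    // signature failure for filtered names instead of the rewritten answer.
    response-policy {
        zone "rpz.example.net";
    } break-dnssec no;
};

// Local copy of the policy zone; in practice this is often a slave zone
// transferred from a reputation feed rather than a hand-edited master.
zone "rpz.example.net" {
    type master;
    file "rpz.example.net.db";
    // The policy zone is an implementation detail of this resolver;
    // do not serve it to ordinary clients.
    allow-query { localhost; };
};

// ---- file: rpz.example.net.db -- assumed example policy zone.
// $TTL 300
// @                      IN SOA localhost. root.localhost. (
//                            2012010301 3600 900 604800 300 )
//                        IN NS  localhost.
//
// ; "CNAME ." is the RPZ encoding for "answer NXDOMAIN"; the wildcard
// ; entry covers every name below it as well.
// malware.example.com    CNAME .
// *.malware.example.com  CNAME .
//
// ; "CNAME *." is the RPZ encoding for NODATA (name exists, no records).
// tracker.example.com    CNAME *.
//
// ; Walled-garden rewrite: hand back a local sinkhole address (assumed).
// phish.example.com      A     192.0.2.10
```

The zone file lines are shown as comments only so that both files fit in one block; copy them out without the leading "//" when writing rpz.example.net.db. The practical check a resolver operator wants is the same either way: query a filtered name once with dig +dnssec and once without, from a client that validates, and confirm which of the two outcomes above the deployment has actually chosen.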

More information about the DNSfirewalls mailing list