[RPZ] Answering my own RPZ question

Jeff Chan jeffc at surbl.org
Fri Jan 6 11:28:21 UTC 2012

On Thursday, January 5, 2012, 11:20:32 AM, Paul Vixie wrote:

> no. dnssec really is a get-out-of-jail-free card for malicious domain
> names. [...]
> so, meanwhile, we'll use this "hole" in RPZ as an incentive to get
> more dnssec signing to happen, even if the signing is by bad people
> doing bad things with bad domains.

DNSSEC signing by bad guys (like SPF usage by bad guys) is a win
for the good guys since it helps identify bad guys.  If bad guy
keys can be identified, then their keys can be repudiated by the
good guys. 


Jeff C.
Jeff Chan
mailto:jeffc at surbl.org

More information about the DNSfirewalls mailing list