[RPZ] Answering my own RPZ question

Jeff Chan jeffc at surbl.org
Fri Jan 6 11:28:21 UTC 2012


On Thursday, January 5, 2012, 11:20:32 AM, Paul Vixie wrote:

> no. dnssec really is a get-out-of-jail-free card for malicious domain
> names. [...]
>  so, meanwhile, we'll use this "hole" in RPZ as an incentive to get
> more dnssec signing to happen, even if the signing is by bad people
> doing bad things with bad domains.

DNSSEC signing by bad guys (like SPF usage by bad guys) is a win
for the good guys since it helps identify bad guys.  If bad guy
keys can be identified, then their keys can be repudiated by the
good guys. 

Cheers,

Jeff C.
-- 
Jeff Chan
mailto:jeffc at surbl.org
http://www.surbl.org/

More information about the DNSfirewalls mailing list