[RPZ] Answering my own RPZ question

Emanuele Balla (aka Skull) skull at bofhland.org
Fri Jan 6 13:18:10 UTC 2012


On 1/6/12 12:28 PM, Jeff Chan wrote:
> On Thursday, January 5, 2012, 11:20:32 AM, Paul Vixie wrote:
> 
>> no. dnssec really is a get-out-of-jail-free card for malicious domain
>> names. [...]
>>  so, meanwhile, we'll use this "hole" in RPZ as an incentive to get
>> more dnssec signing to happen, even if the signing is by bad people
>> doing bad things with bad domains.
> 
> DNSSEC signing by bad guys (like SPF usage by bad guys) is a win
> for the good guys since it helps identify bad guys.  If bad guy
> keys can be identified, then their keys can be repudiated by the
> good guys. 

Except that bad guys can simply roll new keys, one for each
domain, the same way they currently do with anything else: it's not like
they need to buy some certificate from a CA, they can do everything on
their own at no cost.

How are you going to identify the bad guy based on something he can
choose and change at any time?

IMHO there's no difference from plain DNS in this respect...
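The point made above, that a zone owner's DNSSEC key is something the owner chooses and can change at no cost, can be seen in the two values a resolver or a blocklist would actually use to identify a key: the RFC 4034 key tag and the RFC 4509 SHA-256 DS digest. The following Python is an added example, not code from this thread or from any RPZ or DNSSEC implementation; the zone name, the random 32-byte stand-in for an Ed25519 public key, and the "known-bad DS" blocklist are all constructed for illustration (real key generation is left to a signer such as dnssec-keygen).

```python
"""Why a DNSSEC key is not a stable identifier for a zone owner (added example).

Builds the DNSKEY wire format (RFC 4034), computes the key tag (RFC 4034
Appendix B) and the SHA-256 DS digest (RFC 4509) for a zone, then rolls the
key a few times to show that a blocklist keyed on DS or key tag stops
matching as soon as the owner re-keys.
"""
import hashlib
import secrets

DIGEST_SHA256 = 2   # DS digest type (RFC 4509)
ALG_ED25519 = 15    # DNSKEY algorithm number (RFC 8080)
FLAGS_KSK = 257     # ZONE (256) | SEP (1)
PROTOCOL = 3        # always 3 for DNSSEC DNSKEY records


def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return flags.to_bytes(2, "big") + bytes([PROTOCOL, algorithm]) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, algorithm, public_key):
    """DS fields for a DNSKEY: digest = SHA-256(owner name wire | DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, algorithm, public_key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": DIGEST_SHA256, "digest": digest}


def fresh_public_key():
    """Stand-in for key generation (constructed): 32 random bytes in the
    shape of an Ed25519 public key. Only the DS/key-tag arithmetic is exercised."""
    return secrets.token_bytes(32)


def blocklist_hit(blocklist, ds):
    """The defender-side check: is this zone's current DS on the known-bad list?"""
    return (ds["key_tag"], ds["digest"]) in blocklist


def rekey_demo(owner, rolls=3):
    """Blocklist the zone's first DS, roll the key `rolls` times, and count
    how many of the rolled keys the old entry still matches (expected: 0)."""
    first = ds_record(owner, FLAGS_KSK, ALG_ED25519, fresh_public_key())
    blocklist = {(first["key_tag"], first["digest"])}
    hits = 0
    for _ in range(rolls):
        current = ds_record(owner, FLAGS_KSK, ALG_ED25519, fresh_public_key())
        hits += blocklist_hit(blocklist, current)
    return {"blocklisted_digest": first["digest"], "rolls": rolls,
            "hits_after_rekey": hits}


if __name__ == "__main__":
    # "malicious.example" is a constructed name under the RFC 2606 reserved TLD.
    print(rekey_demo("malicious.example.", rolls=5))
```

Everything that goes into the DS digest is under the zone owner's control (the name they registered and the key they generated), so each roll produces a fresh key tag and digest with no link to the previous one; the 16-bit key tag is also not unique on its own, so it cannot serve as an identifier even without a roll.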




More information about the DNSfirewalls mailing list