[RPZ] Answering my own RPZ question
SM
sm at resistor.net
Fri Jan 6 15:17:22 UTC 2012
Hi Jeff,
At 03:28 06-01-2012, Jeff Chan wrote:
>DNSSEC signing by bad guys (like SPF usage by bad guys) is a win
>for the good guys since it helps identify bad guys. If bad guy
>keys can be identified, then their keys can be repudiated by the
>good guys.
I beg to differ. Assuming that isc.org is the bad guy, it is
currently technically possible to drop that domain. It is possible
to do that on a large scale if there are sufficient subscribers to a
DROP feed. I doubt that many people would care for the really bad
guys. It might be contentious for the bad guys (some of the content
from isc.org is of value). There are the good guys which are used as
a channel by the bad guys. The cost of dropping them is high.
Regards,
-sm