[RPZ] Answering my own RPZ question

SM sm at resistor.net
Fri Jan 6 15:17:22 UTC 2012

Hi Jeff,
At 03:28 06-01-2012, Jeff Chan wrote:
>DNSSEC signing by bad guys (like SPF usage by bad guys) is a win
>for the good guys since it helps identify bad guys.  If bad guy
>keys can be identified, then their keys can be repudiated by the
>good guys.

I beg to differ.  Assuming that isc.org is the bad guy, it is 
currently technically possible to drop that domain.  It is possible 
to do that on a large scale if there are sufficient subscribers to a 
DROP feed.  I doubt that many people would care for the really bad 
guys.  It might be contentious for the bad guys (some of the content 
from isc.org) is of value.  There are the good guys which are used as 
a channel by the bad guys.  The cost of dropping them is high.


More information about the DNSfirewalls mailing list