[RPZ] Answering my own RPZ question

Paul Vixie vixie at isc.org
Fri Jan 6 18:34:10 UTC 2012

On 1/6/2012 6:07 PM, Bill Owens wrote:
> FWIW I agree completely, and am very happy to see that statement. But I don't think everyone will agree, and in fact I have a suspicion that what you're describing will be the direction OpenDNS goes. They have solidly established their dislike of DNSSEC but have said that they'll support it when it is established within the DNS community. I've always doubted that commitment because they face the same problem; if their users started to try to validate answers, the OpenDNS policy filtering would break down. 

i think opendns's position is more subtle than you're describing. here's
what i wrote about this the other day:

On 1/5/2012 7:20 PM, Paul Vixie wrote:
> ... we'll fix this some day, probably by adding a new EDNS option to
> allow a stub to signal its desire for policy information, and the
> recursive would return the truth, the dnssec metadata that validates
> the truth, and a signed indication of what the policy based answer
> would be. this will require SIG(0) signalling since servers do not
> otherwise have signing keys. and it's a long term project that will
> have to involve IETF. ...

this is work that opendns and google should be sponsoring and
participating in, since it will allow them to offer value added services
to known subscribers.


More information about the DNSfirewalls mailing list