[RPZ] Answering my own RPZ question

Bill Owens owens at nysernet.org
Tue Jan 10 18:43:29 UTC 2012

On Fri, Jan 06, 2012 at 06:34:10PM +0000, Paul Vixie wrote:
> i think opendns's position is more subtle than you're describing. here's
> what i wrote about this the other day:
> On 1/5/2012 7:20 PM, Paul Vixie wrote:
> > ... we'll fix this some day, probably by adding a new EDNS option to
> > allow a stub to signal its desire for policy information, and the
> > recursive would return the truth, the dnssec metadata that validates
> > the truth, and a signed indication of what the policy based answer
> > would be. this will require SIG(0) signalling since servers do not
> > otherwise have signing keys. and it's a long term project that will
> > have to involve IETF. ...
> this is work that opendns and google should be sponsoring and
> participating in, since it will allow them to offer value added services
> to known subscribers.

I read that article, and my first reaction to the excerpted paragraph was that it sounded a bit overcomplex. Would it be reasonable for the filtering resolver to default to returning the policy-based answer in this situation, without additional signalling? In other words, overload DO=1 to indicate both "I want DNSSEC records" and "I want policy-based answers, if any"?

We'd run the risk of confusing queriers that aren't upgraded to understand the presence of filtering, although since the policy-based answer will be returned without a signature, I think they'd naturally distrust it. And once the querier is equipped to understand the difference there's still the matter of making sure that the resolver's answer is trusted, presumably with SIG(0) (or DNSCrypt ;) but that's already something that is described in the standards. Or is my ignorance of the internals of query processing causing me to oversimplify something that in fact needs to be complex?
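As an added illustration, not part of this message or of any RPZ implementation: a toy Python model of the two schemes under discussion. HMAC over constructed records stands in for the zone's RRSIG and the resolver's SIG(0), and the names, keys and addresses are made up; it shows why a validating stub rejects an unsigned policy-based answer as bogus (and cannot tell that rejection apart from a forgery), while a signed policy indication alongside the validated truth lets it distinguish the two.

```python
"""Toy model of the exchange discussed above (constructed example).

HMAC with shared keys stands in for RRSIG (zone key) and SIG(0)
(resolver key); real DNSSEC uses public-key signatures, but the
validation outcomes a stub sees are the same. Names and keys are made up.
"""
import hashlib
import hmac

ZONE_KEY = b"zone-key"          # stands in for the zone's DNSKEY
RESOLVER_KEY = b"resolver-key"  # stands in for the resolver's SIG(0) key
TRUTH = {"example.test.": "192.0.2.10", "good.test.": "192.0.2.20"}  # signed zone data
POLICY = {"example.test.": "192.0.2.250"}  # RPZ rewrite (walled-garden address)


def sign(key, rr, rdata):
    return hmac.new(key, f"{rr} A {rdata}".encode(), hashlib.sha256).hexdigest()


def resolver(qname, do, policy_opt=False):
    """Filtering recursive resolver: return an A answer for qname."""
    truth = TRUTH[qname]
    answer = {"rr": qname, "rdata": truth, "rrsig": sign(ZONE_KEY, qname, truth) if do else None}
    if qname not in POLICY:
        return answer
    if do and policy_opt:
        # Vixie's scheme: truth + RRSIG plus a separately signed policy indication
        answer["policy"] = POLICY[qname]
        answer["policy_sig"] = sign(RESOLVER_KEY, qname, POLICY[qname])
        return answer
    # Overloaded DO=1 (and today's RPZ): rewrite the answer; no RRSIG
    # from the zone can cover the rewritten rdata, so none is returned
    return {"rr": qname, "rdata": POLICY[qname], "rrsig": None}


def stub_validate(answer):
    """Validating stub: classify what came back."""
    rr, rdata, rrsig = answer["rr"], answer["rdata"], answer.get("rrsig")
    if rrsig is None or not hmac.compare_digest(rrsig, sign(ZONE_KEY, rr, rdata)):
        return "bogus"  # filtered or forged: the stub cannot tell which
    if "policy" in answer:
        good = hmac.compare_digest(answer["policy_sig"], sign(RESOLVER_KEY, rr, answer["policy"]))
        return "secure+policy" if good else "secure+bad-policy-sig"
    return "secure"


if __name__ == "__main__":
    print(stub_validate(resolver("good.test.", do=True)))                      # secure
    print(stub_validate(resolver("example.test.", do=True)))                   # bogus
    print(stub_validate(resolver("example.test.", do=True, policy_opt=True)))  # secure+policy
```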
