[RPZ] Promoting RPZ: feedback request

Vernon Schryver vjs at rhyolite.com
Fri Jun 28 03:30:44 UTC 2013

> From: "Patrick, Robert (CONTR)" <Robert.Patrick at hq.doe.gov>

> ...waiting on RPZ in BIND to support DNSSEC-signed domains, in that
> operators need an (optional) method to prevent users/customers from
> accessing signed domains that are being used for nefarious purposes.

I don't understand.  Could you restate that?

> I understood the original implementation does not intercept/block/filter
> any domain that is DNSSEC-signed.

Until the optional "recursive-only yes" phrase was added to the
"response-policy{}" statement, RPZ would affect only unsigned responses.
Server operators who want to rewrite DNSSEC signed responses can
now do so by adding "break-dnssec yes;".

Look for the RPZ related occurrences of "break-dnssec" in a current
copy of the BIND Administrators Reference Manual (ARM), such as
or follow links on https://dnsrpz.info/

With "break-dnssec yes;", DNSSEC responses are rewritten but without
RRSIG records because rewritten responses cannot be signed.  As far
as DNSSEC is concerned, rewritten results are forged abominations.
That fits the main purpose of RPZ, because DNS clients asking for
signed records and getting and discarding unsigned, rewritten records
will not go to the evil web site because they can't get the signed IP
evil address, refuse mail from the spammer because the SMTP envelope
Mail_From domain apparently has no signed records, and so forth.

I don't remember when "response-policy{}" appeared in patches or
in released versions of BIND, but I think it's been more than a year.

I don't have a strong opinion but generally think that "break-dnssec no"
is the right default.  The DNS should deliver only Truth except where
individual users represented by recursive server operators decide to
lie to themselves.  It must not lie about lying (e.g. by signing
rewritten responses, if that were possible, which it isn't).  Users
who find that their recursive server operator lies too much (has too
many or the wrong RPZ records) should change recursive servers.

> If RPZ is going to allow DNSSEC-signed domains to bypass the blocking
> process, manual blocking by the operator is still required, yes?

If that is a question not answered by "use 'break-dnssec yes;'",
could you restate it?

Vernon Schryver    vjs at rhyolite.com
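The configuration the reply refers to, written out as an added example (this is not part of the original message and not taken from the BIND ARM): a named.conf "response-policy{}" statement shown with the default "break-dnssec no" beside the "break-dnssec yes" variant, plus a minimal RPZ zone. The zone name "rpz.local" and the blocked name "malicious.example" are constructed placeholders.

```conf
// ---- named.conf (options section) -- added example, not from the post ----
options {
    // The default: RPZ policy is applied only to responses that are NOT
    // DNSSEC-signed.  A signed domain listed in the RPZ zone passes through
    // untouched, which is the behaviour the quoted question is about.
    response-policy { zone "rpz.local"; } recursive-only yes break-dnssec no;

    // The variant the reply recommends: the same zone, but signed responses
    // are rewritten too.  Rewritten answers carry no RRSIG records (they
    // cannot be signed by the rewriting server), so a validating client
    // will discard them rather than use the original signed address.
    // response-policy { zone "rpz.local"; } recursive-only yes break-dnssec yes;
};

// The RPZ zone itself.  "allow-query" keeps the policy zone private;
// clients never need to query it directly.
zone "rpz.local" {
    type master;
    file "/etc/bind/db.rpz.local";   // placeholder path
    allow-query { none; };
};

; ---- /etc/bind/db.rpz.local -- constructed RPZ zone, added example ----
$TTL 300
@               SOA  localhost. root.localhost. ( 1 3600 900 604800 300 )
@               NS   localhost.

; CNAME to the root name (".") is the RPZ action for NXDOMAIN.
malicious.example       CNAME .
*.malicious.example     CNAME .
```

After reloading, "dig +dnssec malicious.example" against the server shows the rewritten NXDOMAIN without RRSIG records; with "break-dnssec no" and a signed "malicious.example" the original signed answer is returned instead, so operators who want signed domains covered need the "break-dnssec yes" form.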

More information about the DNSfirewalls mailing list