[RPZ] Promoting RPZ: feedback request

Vernon Schryver vjs at rhyolite.com
Fri Jun 28 17:39:42 UTC 2013

> From: Fred Morris <m3047 at m3047.net>

> > who find that their recursive server operator lies too much (has too
> > many or the wrong RPZ records) should change recursive servers.
> Or run their own. ;-)

yes, but only given the perseverance and interest in technical mumbo
jumbo required to avoid an open (and so abusive) recursive server
and to monitor, maintain, and update the daemon.

> BIND really doesn't lie, it tells you exactly what's going on, just look
> at the SOA in the Authority section:

I agree with critics of RPZ who complain that the results of response
policy rewrites are DNS lies.  I think they are open and above board
lies, because of that SOA.  I also think that when used properly, RPZ
DNS lies are less harmful than the corresponding DNS truths.  However,
they are willful and knowing attempts to cause DNS clients to "believe"
something "known" by the DNS server to be wrong.  According to my rule
book, that's a lie.

It is important to avoid euphemisms for DNS lies given the ugly history
of DNS lies with base or evil motives and bad effects for users
(e.g. NXDOMAIN squatting and man-in-the-middle security attacks).

Vernon Schryver    vjs at rhyolite.com

More information about the DNSfirewalls mailing list