[DNSfirewalls] Fwd: New Version Notification for
vjs at rhyolite.com
Sun Nov 6 16:37:10 UTC 2016
> From: Eric Ziegast <ziegast at fsi.io>
> To: dnsfirewalls at lists.redbarn.org
I apologize for not responding to Eric's message before now.
> 1. Precedence.... Y'all say:
The Precedence Rules are in their own section in the -02 version
of the draft (which is at temporarily at
until the I-D submission tool reopens after the IETF meeting.)
There is more text about the "Name Length" rule, and wildcards are
now explicitly mentioned. Your comments on it would be welcome.
> Eg: I might want to pass-through TCL.TK and *.TCL.TK,
> but still point *.TK through a walled garden.
These do that:
tcl.tk cname rpz-passthru.
*.tcl.tk cname rpz-passthru.
*.tk cname walled.example.com.
> 2. I don't understand what "qname-wait-recurse" in the
> Security Considerations section is. Is that a specific
> option/implementation in BIND? Does that sentence need
> need rephrasing?
Please consider the new paragraph in Section 5 of the -02 draft
> 3. Forwarders.... Y'all state:
> RPZ merely formalizes and facilitates modifying DNS data on
> its way from DNS authority servers to clients.
> I think this might need some elaboration. In it's simplest
Is the addtional text about RD=0/1 in Section 5 of the -02 draft enough?
It doesn't mention forwarders avoid needing to define that class
of DNS servers. Do forwarders set RD=1? I assume so, but that seems
like something beyond the scope of an RPZ RFC.
> 4. DNSSEC vs RPZ.... I see:
Are the additional words in Section 5 and Section 10 good enough?
Vernon Schryver vjs at rhyolite.com
More information about the DNSfirewalls