[DNSfirewalls] Fwd: New Version Notification for
Vernon Schryver
vjs at rhyolite.com
Sun Nov 6 16:37:10 UTC 2016
> From: Eric Ziegast <ziegast at fsi.io>
> To: dnsfirewalls at lists.redbarn.org
I apologize for not responding to Eric's message before now.
> 1. Precedence.... Y'all say:
> ...
The Precedence Rules are in their own section in the -02 version
of the draft (which is temporarily at
https://www.rhyolite.com/temp/draft-vixie-dns-rpz-02.txt
until the I-D submission tool reopens after the IETF meeting.)
There is more text about the "Name Length" rule, and wildcards are
now explicitly mentioned. Your comments on it would be welcome.
> Eg: I might want to pass-through TCL.TK and *.TCL.TK,
> but still point *.TK through a walled garden.
These do that:
tcl.tk cname rpz-passthru.
*.tcl.tk cname rpz-passthru.
*.tk cname walled.example.com.
> 2. I don't understand what "qname-wait-recurse" in the
> Security Considerations section is. Is that a specific
> option/implementation in BIND? Does that sentence need
> rephrasing?
Yes.
Please consider the new paragraph in Section 5 of the -02 draft.
> 3. Forwarders.... Y'all state:
>
> RPZ merely formalizes and facilitates modifying DNS data on
> its way from DNS authority servers to clients.
>
> I think this might need some elaboration. In its simplest
> ...
Is the additional text about RD=0/1 in Section 5 of the -02 draft enough?
It doesn't mention forwarders, to avoid needing to define that class
of DNS servers. Do forwarders set RD=1? I assume so, but that seems
like something beyond the scope of an RPZ RFC.
> 4. DNSSEC vs RPZ.... I see:
> ...
Are the additional words in Section 5 and Section 10 good enough?
Vernon Schryver vjs at rhyolite.com
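The three RPZ records given above for the TCL.TK case can be checked against a small model of QNAME-trigger selection. This is an added example, not text from the draft or from either poster; it assumes the draft's "Name Length" rule works as described here (an exact owner name matches only that name, a "*." owner matches proper subdomains only, and the most specific matching trigger wins), and the zone contents are constructed.

```python
# Added example (not from the draft or the list post): a minimal model of
# RPZ QNAME-trigger selection under the "Name Length" precedence rule,
# applied to the three records given for the TCL.TK pass-through case.
# Assumed rule: an exact trigger matches only that name, a "*." trigger
# matches proper subdomains only, and the most specific match wins.

from typing import Dict, Iterator, Optional

# Constructed RPZ zone contents: owner name -> CNAME policy target.
RPZ_QNAME_TRIGGERS: Dict[str, str] = {
    "tcl.tk.": "rpz-passthru.",
    "*.tcl.tk.": "rpz-passthru.",
    "*.tk.": "walled.example.com.",
}


def _canon(name: str) -> str:
    """Lower-case the name and make it absolute so lookups are consistent."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def candidate_triggers(qname: str) -> Iterator[str]:
    """Owner names that could match qname, most specific first: the exact
    name, then "*.<ancestor>" for each ancestor from longest to shortest."""
    qname = _canon(qname)
    labels = qname.rstrip(".").split(".")
    yield qname                       # exact match, e.g. "tcl.tk."
    for i in range(1, len(labels)):   # wildcards, e.g. "*.tcl.tk.", "*.tk."
        yield "*." + ".".join(labels[i:]) + "."


def select_policy(qname: str,
                  triggers: Dict[str, str] = RPZ_QNAME_TRIGGERS) -> Optional[str]:
    """Return the CNAME target of the winning QNAME trigger, or None when no
    trigger matches (the response is left alone)."""
    for trig in candidate_triggers(qname):
        if trig in triggers:          # first hit is the longest matching name
            return triggers[trig]
    return None


if __name__ == "__main__":
    for q in ("tcl.tk", "www.tcl.tk", "foo.tk", "example.org"):
        print(f"{q:12} -> {select_policy(q)}")
```

Dropping the "*.tcl.tk" record from the zone sends www.tcl.tk to the walled garden via "*.tk", which is why both pass-through lines are needed.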