[DNSfirewalls] Fwd: New Version Notification for draft-vixie-dns-rpz-00.txt

Ray Bellis ray at isc.org
Wed Oct 12 11:05:50 UTC 2016

On 11/10/2016 19:54, Paul Vixie wrote:

> vernon and i would appreciate feedback from close reading by operators
> and implementers of rpz-as-it-exists-today. either here, or on the ietf
> DNS related mailing list shown below.

As previously discussed off-list, we think there's a use case for
providing pass-thru / override on a per-RR basis.

At the moment if there's a record for a particular RRtype in RPZ then
this overrides the real answer, but you then get NODATA for the RRtypes
that don't exist in the RPZ zone.

Whilst this could potentially be achieved by having the DNS server
support falling-through to a second RPZ zone if the first RPZ lookup
results in a NODATA response, we'd rather see a standardised RR-based
method to achieve this within a single RPZ.
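To make the behaviour described above concrete, here is an added Python model (not code from this thread, from ISC, or from any RPZ implementation) of how a rule carrying one RRtype yields NODATA for the others, and how falling through to a second RPZ zone changes that. It assumes constructed zone data keyed by QNAME and uses the RPZ passthru action, `CNAME rpz-passthru.`, for the second zone.

```python
# Toy model of the RPZ local-data semantics described in the message.
# Constructed sample data; not from any resolver or RPZ implementation.
NODATA = "NODATA"

# Answers the resolver would return without any policy (constructed).
REAL = {
    "bad.example.": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"],
                     "MX": ["10 mx.example."]},
    "good.example.": {"A": ["192.0.2.20"]},
}

# Two constructed RPZ zones, keyed by the triggering QNAME (real RPZ
# zones encode the trigger as qname + zone apex; omitted for brevity).
# The first rewrites only the A RRset; the second is the "second RPZ
# zone" of the message, using the RPZ passthru action (CNAME rpz-passthru.).
RPZ_PRIMARY = {"bad.example.": {"A": ["192.0.2.99"]}}
RPZ_FALLBACK = {"bad.example.": {"CNAME": ["rpz-passthru."]}}


def resolve(qname, qtype, rpz_zones, fallthrough=False):
    """Return the RRset (list of rdata strings) or NODATA after policy.

    Current behaviour (fallthrough=False): the first zone holding a rule
    for qname decides. Local data for qtype replaces the real RRset; any
    RRtype absent from the rule yields NODATA, which is the problem the
    message raises. With fallthrough=True a NODATA outcome defers to the
    next zone, the workaround the message mentions.
    """
    deferred = False
    for zone in rpz_zones:
        rule = zone.get(qname)
        if rule is None:
            continue  # this zone has no policy for qname
        if rule.get("CNAME") == ["rpz-passthru."]:
            return REAL.get(qname, {}).get(qtype, NODATA)  # real answer
        if qtype in rule:
            return rule[qtype]  # local data overrides the real RRset
        if not fallthrough:
            return NODATA  # rule exists, but holds no RR of this type
        deferred = True  # NODATA here; let a later zone decide
    if deferred:
        return NODATA  # no later zone answered
    return REAL.get(qname, {}).get(qtype, NODATA)  # no policy matched


if __name__ == "__main__":
    print(resolve("bad.example.", "A", [RPZ_PRIMARY]))   # ['192.0.2.99']
    print(resolve("bad.example.", "MX", [RPZ_PRIMARY]))  # NODATA
    print(resolve("bad.example.", "MX", [RPZ_PRIMARY, RPZ_FALLBACK], True))
```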
