[DNSfirewalls] Fwd: New Version Notification for draft-vixie-dns-rpz-00.txt

Paul Vixie paul at redbarn.org
Wed Oct 12 12:38:16 UTC 2016



Ray Bellis wrote:
> On 11/10/2016 19:54, Paul Vixie wrote:
>
>> vernon and i would appreciate feedback from close reading by operators
>> and implementers of rpz-as-it-exists-today. either here, or on the ietf
>> DNS related mailing list shown below.
>
> As previously discussed off-list, we think there's a use case for
> providing pass-thru / override on a per-RR basis.

and i agree, as i did off-list, that this sounds useful. however, we'd 
like to get the existing spec clean and clear so we have something to 
build upon.

>
> At the moment if there's a record for a particular RRtype in RPZ then
> this overrides the real answer, but you then get NODATA for the RRtypes
> that don't exist in the RPZ zone.
>
> Whilst this could potentially be achieved by having the DNS server
> support falling-through to a second RPZ zone if the first RPZ lookup
> results in a NODATA response, we'd rather see a standardised RR-based
> method to achieve this within a single RPZ.

yes, agreed.

-- 
P Vixie
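As an added illustration (not part of the thread, and not any resolver's real code), a small Python model of the override semantics Ray describes: a QNAME trigger in the policy zone replaces the whole real answer for that name, so any RRtype absent from the policy entry is answered NODATA instead of being passed through. The real data, the policy zone "rpz.local" and its contents are constructed sample values.

```python
from typing import Dict, List, Tuple, Union

# name -> {rrtype: [rdata, ...]}
RRsets = Dict[str, Dict[str, List[str]]]
Answer = Union[List[str], str]

NODATA = "NODATA"      # name exists, but no records of the asked type
NXDOMAIN = "NXDOMAIN"  # name does not exist at all

# Constructed "real" answers the resolver would return without any policy.
REAL: RRsets = {
    "bad.example": {"A": ["192.0.2.10"], "MX": ["10 mail.bad.example."]},
    "good.example": {"A": ["198.51.100.5"]},
}

# Constructed policy zone. QNAME triggers are owner names beneath the
# policy zone apex; a local-data action carries ordinary RRsets.
RPZ_APEX = "rpz.local"
RPZ: RRsets = {
    # walled-garden A record only: no MX (or any other type) is listed
    "bad.example." + RPZ_APEX: {"A": ["192.0.2.99"]},
}


def resolve(qname: str, qtype: str,
            real: RRsets = REAL, rpz: RRsets = RPZ) -> Tuple[str, Answer]:
    """Return (source, answer) for a query under current RPZ semantics.

    source is "rpz" when a policy trigger matched, otherwise "real".
    answer is a list of rdata strings, or NODATA / NXDOMAIN.
    """
    trigger = qname + "." + RPZ_APEX
    if trigger in rpz:
        # Policy hit: the entry's local data is the complete answer for
        # qname. An RRtype with no local data gets NODATA even though the
        # real zone may hold records of that type (the MX case below).
        return ("rpz", rpz[trigger].get(qtype, NODATA))
    if qname not in real:
        return ("real", NXDOMAIN)
    return ("real", real[qname].get(qtype, NODATA))


if __name__ == "__main__":
    for name, qtype in (("bad.example", "A"), ("bad.example", "MX"),
                        ("good.example", "A"), ("good.example", "MX")):
        print(name, qtype, "->", resolve(name, qtype))
```

The second query shows the behaviour under discussion: the real MX record for bad.example is lost once the A record is overridden, which is what a per-RR pass-through mechanism would have to address.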