[DNSfirewalls] Fwd: New Version Notification for draft-vixie-dns-rpz-00.txt
Vernon Schryver
vjs at rhyolite.com
Wed Oct 12 21:18:19 UTC 2016
> To: dnsfirewalls at lists.redbarn.org
> From: Anne Bennett <anne at encs.concordia.ca>
> Just more very minor nits:
thanks!
I think they are not merely minor.
> "... ignore DNSSEC. The result of "BREAK-DNSSEC" at DNS
> clients using DNSSEC is functionally similar to an RPZ
> NXDOMAIN policy action;"
>
> I'm not at all sure I understand the above sentence
> correctly, but if I do, then I suggest:
>
> "... ignore DNSSEC for RPZ-modified queries even if otherwise
> configured to use DNSSEC; thus, the result of such a configuration
> is functionally similar to an RPZ NXDOMAIN policy action:"
>
> ... and if I don't understand correctly, perhaps some other
> clarification would be in order?
The idea is that any changes by anything including RPZ break DNSSEC
verification. Connecting to a web page using an A RRset that has DNSSEC
records but that has been modified by RPZ seems likely to result in
the browser showing something like
"could not resolve www.example.com; try again?"
Do you have a suggestion for a better way to say that?
> The HTML-ized version incorrectly (I think) further indents
> lines starting with "; do not rewrite OK.DOMAIN.COM (so, PASSTHRU)".
Unless there is something I could do in the XML source,
I think that's an issue for maintainers of xml2rfc.
thanks again,
Vernon Schryver vjs at rhyolite.com
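A configuration sketch of the two settings discussed above, added here as an illustration and not part of the draft or of either message in this thread. It uses BIND 9 response-policy syntax as an assumption; the policy zone name "rpz.local" and the example hostnames are constructed.

```text
# named.conf fragment (BIND 9 syntax assumed for illustration)
options {
    dnssec-validation auto;

    # Default: BREAK-DNSSEC off.  When the client asked for DNSSEC
    # (DO bit set) and the answer carries signatures, the signed
    # A RRset for a listed name is returned unchanged; the policy
    # zone is consulted only for unsigned data.
    response-policy { zone "rpz.local"; } break-dnssec no;

    # Alternative: BREAK-DNSSEC on.  The rewrite is applied regardless
    # of DNSSEC.  A validating client sees a modified RRset whose
    # signatures no longer verify and discards it, so the user gets
    # a failure that looks like the NXDOMAIN policy action rather
    # than the rewritten answer.
    # response-policy { zone "rpz.local"; } break-dnssec yes;
};

zone "rpz.local" {
    type master;
    file "rpz.local.db";
};

# rpz.local.db (constructed policy zone)
$TTL 300
@                   IN SOA  localhost. root.localhost. ( 1 3600 600 86400 300 )
                    IN NS   localhost.
; NXDOMAIN policy action for a listed name
bad.example.com     CNAME   .
; PASSTHRU policy action: listed, but explicitly not rewritten
ok.example.com      CNAME   rpz-passthru.
```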