[DNSfirewalls] Fwd: New Version Notification for draft-vixie-dns-rpz-00.txt

Vernon Schryver vjs at rhyolite.com
Wed Oct 12 21:18:19 UTC 2016

> To: dnsfirewalls at lists.redbarn.org
> From: Anne Bennett <anne at encs.concordia.ca>

> Just more very minor nits:

I think they are not merely minor.

>   "... ignore DNSSEC.  The result of "BREAK-DNSSEC" at DNS
>   clients using DNSSEC is functionally similar to an RPZ
>   NXDOMAIN policy action;"
>     I'm not at all sure I understand the above sentence
>     correctly, but if I do, then I suggest:
>   "... ignore DNSSEC for RPZ-modified queries even if otherwise
>   configured to use DNSSEC; thus, the result of such a configuration
>   is functionally similar to an RPZ NXDOMAIN policy action:"
>     ... and if I don't understand correctly, perhaps some other
>     clarification would be in order?

The idea is that any changes by anything including RPZ break DNSSEC
verification.  Connecting to a web page using an A RRset that has DNSSEC
records but that has been modified by RPZ seems likely to result in
the browser showing something like
"could not resolve www.example.com; try again?"

Do you have a suggestion for a better way to say that?

>   The HTML-ized version incorrectly (I think) further indents
>   lines starting with "; do not rewrite OK.DOMAIN.COM (so, PASSTHRU)".

Unless there is something I could do in the XML source,
I think that's an issue for maintainers of xml2rfc.

thanks again,
Vernon Schryver    vjs at rhyolite.com
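For readers who have not deployed RPZ, here is an added illustration (not from the draft, and not part of this thread) of how the BREAK-DNSSEC choice and the NXDOMAIN/PASSTHRU actions discussed above appear in a BIND 9 configuration; the zone name `rpz.local`, the file path and the owner names are assumed placeholders:

```conf
// named.conf (excerpt) -- assumed example configuration, not the draft's own
options {
    dnssec-validation auto;

    // With "break-dnssec no" (the default), answers that were requested with
    // DO=1 and that carry DNSSEC records are left untouched, so a validating
    // client still receives the original, verifiable RRset and the policy is
    // simply not applied for it.  With "break-dnssec yes" the rewrite is done
    // anyway; a client that validates DNSSEC itself then rejects the modified
    // RRset, which to the user looks much like the NXDOMAIN action.
    response-policy {
        zone "rpz.local";
    } break-dnssec yes;
};

zone "rpz.local" {
    type master;
    file "/var/named/rpz.local.db";   // assumed path
};

// ---- /var/named/rpz.local.db (zone file syntax; ';' starts a comment) ----
// $TTL 300
// @   SOA  localhost. root.localhost. ( 1 3600 900 604800 300 )
// @   NS   localhost.
// ; NXDOMAIN action: a CNAME to "." makes the resolver answer NXDOMAIN, and
// ; for a validating client the rewritten answer fails DNSSEC verification.
// www.example.com     CNAME .
// ; do not rewrite ok.domain.com (so, PASSTHRU): the answer passes unchanged.
// ok.domain.com       CNAME rpz-passthru.
```

The zone file is shown inside comments only so that both pieces fit in one block; copy those lines without the leading `// ` into the file named in the `zone` statement.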
