[DNSfirewalls] rpz firewall + whitelisting

Vernon Schryver vjs at rhyolite.com
Wed Aug 28 15:19:07 UTC 2019


> From: Paul Vixie <paul at redbarn.org>

> ...
> we could institute a change whereby a match on an empty nonterminal name has 
> the same effect (search for a wildcard; consider moving on to the next policy 
> zone) as a nonexistent name would have. ...

> i think the BIND9 native, and the FastRPZ, implementations of the RPZ spec 
> could easily be changed to log warnings about empty non-terminals.

I disagree strongly about "easily".  The current BIND9 native RPZ
code uses the main BIND9 database lookup code.  Doing anything
different just for the RPZ database lookups would not be easy.

Changing FastRPZ to optionally do non-DNS-style lookups could be
done for definitions of "easily" that some might find surprising,
but how would you maintain protocol compatibility?  A zone from a
publisher would be interpreted by the old non-terminal rules at some
of the publisher's customers and by the new, optional (signalled
how?) rules at other customers.  As a result, RPZ actions would
differ depending on the site.


>                                                        ... an RPZ generator 
> would iteratively generate a "trigger action" rule for an owner name and 
> label-strip. ...

A generator sounds more tractable.


Have the "Per-Zone Action Overrides" in section 6.1 of
https://www.ietf.org/archive/id/draft-ietf-dnsop-dns-rpz-00.txt
been considered?
Could you put the few explicit records in one policy zone
and whatever should be done for the empty non-terminals in
a second zone but with a per-zone override?
Or with a single covering wildcard?


Vernon Schryver    vjs at rhyolite.com
