> IMHO (and I am really nobody) THIS IS WRONG! BAD BAD BAD! You're giving
> companies the ability to selectively lie about DNS without the end user knowing it

Unless DNSSEC is in use, in which case the end user can figure it out, so RPZ doesn't bother lying.

(I've wished before that there were some EDNS(0) options that could indicate "this answer has been changed due to local resolver policy" in a response, or "seriously: do not lie to me" in a request, but it's hard to see how there'd be any enforcement or verification mechanism for these, whereas DNSSEC already has all the crypto needed to get the job done.)

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users