Scott Schmit <i.g...@comcast.net> wrote:
>
> This doesn't magically make it possible for this DNS firewall to forge
> DNSSEC-signed data, so if a validating end-system is going to have its
> behavior modified, it would need to opt in.

That's not entirely true. An RPZ setup can lie regardless of whether a client appears to be validating or not. If the admin's goal is to block access to malicious sites, then a validating client will get a bogus result or SERVFAIL, and the site will be blocked as intended.

> But it looks like the contents of this zone are intended to be kept
> secret from end-users.

That depends entirely on the zone maintainer's policy. The admin can easily allow clients to query or transfer an RPZ, and/or provide out of band information about the zone on its web site.

> So this, if implemented, is ultimately a DNSSEC-killer.

I don't think so. DNSSEC is not able to improve the availability of the DNS. The point of DNSSEC is to ensure that if you get an answer, you can be sure it is authentic. If your local network wants to prevent you from accessing a malicious site, DNSSEC can't stop them.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn-- zr8h punycode
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
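As an added illustration of the two points Tony makes above (that an RPZ resolver can apply its policy to validating clients too, and that whether the zone is secret is the zone maintainer's choice), here is a BIND 9 configuration fragment together with a minimal policy zone. This is example configuration written for this note, not anything posted in the thread or shipped by ISC; the zone name `rpz.example`, the blocked name `bad.example` and the file names are hypothetical. The `response-policy` statement, its `break-dnssec` option, `dnssec-validation`, and the `CNAME .` RPZ action (rewrite to NXDOMAIN) are real BIND 9 syntax.

```conf
// ---- named.conf (hypothetical fragment) ----
options {
    recursion yes;
    dnssec-validation auto;

    // Apply the policy zone below when building answers.
    // With the default "break-dnssec no", BIND leaves DNSSEC-signed
    // answers alone when the client asked for DNSSEC (DO bit set),
    // so a validating client receives the genuine, signed data.
    // With "break-dnssec yes" the rewrite is applied anyway: a
    // validating client then fails validation and sees SERVFAIL,
    // a non-validating client sees the rewritten answer. Either way
    // the name is unreachable, which is the blocking outcome
    // described in the message above.
    response-policy { zone "rpz.example"; } break-dnssec yes;
};

// The policy zone itself. Visibility is purely local policy:
// widen allow-query / allow-transfer to publish the rules,
// narrow them to keep the list private.
zone "rpz.example" {
    type master;
    file "rpz.example.db";
    allow-query    { localhost; };   // { any; } to let clients read it
    allow-transfer { none; };        // or a list of secondaries/auditors
};

// ---- rpz.example.db (hypothetical policy zone contents) ----
// $TTL 300
// @               SOA   localhost. hostmaster.localhost. 1 3600 900 604800 300
// @               NS    localhost.
// ; "CNAME ." is the RPZ action meaning "answer NXDOMAIN for this name".
// bad.example     CNAME .
// *.bad.example   CNAME .
```

When testing such a setup, query the resolver once with `+dnssec` and once without (for example with `dig`) and compare: the non-validating lookup returns NXDOMAIN from the policy, the validating lookup either returns the real signed answer (`break-dnssec no`) or SERVFAIL (`break-dnssec yes`). A SERVFAIL that coincides with a name listed in the RPZ log is the expected signature of policy interfering with validation, not a sign that DNSSEC is broken upstream.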