Scott Schmit <i.g...@comcast.net> wrote:

> This doesn't magically make it possible for this DNS firewall to forge
> DNSSEC-signed data, so if a validating end-system is going to have its
> behavior modified, it would need to opt in.

That's not entirely true. An RPZ setup can lie regardless of whether a
client appears to be validating or not. If the admin's goal is to block
access to malicious sites, then a validating client will get a bogus
result or SERVFAIL, and the site will be blocked as intended.

> But it looks like the contents of this zone are intended to be kept
> secret from end-users.

That depends entirely on the zone maintainer's policy. The admin can
easily allow clients to query or transfer an RPZ, and/or provide out-of-band
information about the zone on its web site.

> So this, if implemented, is ultimately a DNSSEC-killer.

I don't think so.
DNSSEC is not able to improve the availability of the DNS. The point of
DNSSEC is to ensure that if you get an answer, you can be sure it is
authentic. If your local network wants to prevent you from accessing a
malicious site, DNSSEC can't stop them.
Tony.

--
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
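The exchange above turns on one point: a policy-applying resolver can substitute an answer, but it cannot sign the substitute, so a validating client sees bogus data (SERVFAIL) while a non-validating client sees the rewritten answer, and in both cases the real site is unreachable. The following simulation is an added illustration and is not part of the mailing-list thread or of any RPZ implementation. It stands in an HMAC for the RRSIG (real DNSSEC uses a public-key signature verified through the chain of trust, which is exactly why the resolver has no key to re-sign with); the zone data, the policy rules, the key and all addresses are constructed for the example.

```python
"""Simulated RPZ rewrite as seen by validating and non-validating clients.

Added illustration; not code from the thread or from any resolver.
The 'RRSIG' here is an HMAC over the canonical RRset, standing in for a
DNSSEC public-key signature. All names, keys and addresses are constructed.
"""
import hashlib
import hmac

# Constructed zone signing key (stand-in for a DNSSEC ZSK). In real DNSSEC the
# policy-applying resolver holds no private key, so it cannot re-sign anything.
ZONE_KEY = b"constructed-zone-key-not-real"

# Constructed authoritative data (documentation addresses only).
ZONE = {
    "malware.example.": ["203.0.113.10"],
    "phish.example.": ["203.0.113.20"],
    "good.example.": ["198.51.100.7"],
}

# Constructed RPZ rules: one synthetic NXDOMAIN, one walled-garden rewrite.
RPZ = {
    "malware.example.": {"action": "NXDOMAIN"},
    "phish.example.": {"action": "REWRITE", "target": "192.0.2.53"},
}


def rrsig(owner, rrtype, rdata, key=ZONE_KEY):
    """Stand-in RRSIG: HMAC over a canonical rendering of the RRset."""
    canonical = f"{owner}|{rrtype}|{','.join(sorted(rdata))}".encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def authoritative_answer(name):
    """Signed answer as the zone's authoritative server would return it."""
    rdata = ZONE[name]
    return {"owner": name, "type": "A", "rcode": "NOERROR",
            "rdata": rdata, "rrsig": rrsig(name, "A", rdata)}


def policy_resolver(name, policy=RPZ):
    """Recursive resolver applying RPZ. A matching rule replaces the answer,
    but nothing the resolver substitutes carries a valid signature."""
    answer = authoritative_answer(name)
    rule = policy.get(name)
    if rule is None:
        return answer
    if rule["action"] == "NXDOMAIN":
        # Synthetic denial without the NSEC/NSEC3 proof a signed zone would carry.
        return {"owner": name, "type": "A", "rcode": "NXDOMAIN",
                "rdata": [], "rrsig": None}
    # Walled-garden rewrite: new rdata, no signature covering it.
    return {"owner": name, "type": "A", "rcode": "NOERROR",
            "rdata": [rule["target"]], "rrsig": None}


def non_validating_client(answer):
    """Takes the resolver's answer at face value."""
    return (answer["rcode"], list(answer["rdata"]))


def validating_client(answer, key=ZONE_KEY):
    """Accepts only RRsets whose signature verifies; anything else is bogus."""
    if answer["rrsig"] is None:
        return ("SERVFAIL", [])
    expected = rrsig(answer["owner"], answer["type"], answer["rdata"], key)
    if not hmac.compare_digest(answer["rrsig"], expected):
        return ("SERVFAIL", [])
    return (answer["rcode"], list(answer["rdata"]))


def lookup(name, validating):
    """Resolve `name` through the policy resolver as either kind of client."""
    answer = policy_resolver(name)
    return validating_client(answer) if validating else non_validating_client(answer)


def reaches_real_site(name, result):
    """True only if the client obtained the zone's genuine address(es)."""
    rcode, rdata = result
    return rcode == "NOERROR" and sorted(rdata) == sorted(ZONE[name])


if __name__ == "__main__":
    for name in ZONE:
        for validating in (False, True):
            r = lookup(name, validating)
            print(f"{name:18} validating={validating!s:5} -> {r[0]:8} {r[1]}"
                  f"  real_site={reaches_real_site(name, r)}")
```

Running it shows the asymmetry Tony describes: the validating client learns that the answer was tampered with (SERVFAIL) but gains no access, the non-validating client gets the policy's substitute, and the unpoliced name resolves identically for both. Whether a real resolver applies the rewrite to clients that requested DNSSEC data is a local configuration choice (in BIND the response-policy `break-dnssec` option governs this); the simulation assumes the rewrite is applied to everyone, which is the case the message discusses.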
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop