> From: Ted Lemon <mel...@fugue.com>
> It would be _nice_ if the browser, for example, could get some
> kind of positive, signed assertion that some authority has claimed
> that the domain in question is malicious (or whatever).
As I wrote on Monday, the final paragraph of section 6 on page 18 of
https://tools.ietf.org/html/draft-vixie-dns-rpz-04 says:

   If a policy rule matches and results in a modified answer, then
   that modified answer will include in its additional section the
   SOA RR of the policy zone whose rule was used to generate the
   modified answer. This SOA RR includes the name of the DNS RPZ and
   the serial number of the policy data which was connected to the
   DNS control plane when the answer was modified.

It's not signed, but perhaps it could be with look-aside trust anchors,
although an ever growing forest of DLVs doesn't sound good to me.

Browsers and other interested applications would have to do more than
gethostbyname() or a modern equivalent to see those SOAs. But if
browsers ever do any DANE, they'll need to do more than gethostbyname().

(perhaps that "will include" should be "MUST include")

Vernon Schryver    v...@rhyolite.com

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
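What "doing more than gethostbyname()" looks like in practice, as an added example that is not part of the thread or of the RPZ draft: a stdlib-only Python parser that walks the raw DNS message and reports the policy zone name and serial from an SOA RR found in the ADDITIONAL section, which is exactly the signal the quoted paragraph describes. The zone names (rpz.example.), addresses and serial are constructed sample values; the response builder stands in for a resolver that applied an RPZ rule. The name decoder handles RFC 1035 compression pointers, so it works on real resolver output as well as on the constructed sample.

```python
"""Added example, not part of the DNSOP thread: find the DNS RPZ policy
SOA in the ADDITIONAL section of a response.

Per draft-vixie-dns-rpz, a resolver that rewrote an answer under a policy
rule places the SOA RR of the policy zone that fired in the additional
section, carrying the policy zone's name and the serial of the policy
data in effect.  gethostbyname() throws that section away, so an
application that wants to know "was this answer rewritten, by which
zone, at which serial?" must parse the raw message itself.  All names,
addresses and serials here are constructed sample values.  Stdlib only."""
import struct

TYPE_A, TYPE_SOA, CLASS_IN = 1, 6, 1


def encode_name(name):
    """Encode a dotted owner name as uncompressed wire-format labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # RFC 1035 compression pointer
            if end is None:
                end = off + 2                     # resume after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def rr(name, rtype, ttl, rdata):
    """Build one IN-class resource record."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_response(rewritten):
    """Constructed response to 'bad.example. IN A'.  With rewritten=True the
    resolver applied an RPZ rule: the A record points at a walled garden
    and the policy zone's SOA rides in the ADDITIONAL section (ARCOUNT=1)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1 if rewritten else 0)
    question = encode_name("bad.example.") + struct.pack("!HH", TYPE_A, CLASS_IN)
    addr = bytes([192, 0, 2, 1]) if rewritten else bytes([198, 51, 100, 7])
    msg = header + question + rr("bad.example.", TYPE_A, 5, addr)
    if rewritten:
        soa_rdata = (encode_name("ns.rpz.example.")
                     + encode_name("hostmaster.rpz.example.")
                     + struct.pack("!IIIII", 2016010100, 3600, 600, 604800, 60))
        msg += rr("rpz.example.", TYPE_SOA, 60, soa_rdata)
    return msg


def parse_rrs(msg, off, count):
    """Parse `count` RRs from `off`; return (records, offset after them)."""
    records = []
    for _ in range(count):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append({"name": name, "type": rtype, "ttl": ttl,
                        "rdata_off": off, "rdlen": rdlen})
        off += rdlen
    return records, off


def find_policy_soa(msg):
    """Return (policy_zone_name, serial) for the first SOA in the ADDITIONAL
    section, or None when the response carries no such RR."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip QNAME + QTYPE + QCLASS
        _qname, off = decode_name(msg, off)
        off += 4
    _answers, off = parse_rrs(msg, off, an)
    _authority, off = parse_rrs(msg, off, ns)
    additional, _off = parse_rrs(msg, off, ar)
    for rec in additional:
        if rec["type"] == TYPE_SOA:
            p = rec["rdata_off"]
            _mname, p = decode_name(msg, p)       # MNAME
            _rname, p = decode_name(msg, p)       # RNAME
            serial = struct.unpack("!I", msg[p:p + 4])[0]
            return rec["name"], serial
    return None


if __name__ == "__main__":
    print(find_policy_soa(build_response(rewritten=True)))   # ('rpz.example.', 2016010100)
    print(find_policy_soa(build_response(rewritten=False)))  # None
```

Feed find_policy_soa() the bytes returned by a raw UDP or TCP query instead of build_response() to inspect a live resolver; an SOA in the additional section of a non-SOA query is the marker the draft describes, while an unmodified answer yields None. As the message notes, nothing in that SOA is signed, so the result tells the application which policy zone and serial the resolver claims to have applied, not that the claim is authentic.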