I wrote:

> https://tools.ietf.org/html/draft-vixie-dns-rpz-04
> If a policy rule matches and results in a modified answer, then that
> modified answer will include in its additional section the SOA RR of
> It's not signed, but perhaps it could be with look-aside trust anchors,
> although an ever growing forest of DLVs doesn't sound good to me.

On second thought, maybe a future version of RPZ could say that those SOAs "MAY" be accompanied by RRSIGs signing them as if they had owner names equal to their MNAME domain names, and so using the signature chain for those domain names. One might hope that the resolver applying the RPZ rule would receive a suitable RRSIG with the rest of the policy zone.

But only in a future version of RPZ, and only a "MAY" or a "SHOULD", and quite possibly not at all.

Vernon Schryver
v...@rhyolite.com

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop