I wrote:

> https://tools.ietf.org/html/draft-vixie-dns-rpz-04

>   If a policy rule matches and results in a modified answer, then that
>   modified answer will include in its additional section the SOA RR of

> It's not signed, but perhaps it could be with look-asside trust anchors,
> although an ever growing forest of DLVs doesn't sound good to me.

On second thought, maybe a future version of RPZ could say that
those SOAs "MAY" be accompanied by RRSIGs signing them as if they
had owner names equal to their MNAME domain names, and so using the
signature chain for those domain names.  One might hope that the
resolver applying the RPZ rule would receive a suitable RRSIG with
the rest of the policy zone.

But only in a future version of RPZ, and only a "MAY" or a "SHOULD",
and quite possibly not at all.


Vernon Schryver    v...@rhyolite.com

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Reply via email to