On Wed, 13 Mar 2019, Stephen Farrell wrote:
> Hmm. Not sure what to make of that. DNSSEC presumably makes it possible to detect interference, and yet RPZ (IIRC) calls for not changing DNSSEC-signed answers. I don't get why an inability to change is ok for the RPZ/DNSSEC context but not for DoH.
No. RPZ allows filtering answers which would turn into BOGUS for DNSSEC validating clients. I am waiting for RPZ to be an RFC to start a bis document that moves the Answer to the Authoritative section, so you can indeed detect the network's desire for protecting you, and use DNSSEC to confirm you are not censored without consent.

Paul

ps. I owe the ISE an RPZ document review, so it is partially my fault this is stuck now. I hope to get enough airplane time in the next two weeks to fix that :)

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
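The point Paul makes above, as an added toy model (not code from the thread, from any RPZ draft, or from a real DNSSEC validator): an RRSIG covers exactly the RRset it is attached to, the recursive resolver applying RPZ holds no zone key, so a rewritten Answer section cannot verify and a validating client sees BOGUS. The model stands in an HMAC under a key the validator trusts for the RRSIG/DNSKEY chain, and the "-bis" layout (policy RRset in Answer, original signed RRset carried in Authority so the client can both detect the filtering and validate the original) is an assumption drawn from Paul's one-sentence description, not a specified format. Names, addresses and the key are constructed.

```python
"""Toy model of RPZ rewriting versus DNSSEC validation (added example, not from the thread)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ZONE_KEY = b"toy-zone-key"   # constructed: stands in for the zone's signing key (DNSKEY)
RPZ_POLICY_IP = "192.0.2.99"  # constructed: address the RPZ policy redirects to


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: Tuple[str, ...]


@dataclass(frozen=True)
class SignedRRset:
    rrset: RRset
    rrsig: Optional[str]  # None models an RRset that carries no RRSIG at all


@dataclass
class Response:
    answer: List[SignedRRset]
    authority: List[SignedRRset] = field(default_factory=list)


def canonical(rrset: RRset) -> bytes:
    """Canonical wire-ish form: the signature covers name, type and sorted rdata."""
    return "\n".join(f"{rrset.name} {rrset.rtype} {r}" for r in sorted(rrset.rdata)).encode()


def sign(rrset: RRset, key: bytes = ZONE_KEY) -> str:
    """HMAC stand-in for an RRSIG (real DNSSEC uses public-key signatures)."""
    return hmac.new(key, canonical(rrset), hashlib.sha256).hexdigest()


def verify(srr: SignedRRset, key: bytes = ZONE_KEY) -> bool:
    return srr.rrsig is not None and hmac.compare_digest(srr.rrsig, sign(srr.rrset, key))


def authoritative_answer(name: str, ip: str = "192.0.2.10") -> Response:
    """What the signed authoritative zone hands the recursive resolver."""
    rr = RRset(name, "A", (ip,))
    return Response(answer=[SignedRRset(rr, sign(rr))])


def rpz_rewrite_current(resp: Response) -> Response:
    """RPZ as it works today: the resolver overwrites the Answer section.
    It has no zone key, so the replacement RRset cannot carry a valid RRSIG."""
    rewritten = [SignedRRset(RRset(s.rrset.name, s.rrset.rtype, (RPZ_POLICY_IP,)), None)
                 for s in resp.answer]
    return Response(answer=rewritten, authority=list(resp.authority))


def rpz_rewrite_bis(resp: Response) -> Response:
    """Assumed -bis layout: policy RRset in Answer, original signed RRset kept in Authority."""
    rewritten = rpz_rewrite_current(resp)
    rewritten.authority.extend(resp.answer)
    return rewritten


def validate_answer(resp: Response) -> str:
    """Plain validating stub resolver: every Answer RRset must verify, otherwise BOGUS."""
    return "SECURE" if all(verify(s) for s in resp.answer) else "BOGUS"


def classify_bis(resp: Response) -> str:
    """Client aware of the assumed -bis layout.
    SECURE   : Answer verifies, no policy applied
    FILTERED : Answer does not verify, but Authority carries a verifying original for
               every filtered name, so the network's policy is announced, not hidden
    BOGUS    : nothing verifies; tampering rather than announced policy
    """
    if all(verify(s) for s in resp.answer):
        return "SECURE"
    verified_names = {s.rrset.name for s in resp.authority if verify(s)}
    if verified_names and verified_names >= {s.rrset.name for s in resp.answer}:
        return "FILTERED"
    return "BOGUS"


def original_addresses(resp: Response) -> Tuple[str, ...]:
    """Addresses the client can still trust (DNSSEC-verified) after a -bis style rewrite."""
    return tuple(r for s in resp.authority if verify(s) for r in s.rrset.rdata)


if __name__ == "__main__":
    upstream = authoritative_answer("www.example.com.")
    print("no policy     :", validate_answer(upstream))
    print("RPZ today     :", validate_answer(rpz_rewrite_current(upstream)))
    bis = rpz_rewrite_bis(upstream)
    print("RPZ -bis model:", classify_bis(bis), "original =", original_addresses(bis))
```

The FILTERED branch is what the thread calls detecting the network's desire to protect you: the policy answer is visible, the original is verifiable, and the client can choose whether to accept the filtering. A forged Authority RRset without the zone key falls through to BOGUS, which is what keeps the layout from becoming a downgrade path.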