Hiya,

On 13/03/2019 01:04, Paul Wouters wrote:
> RPZ allows filtering answers which would turn into BOGUS for
> DNSSEC validating clients.

Could well be my terminology was imprecise. What I recalled from some discussion a year or more ago was that RPZ MUST NOT change a DNSSEC-signed answer that verifies. If that's wrong or no longer the case then my point there is off base. (I'll go back and find another tomorrow:-)

If I'm correct, then I remain puzzled as to why Paul V. finds it acceptable to be unable to "interfere" with DNS answers in one case (RPZ-with-good-DNSSEC) but not the other (DoH).

Cheers,
S.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop