On Thu, Jan 21, 2021 at 09:10:25PM -0500, Tom Pusateri wrote:
>
> > On Jan 21, 2021, at 8:59 PM, Paul Vixie <p...@redbarn.org> wrote:
> >
> > (new behaviour should require new signalling. let networks who want to
> > permit DNS bypass either by "use 8.8.8.8" or "use DoH" or otherwise,
> > signal this by adding a new canary domain, or a new DHCP option.
> > absent new signalling, behaviour should not change.)
>
> Would it be ok to allow DNSSEC signed responses from any server? If they're
> signed and verified, does it matter how you got them?
no. if my dns firewall is whiting out a DGA botnet's C&C, or any answer having an IP from a known-malicious ISP, or served by a known-bad name server name (or IP)... then i want them whited out, period, for all end systems on my network.

DNS is part of my control plane and i'm not going to negotiate with app or device makers as to why that's so or what i mean.

see also parental controls, corporate compliance controls, university compliance controls, or any of the other use cases to be found here:

https://dnsrpz.info/

-- 
Paul Vixie

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
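The reply above describes a DNS firewall that rewrites answers on four kinds of trigger: the queried name (a DGA C&C name), an IP in the answer (a known-malicious ISP's range), the name of the authoritative name server, or that server's IP. The script below, an added example that is not from the thread or from any RPZ implementation, evaluates a response against a small constructed Response Policy Zone using the standard RPZ owner-name encodings (`rpz-ip`, `rpz-nsdname`, `rpz-nsip`, reversed octets with the prefix length first) and action encodings (CNAME to `.`, `*.`, `rpz-passthru.`, `rpz-drop.`). The zone name `rpz.example.`, every record in it, and the sample responses are made up for illustration; it models IPv4 triggers only. The point it makes is the one Vixie makes: the decision never looks at whether the answer was DNSSEC-validated.

```python
"""RPZ-style DNS firewall evaluation (constructed example, not from the thread).
A response is rewritten when its QNAME, an answer IP, a name server name, or a
name server IP hits a policy trigger, regardless of DNSSEC status."""
import ipaddress

RPZ_ZONE = "rpz.example."  # assumed name of the policy zone

# Constructed policy zone. Owners use the RPZ trigger encodings; the CNAME
# target encodes the action.
RPZ_RECORDS = [
    ("xk3j9q.bad.example." + RPZ_ZONE, "."),                # QNAME   -> NXDOMAIN (DGA C&C name)
    ("*.dga.example." + RPZ_ZONE, "."),                     # QNAME   -> NXDOMAIN (wildcard, whole family)
    ("allowed.bad.example." + RPZ_ZONE, "rpz-passthru."),   # QNAME   -> PASSTHRU (allowlist)
    ("24.0.2.0.192.rpz-ip." + RPZ_ZONE, "."),               # IP      -> NXDOMAIN (192.0.2.0/24, "bad ISP")
    ("ns1.evil-dns.example.rpz-nsdname." + RPZ_ZONE, "."),  # NSDNAME -> NXDOMAIN (known-bad NS name)
    ("24.0.100.51.198.rpz-nsip." + RPZ_ZONE, "*."),         # NSIP    -> NODATA   (198.51.100.0/24)
]

ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}


def decode_ip_trigger(encoded):
    """'24.0.2.0.192' -> 192.0.2.0/24: prefix length first, then reversed octets (IPv4 only)."""
    parts = encoded.split(".")
    prefix, octets = parts[0], parts[1:][::-1]
    return ipaddress.ip_network(".".join(octets) + "/" + prefix, strict=False)


def parse_zone(records):
    """Index the policy zone by trigger type."""
    triggers = {"QNAME": {}, "IP": [], "NSDNAME": {}, "NSIP": []}
    suffix = "." + RPZ_ZONE
    for owner, target in records:
        rel = owner[:-len(suffix)]                      # owner relative to the policy zone
        action = ACTIONS.get(target, "LOCAL-DATA")      # any other target is local data
        if rel.endswith(".rpz-ip"):
            triggers["IP"].append((decode_ip_trigger(rel[:-len(".rpz-ip")]), action))
        elif rel.endswith(".rpz-nsdname"):
            triggers["NSDNAME"][rel[:-len(".rpz-nsdname")].lower() + "."] = action
        elif rel.endswith(".rpz-nsip"):
            triggers["NSIP"].append((decode_ip_trigger(rel[:-len(".rpz-nsip")]), action))
        else:
            triggers["QNAME"][rel.lower() + "."] = action
    return triggers


def _fqdn(name):
    name = name.lower()
    return name if name.endswith(".") else name + "."


def evaluate(triggers, qname, answer_ips=(), ns_names=(), ns_ips=()):
    """First matching trigger wins, in RPZ precedence order QNAME, IP, NSDNAME, NSIP.
    Returns (action, reason); reason is None when nothing matched."""
    qname = _fqdn(qname)
    if qname in triggers["QNAME"]:
        return triggers["QNAME"][qname], "QNAME " + qname
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):                 # wildcard owners: *.parent.
        wc = "*." + ".".join(labels[i:])
        if wc in triggers["QNAME"]:
            return triggers["QNAME"][wc], "QNAME " + wc
    for ip in answer_ips:
        for net, action in triggers["IP"]:
            if ipaddress.ip_address(ip) in net:
                return action, f"IP {ip} in {net}"
    for ns in ns_names:
        if _fqdn(ns) in triggers["NSDNAME"]:
            return triggers["NSDNAME"][_fqdn(ns)], "NSDNAME " + _fqdn(ns)
    for ip in ns_ips:
        for net, action in triggers["NSIP"]:
            if ipaddress.ip_address(ip) in net:
                return action, f"NSIP {ip} in {net}"
    return "PASSTHRU", None


def filter_response(triggers, response):
    """What the resolver hands the stub. response["dnssec_validated"] is carried
    but never consulted: a signed, validated answer is rewritten exactly like an
    unsigned one, which is the position the reply above takes."""
    action, why = evaluate(triggers, response["qname"], response.get("answer_ips", ()),
                           response.get("ns_names", ()), response.get("ns_ips", ()))
    if action == "PASSTHRU":
        return {"rcode": "NOERROR", "answer_ips": list(response.get("answer_ips", ())), "policy": why}
    if action == "DROP":
        return {"rcode": None, "answer_ips": [], "policy": why}       # no reply at all
    if action == "NXDOMAIN":
        return {"rcode": "NXDOMAIN", "answer_ips": [], "policy": why}
    return {"rcode": "NOERROR", "answer_ips": [], "policy": why}      # NODATA (local data not modelled)


if __name__ == "__main__":
    policy = parse_zone(RPZ_RECORDS)
    # Constructed responses; the last one is "signed and verified" yet still whited out.
    for resp in [
        {"qname": "xk3j9q.bad.example", "answer_ips": ["203.0.113.5"]},
        {"qname": "allowed.bad.example", "answer_ips": ["192.0.2.10"]},   # allowlist beats the IP hit
        {"qname": "www.innocent.example", "ns_names": ["ns1.evil-dns.example"]},
        {"qname": "cdn.example", "ns_ips": ["198.51.100.7"]},
        {"qname": "signed.example", "answer_ips": ["192.0.2.44"], "dnssec_validated": True},
    ]:
        print(resp["qname"], "->", filter_response(policy, resp))
```

Two practical caveats. Precedence matters: the allowlisted name passes even though its answer IP sits in the blocked range, because QNAME triggers are evaluated before IP triggers, so a passthru entry is the way to carve an exception out of a broad IP block. And whether a real resolver applies policy to validated answers is a configuration choice, not a given: BIND, for example, leaves DNSSEC-signed responses alone unless `break-dnssec yes` is set on the `response-policy` statement, so a deployment that wants the behaviour Vixie describes has to turn it on explicitly.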