Signed isn't the same as authentic. Authentic means as the zone owner 
publishes. We must not lodge in this document a requirement that a DNS server 
not be protective. Protective means not all answers flow equally. 


p vixie 


On Oct 2, 2024 08:56, Paul Wouters <paul.wouters=40aiven...@dmarc.ietf.org> 
wrote:

[drifting off topic] 


> On Oct 2, 2024, at 00:10, Paul Vixie <paul=40redbarn....@dmarc.ietf.org> 
> wrote: 
> 
> I would not. Much of the world now relies upon inauthentic DNS responses for 
> defense against bad actors. 

That's a limitation of RPZ. Years ago I proposed to move the Answer to the 
Authority section so you can filter AND provide the data for DNSSEC validation. 
I even proposed to write a bis doc, but the authors/ISE left the RPZ doc as a 
draft, leaving a potential bis doc in limbo. 

Paul 
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
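As an added illustration of the trade-off the two Pauls are arguing about (example code written for this page, not code from the thread, from any RPZ implementation or from any draft): a toy model in which a zone owner "signs" RRsets, a resolver applies QNAME-triggered RPZ actions, and a validating client checks which sections of the response it can verify. The HMAC stands in for RRSIG (real DNSSEC uses public-key signatures over canonical RRsets), the message is a dict of sections rather than wire format, NSEC/NSEC3 proofs are not modelled, the `ad` flag is simply set when the resolver passes signed data through unchanged, and the `signed_in_authority` switch is my rendering of the "move the Answer to the Authority section" idea, not a specification of it. Zone data, key and policy are all constructed for the example.

```python
"""Toy RPZ-style filtering resolver beside signed zone data (illustration only)."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed zone-owner key; stands in for the zone's signing key.
ZONE_KEY = b"example-zone-owner-key"


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: tuple  # tuple of rdata strings, so the RRset is hashable


def sign(rrset: RRset) -> str:
    """Toy RRSIG: HMAC over a canonical form of the RRset.
    Only the zone owner holds ZONE_KEY; a filtering resolver does not."""
    canon = f"{rrset.name}|{rrset.rtype}|{'|'.join(sorted(rrset.rdata))}".encode()
    return hmac.new(ZONE_KEY, canon, hashlib.sha256).hexdigest()


def verify(rrset: RRset, sig: str) -> bool:
    """Validator's view: does this RRset match what the zone owner signed?"""
    return hmac.compare_digest(sign(rrset), sig)


# Constructed authoritative data: "authentic" means exactly these RRsets.
AUTHORITATIVE = {
    ("bad.example.", "A"): RRset("bad.example.", "A", ("192.0.2.10",)),
    ("good.example.", "A"): RRset("good.example.", "A", ("192.0.2.20",)),
    ("garden.example.", "A"): RRset("garden.example.", "A", ("192.0.2.30",)),
}
SIGNED = {k: (v, sign(v)) for k, v in AUTHORITATIVE.items()}

# Constructed RPZ-style policy, QNAME trigger -> (action, local data).
# Action names follow the RPZ draft; the table format here is the example's own.
POLICY = {
    "bad.example.": ("NXDOMAIN", None),
    "good.example.": ("PASSTHRU", None),
    "garden.example.": ("LOCALDATA", ("203.0.113.1",)),
}


def resolve(qname: str, rtype: str, signed_in_authority: bool = False) -> dict:
    """Apply policy to a query and build a response as {rcode, answer, authority, ad}.

    answer/authority hold (RRset, sig-or-None) pairs. With signed_in_authority
    the resolver also carries the zone owner's signed RRset in the Authority
    section next to the protective Answer (the idea floated in the thread)."""
    rec = SIGNED.get((qname, rtype))
    action, local = POLICY.get(qname, ("PASSTHRU", None))

    if action == "PASSTHRU":
        if rec is None:
            return {"rcode": "NXDOMAIN", "answer": [], "authority": [], "ad": False}
        # Unmodified signed data flows through; toy model treats it as validated.
        return {"rcode": "NOERROR", "answer": [rec], "authority": [], "ad": True}

    # Protective rewrite: the Answer no longer matches what the zone owner
    # signed, so the resolver cannot honestly claim it is authentic (AD clear).
    if action == "NXDOMAIN":
        msg = {"rcode": "NXDOMAIN", "answer": [], "authority": [], "ad": False}
    elif action == "NODATA":
        msg = {"rcode": "NOERROR", "answer": [], "authority": [], "ad": False}
    elif action == "LOCALDATA":
        rewritten = RRset(qname, rtype, local)  # no signature: resolver lacks the key
        msg = {"rcode": "NOERROR", "answer": [(rewritten, None)], "authority": [], "ad": False}
    else:
        raise ValueError(f"unknown policy action {action!r}")

    if signed_in_authority and rec is not None:
        msg["authority"] = [rec]  # authentic, signed data travels alongside the rewrite
    return msg


def client_validate(msg: dict) -> dict:
    """Validating client: for each section, which RRsets carry a good signature."""
    return {
        section: [bool(sig) and verify(rr, sig) for rr, sig in msg[section]]
        for section in ("answer", "authority")
    }


if __name__ == "__main__":
    for name in ("good.example.", "bad.example.", "garden.example."):
        for flag in (False, True):
            m = resolve(name, "A", signed_in_authority=flag)
            print(name, flag, m["rcode"], m["ad"], client_validate(m))
```

Run as a script to see the three cases side by side: the pass-through answer validates; the NXDOMAIN and walled-garden rewrites never validate in the Answer section (the resolver cannot produce the zone owner's signature); and with `signed_in_authority` the client can still verify the published RRset in the Authority section while the filtered Answer is what it acts on. The `verify` call at the end of the test also shows the other half of "signed isn't the same as authentic": the zone owner's signature does not transfer to a rewritten RRset.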
