Paul Wouters wrote on 2021-11-25 15:36:
On Thu, 25 Nov 2021, Paul Vixie wrote:
...
This is a deeply concerning statement, even if you are trying to convince
the authoritarians that they should let the DNS answer slide through
"in their best interest".
any belief that too much effort will at
On Thu, 25 Nov 2021, Paul Vixie wrote:
in the years since DNS RPZ was made, i've realized that authoritarian network
operators including authoritarian national governments are not well served by
DNS RPZ in its current form. what we (and they) need is a way to include the
original answer and al
SERVFAIL is often taken as a signal to try other servers for the
delegation point or some other recursive server. when recursive server
policy has trampled an answer, it is meant to be about the data, not the
server. so SERVFAIL is both operationally and syntactically wrong here.
as an example
I have repeatedly asked for RPZ draft publication so we can extend to a new
version of RPZ that moves the censored dnssec answer to the additional section.
This has the advantage that:
1) dnssec validation can still be done by clients that support this on the
withheld answer RR
2) censorship is
Hello,
I realize this is tangential, but I believe it's important over the long
term.
Any modification of DNS will break *later* DNSSEC validation. As
filtering seems almost always done by DNS modification (e.g. NXDOMAIN),
and I see significant trends in doing filtering as a service, there's