Hi Wes,
I think the changes are moving the document in the right direction.
Some comments:
3.1. Best-practice for zone publishers
I wonder if we can make the requirement even stronger by saying "If
NSEC3 must be used, then an iterations count of 0 MUST be used to
alleviate computational bu
On 25. 11. 21 9:33, Matthijs Mekking wrote:
Hi Wes,
I think the changes are moving the document in the right direction.
Some comments:
3.1. Best-practice for zone publishers
I wonder if we can make the requirement even stronger by saying "If
NSEC3 must be used, then an iterations count of
Hello,
I realize this is tangential, but I believe it's important over the long
term.
Any modification of DNS will break *later* DNSSEC validation. As
filtering seems almost always done by DNS modification (e.g. NXDOMAIN),
and I see significant trends in doing filtering as a service, there's
I have repeatedly asked for RPZ draft publication so we can extend to a new
version of RPZ that moves the censored dnssec answer to the additional section.
This has the advantage that:
1) dnssec validation can still be done by clients that support this on the
withheld answer RR
2) censorship is
Petr Špaček wrote on 2021-11-25 04:00:
On 25. 11. 21 9:33, Matthijs Mekking wrote:
...
3.1. Best-practice for zone publishers
...
This section is IMHO missing a scary warning to explain the reasons. Let
me add a couple of sentences (+ "extra" keyword to differentiate it from the
implicit si
SERVFAIL is often taken as a signal to try other servers for the
delegation point or some other recursive server. when recursive server
policy has trampled an answer, it is meant to be about the data, not the
server. so SERVFAIL is both operationally and syntactically wrong here.
as an example
On Thu, 25 Nov 2021, Paul Vixie wrote:
in the years since DNS RPZ was made, i've realized that authoritarian network
operators including authoritarian national governments are not well served by
DNS RPZ in its current form. what we (and they) need is a way to include the
original answer and al
Paul Wouters wrote on 2021-11-25 15:36:
On Thu, 25 Nov 2021, Paul Vixie wrote:
...
This is a deeply concerning statement, even if you are trying to convince
the authoritarians that they should let the DNS answer slide through
"in their best interest".
any belief that too much effort will at