I think the examples being used in this thread are too narrow. In RPZ, a firewall rule might trigger on something other than the QNAME. For example the trigger could be one of the NSDNAMEs in the resolution path, or on the address (A or AAAA) associated with some NSDNAME in the resolution path, or on the address (A or AAAA) of an answer. The meaning of "false" in the term "false positive" quickly goes out of scope. What we have are rules that trigger on nothing, others that trigger on the wrong thing, some that trigger on the right thing, and some that trigger on too much.

Also I wish everybody would stop saying "blocking". This isn't always that. We filter DNS content because it's the gateway to much harm, and as we learn about harms, we either monitor, or drop, or redirect, or "block" (if the trigger happens to be on the QNAME in which case we can replace the real answer with an NXDOMAIN) the DNS paths to those harms. NXDOMAIN insertion is usually unwise for non-QNAME triggers.

--
P Vixie


_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
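The trigger types and actions the message above describes, as an added example that is not part of the thread and not code from BIND or any other resolver: a small Python model of RPZ evaluation. It uses the owner-name encodings from the RPZ draft (QNAME rules as plain names, answer-address rules under rpz-ip, name-server-name rules under rpz-nsdname, name-server-address rules under rpz-nsip, with IPv4 only) and the CNAME-target action encodings (CNAME . for NXDOMAIN, CNAME *. for NODATA, rpz-passthru. to monitor, rpz-drop. to drop, any other target as a redirect). The policy zone name, the rules and the resolution traces are constructed sample data. The lint function encodes the caveat from the message: an NXDOMAIN (or NODATA) action attached to a trigger other than the QNAME is flagged, because the name the client asked about is not the thing that matched.

```python
"""Toy model of RPZ trigger matching and policy actions (added example).

Constructed data throughout; trigger precedence (QNAME, then answer IP,
then NSDNAME, then NSIP) follows the RPZ draft. IPv4 triggers only.
"""
import ipaddress
from dataclasses import dataclass

POLICY_ZONE = "rpz.example"  # hypothetical policy zone name (owners below are relative to it)

# CNAME target -> RPZ action; any other target means "answer with this local data"
ACTIONS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",   # monitor: real answer goes out, the hit is logged
    "rpz-drop.": "DROP",           # no response at all
}

PRECEDENCE = ("qname", "rpz-ip", "rpz-nsdname", "rpz-nsip")

@dataclass
class Trace:
    """What the resolver learned while answering one query (names lowercase, no trailing dot)."""
    qname: str
    nsdnames: list    # name server names used in the resolution path
    nsips: list       # addresses of those name servers
    answer_ips: list  # A/AAAA rdata in the final answer

def action_of(target):
    return ACTIONS.get(target, "REDIRECT:" + target)

def trigger_type(owner):
    for kind in ("rpz-ip", "rpz-nsdname", "rpz-nsip"):
        if owner.endswith("." + kind):
            return kind
    return "qname"

def decode_ip_owner(owner, kind):
    """'24.0.2.0.192.rpz-ip' -> 192.0.2.0/24 (prefix length, then reversed octets)."""
    labels = owner[: -len("." + kind)].split(".")
    prefixlen, reversed_octets = labels[0], labels[1:]
    return ipaddress.ip_network(".".join(reversed(reversed_octets)) + "/" + prefixlen)

def name_matches(rule, name):
    if rule.startswith("*."):
        return name.endswith(rule[1:])   # wildcard matches subdomains, not the apex itself
    return rule == name

def matches(owner, kind, trace):
    if kind == "qname":
        return name_matches(owner, trace.qname)
    if kind == "rpz-nsdname":
        rule = owner[: -len(".rpz-nsdname")]
        return any(name_matches(rule, n) for n in trace.nsdnames)
    net = decode_ip_owner(owner, kind)
    addrs = trace.answer_ips if kind == "rpz-ip" else trace.nsips
    return any(ipaddress.ip_address(a) in net for a in addrs)

def evaluate(rules, trace):
    """Return (action, trigger kind, matched owner) for the first hit in precedence order."""
    for kind in PRECEDENCE:
        for owner, target in rules:
            if trigger_type(owner) == kind and matches(owner, kind, trace):
                return action_of(target), kind, owner
    return "PASSTHRU", None, None

def lint(rules):
    """Owners whose action lies about the QNAME's existence although the QNAME did not trigger."""
    return [owner for owner, target in rules
            if trigger_type(owner) != "qname" and action_of(target) in ("NXDOMAIN", "NODATA")]

# Constructed rules: (owner relative to POLICY_ZONE, CNAME target)
RULES = [
    ("malware.example", "."),                          # QNAME -> NXDOMAIN (fine: QNAME is what matched)
    ("*.phish.example", "walled-garden.example."),     # QNAME -> redirect to a walled garden
    ("24.0.2.0.192.rpz-ip", "rpz-drop."),              # answer A in 192.0.2.0/24 -> DROP
    ("ns1.bad.example.rpz-nsdname", "rpz-passthru."),  # NSDNAME in path -> monitor only
    ("32.1.113.0.203.rpz-nsip", "."),                  # NSIP 203.0.113.1 -> NXDOMAIN (the unwise case)
]

# Constructed resolution traces, one per trigger kind plus a clean one
TRACES = {
    "qname":    Trace("malware.example", [], [], ["198.51.100.5"]),
    "redirect": Trace("login.phish.example", [], [], []),
    "ip":       Trace("cdn.example", ["ns.cdn.example"], ["198.51.100.53"], ["192.0.2.77"]),
    "nsdname":  Trace("shop.example", ["ns1.bad.example"], ["198.51.100.9"], ["198.51.100.10"]),
    "nsip":     Trace("news.example", ["ns.news.example"], ["203.0.113.1"], ["198.51.100.11"]),
    "clean":    Trace("good.example", ["ns.good.example"], ["198.51.100.1"], ["198.51.100.2"]),
}

if __name__ == "__main__":
    for label, trace in TRACES.items():
        print(f"{label:9} {trace.qname:22} -> {evaluate(RULES, trace)}")
    print("non-QNAME triggers with NXDOMAIN/NODATA actions:", lint(RULES))
```

Running it shows the same query name class ("news.example") being answered NXDOMAIN purely because one of its name servers sits on a listed address, which is exactly the situation where a redirect, drop or passthru-with-logging is the more honest response; lint(RULES) reports that rule.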
