On Mon, 9 Jan 2017, Barry Raveendran Greene wrote:

On Jan 8, 2017, at 6:54 AM, Scott Schmit <i.g...@comcast.net> wrote:

Eventually, if DNSSEC verification on endpoints becomes widespread,
operators will need to turn to other means or break DNSSEC in these
cases (but redirection will stop working).

Bad guys are not going to take the time to use DNSSEC to build a path that can 
be followed to their place of operations.

It is actually the other way around. If an end-node performs DNSSEC
validation, it can only see RPZ-modified answers as an attack. It is
in the interest of RPZ to give such clients the confidence that the RPZ-
produced answer is not an attack but a handbrake action in the user's
interest.

I won't reiterate my previous suggestion on how this could be done. See
the archive.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
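The point above, that a validating end node has no way to tell an RPZ rewrite from a forged answer, can be shown with a small model. The following Go program is an added example, not code from the thread or from any RPZ implementation: it uses Ed25519 (DNSSEC algorithm 15) to stand in for a zone's signing key, a simplified canonical form instead of real RRSIG wire format, and the zone's public key directly as the trust anchor instead of a chain from the root. The names, addresses and the `Validate`/`Demo` functions are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RRset is a constructed model of a DNSSEC-signed A RRset. Real DNSSEC
// signs the canonical RRset together with the RRSIG RDATA fields (type
// covered, labels, TTL, expiration, inception, key tag, signer name);
// this model keeps only the owner name and RDATA, which is enough to show
// why an RPZ-rewritten answer cannot validate.
type RRset struct {
	Owner string   // e.g. "www.example."
	RData []string // A records as dotted quads
	RRSIG []byte   // Ed25519 signature over canonical(Owner, RData)
}

// canonical builds the byte string that is signed: owner name lowercased
// and records sorted, mirroring DNSSEC canonical ordering.
func canonical(owner string, rdata []string) []byte {
	sorted := append([]string(nil), rdata...)
	sort.Strings(sorted)
	return []byte(strings.ToLower(owner) + "\x00" + strings.Join(sorted, "\x00"))
}

// signRRset is what the authoritative zone does with its private ZSK.
func signRRset(priv ed25519.PrivateKey, owner string, rdata []string) RRset {
	return RRset{Owner: owner, RData: rdata, RRSIG: ed25519.Sign(priv, canonical(owner, rdata))}
}

// rpzRewrite models a recursive resolver applying a Local-Data style policy:
// the RDATA is replaced with a walled-garden address, but the resolver holds
// no zone private key, so it can only leave the original RRSIG in place.
func rpzRewrite(rr RRset, walledGarden string) RRset {
	return RRset{Owner: rr.Owner, RData: []string{walledGarden}, RRSIG: rr.RRSIG}
}

// rpzStrip models a resolver that rewrites the answer and drops the RRSIG
// entirely; for a signed zone this is still bogus, not "insecure".
func rpzStrip(rr RRset, walledGarden string) RRset {
	return RRset{Owner: rr.Owner, RData: []string{walledGarden}, RRSIG: nil}
}

// Validate is the end node's DNSSEC check against the zone's public key,
// which stands in for a full chain of trust. It returns "secure" or
// "bogus"; a real validator turns "bogus" into SERVFAIL for the application.
func Validate(pub ed25519.PublicKey, rr RRset) string {
	if ed25519.Verify(pub, canonical(rr.Owner, rr.RData), rr.RRSIG) {
		return "secure"
	}
	return "bogus"
}

// Demo returns the validation results for the genuine answer, the
// RPZ-rewritten answer and the RPZ-rewritten answer with RRSIG stripped.
func Demo() (genuine, rewritten, stripped string, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", "", "", err
	}
	// Constructed sample data: the real answer and the policy address.
	signed := signRRset(priv, "www.example.", []string{"192.0.2.10", "192.0.2.11"})
	genuine = Validate(pub, signed)
	rewritten = Validate(pub, rpzRewrite(signed, "198.51.100.1"))
	stripped = Validate(pub, rpzStrip(signed, "198.51.100.1"))
	return genuine, rewritten, stripped, nil
}

func main() {
	g, r, s, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine answer:          %s\n", g)
	fmt.Printf("RPZ-rewritten answer:    %s\n", r)
	fmt.Printf("RPZ answer, RRSIG gone:  %s\n", s)
}
```

Both rewritten forms come back "bogus", which is exactly what a forged answer from an on-path attacker would look like to the same client; the validator has no signal that distinguishes a policy action from an attack, which is the gap the message above refers to.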
