Lanlan Pan wrote:
(Without commenting about SWILD)

> Is your RPZ a mixture?

no.

> Doesn't RPZ rewrite DNS answer, break DNSSEC validation?

the I-D advises against this. some implementations offer a switch to rewrite DNSSEC-signed results. i don't use this myself, and i recommend against its use. my reasoning is that if the initiator indicates a desire for dnssec meta data, and there is in fact dns metadata, then any lie will be transparently obvious, and you should not in that case tell that lie.

some time before bad people get around to using dnssec to bypass rpz, the spec will have to evolve to allow new signalling ("i want to hear both the truth and the lie, and please sign the lie with our shared key so i'll know it's from you"). i figure we have a few years to get it done. it's one of the first things this WG will take up if an RFC is published on the current protocol, at which point vernon and i have agreed to surrender change control.

thank you for giving me this platform to explain the dnssec dilemma faced by rpz, along with my position, and my expectations. RPZ is not meant to be a censorship tool and will not, and should not, work as one. DNS filtering must be seen as a value-add by its user community or else it should be, and will in fact be, nonfunctional.

> Should we give up, or shouldn't we?

see #1, #4, especially #7, and #12 from <http://katsudon.net/?p=4746>.

your lack of respect and of professionalism is noted.

--
P Vixie
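The dilemma described in the message above, modelled as an added example that is not code from the message, from the RPZ I-D or from any resolver implementation: a validating client detects a rewritten answer because the zone's signature no longer matches, and the proposed "sign the lie with our shared key" signalling gives the client a way to tell a deliberate policy answer from a forged one. HMAC over a canonical RRset stands in for an RRSIG (real DNSSEC uses public-key signatures), and the names, keys, record data and the `lie_signalling` switch are all constructed assumptions.

```python
"""Toy model of the RPZ / DNSSEC interaction (added example, constructed data).

HMAC stands in for RRSIG; DNSSEC really uses asymmetric signatures, but the
validation outcome (match / no match) is what matters here. POLICY_KEY is the
hypothetical resolver/client shared key the message proposes for a future
signalling extension; it is not part of the current protocol.
"""
import hashlib
import hmac

ZONE_KEY = b"constructed-zone-signing-key"       # stand-in for the zone's ZSK
POLICY_KEY = b"constructed-resolver-client-key"  # hypothetical shared key


def canonical(rrset):
    """Serialise an RRset (owner, type, sorted rdata) for signing."""
    name, rtype, rdata = rrset
    return "|".join([name.lower(), rtype] + sorted(rdata)).encode()


def sign(rrset, key):
    return hmac.new(key, canonical(rrset), hashlib.sha256).hexdigest()


def verify(rrset, sig, key):
    return hmac.compare_digest(sign(rrset, key), sig)


# Constructed "true" answer from a signed zone (RFC 5737 documentation range).
TRUTH = ("filtered.example.", "A", ["192.0.2.10"])
TRUTH_SIG = sign(TRUTH, ZONE_KEY)


def rpz_rewrite(rrset):
    """RPZ policy action modelled as an empty (NODATA-style) answer."""
    name, rtype, _ = rrset
    return (name, rtype, [])


def answer(do_bit, rewrite_signed, lie_signalling):
    """Resolver side.

    do_bit          - client asked for DNSSEC data (EDNS DO flag)
    rewrite_signed  - the implementation switch the message advises against
    lie_signalling  - hypothetical future extension: sign the lie with POLICY_KEY
    Returns (rrset, zone_sig, policy_sig).
    """
    if not do_bit:
        # client did not ask for DNSSEC data: policy applies, nothing to validate
        return rpz_rewrite(TRUTH), None, None
    if not rewrite_signed:
        # recommended behaviour: do not lie to a client that wants signatures
        return TRUTH, TRUTH_SIG, None
    lie = rpz_rewrite(TRUTH)
    # a naive rewrite ships the lie with the zone's original (now stale) RRSIG
    policy_sig = sign(lie, POLICY_KEY) if lie_signalling else None
    return lie, TRUTH_SIG, policy_sig


def client_validate(rrset, zone_sig, policy_sig):
    """Validating client: zone-signed truth is valid; a lie carrying a valid
    policy signature from a trusted resolver is an explicit policy answer;
    anything else is bogus (the 'transparently obvious' lie)."""
    if zone_sig is None:
        return "unvalidated"
    if verify(rrset, zone_sig, ZONE_KEY):
        return "valid"
    if policy_sig is not None and verify(rrset, policy_sig, POLICY_KEY):
        return "policy-filtered"
    return "bogus"


if __name__ == "__main__":
    for case in [(True, False, False), (True, True, False), (True, True, True), (False, False, False)]:
        print(case, client_validate(*answer(*case)))
```

The middle case is the one the message warns about: a resolver that rewrites a signed answer hands the client an RRset its RRSIG cannot cover, so a validator flags it bogus rather than being fooled. The last case shows why the future signalling only makes sense with an explicit client opt-in: without a shared key there is no way for the client to distinguish a resolver's policy answer from an on-path forgery.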

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
