On Thu, 25 Nov 2021, Paul Vixie wrote:

> in the years since DNS RPZ was made, i've realized that authoritarian network operators including authoritarian national governments are not well served by DNS RPZ in its current form. what we (and they) need is a way to include the original answer and also a server-level signature on the policy-trampled answer. this way we (and they) can watch what the stub does next -- which answer it consumes -- and therefore know whether the policy (or the law) is being abrogated, so as to trigger an enforcement action.

This is a deeply concerning statement, even if you are trying to convince
the authoritarians that they should let the DNS answer slide through
"in their best interest".

In fact, a much better answer here would be to develop a DNS protocol
that would prevent that kind of authoritarian network operator from
getting any visibility at all into what their citizens are doing. Luckily,
there is a good protocol for that, DoH. I hope it sees widespread use
over too many hostnames to track and block.

> probably this just means packing the original answer and the policy signature into EDNS in some way. but the response itself will have to have the policy-trampled answer and rcode (likely NXDOMAIN, but not always).

This has a similar effect to moving the RRs from the Answer to the Authority
section, and it surely has a little better signaling support, although if
this is not coming directly from the application, they might not see
the EDNS option either. So sadly this would be a reason to move DNS
into applications, something which I wish we could stop doing.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
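The exchange above sketches a response that is policy-trampled on its face (NXDOMAIN, empty Answer section) but carries the original answer in an EDNS(0) option, so that a stub which understands the option can recover it while a legacy stub only sees the trampled rcode. The following is an added example written for this page, not code from the thread, from Paul Vixie, or from any RPZ implementation. It builds and parses such a message with only the Python standard library. Assumptions: option code 65001 is taken from the Local/Experimental range of RFC 6891 and is not an assigned code; the option payload layout (one byte of original RCODE followed by the original answer RRs in wire form) is invented for the example; the "server-level signature" Vixie mentions is not modelled; name compression is not produced or parsed; the `blocked.example.` / `192.0.2.10` data is constructed sample input.

```python
"""Policy-trampled DNS reply that still carries the original answer in an
EDNS(0) option. Added example; the option code and payload format are
assumptions for illustration, not a specified protocol."""
import struct

OPT_ORIGINAL_ANSWER = 65001  # RFC 6891 Local/Experimental range; assumed here
NOERROR, NXDOMAIN = 0, 3
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def encode_name(name):
    """Uncompressed wire-format owner name ("blocked.example." -> labels + root)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def a_record(name, ttl, ip):
    """One A RR in wire form: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    rdata = bytes(int(octet) for octet in ip.split("."))
    return encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata


def opt_record(options, udp_size=1232):
    """OPT pseudo-RR: root owner, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags."""
    body = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, len(body)) + body


def build_response(qname, rcode, answers, authority, options):
    """Response with QR/RD/RA set, the given rcode, and one OPT RR in Additional."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | (rcode & 0xF),
                         1, len(answers), len(authority), 1)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    return header + question + b"".join(answers) + b"".join(authority) + opt_record(options)


def decode_name(wire, off):
    labels = []
    while True:
        n = wire[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 == 0xC0:  # compression pointer; never produced by this example
            raise ValueError("name compression not supported in this example")
        labels.append(wire[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def parse_rr(wire, off):
    name, off = decode_name(wire, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", wire, off)
    off += 10
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl,
            "rdata": wire[off:off + rdlen]}, off + rdlen


def parse_response(wire):
    """Return rcode, Answer/Authority RRs and a dict of EDNS option code -> payload."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", wire, 0)
    off = 12
    for _ in range(qd):
        _, off = decode_name(wire, off)
        off += 4  # QTYPE + QCLASS
    answers, authority, options = [], [], {}
    for _ in range(an):
        rr, off = parse_rr(wire, off)
        answers.append(rr)
    for _ in range(ns):
        rr, off = parse_rr(wire, off)
        authority.append(rr)
    for _ in range(ar):
        rr, off = parse_rr(wire, off)
        if rr["type"] == TYPE_OPT:
            data, o = rr["rdata"], 0
            while o < len(data):
                code, olen = struct.unpack_from("!HH", data, o)
                options[code] = data[o + 4:o + 4 + olen]
                o += 4 + olen
    return {"rcode": flags & 0xF, "answers": answers, "authority": authority, "options": options}


def original_answer(parsed):
    """What an option-aware stub recovers; None when the option is absent (legacy view)."""
    payload = parsed["options"].get(OPT_ORIGINAL_ANSWER)
    if payload is None:
        return None
    rcode, off, rrs = payload[0], 1, []
    while off < len(payload):
        rr, off = parse_rr(payload, off)
        rrs.append(rr)
    return {"rcode": rcode, "answers": rrs}


def rdata_to_ip(rdata):
    return ".".join(str(b) for b in rdata)


def demo():
    """Trampled reply for a constructed blocked name; both views a stub can take of it."""
    qname = "blocked.example."
    original = a_record(qname, 300, "192.0.2.10")  # constructed sample answer
    option = (OPT_ORIGINAL_ANSWER, bytes([NOERROR]) + original)
    parsed = parse_response(build_response(qname, NXDOMAIN, [], [], [option]))
    recovered = original_answer(parsed)
    return {"policy_rcode": parsed["rcode"],           # 3: all a legacy stub acts on
            "policy_answers": len(parsed["answers"]),  # 0
            "original_rcode": recovered["rcode"],      # 0
            "original_ip": rdata_to_ip(recovered["answers"][0]["rdata"])}  # 192.0.2.10
```

Note what the two views show: a resolver that ignores unknown EDNS options behaves exactly as with RPZ today (NXDOMAIN, nothing to connect to), while an option-aware stub has the original address and can choose to use it, which is precisely the choice the quoted proposal wants to observe. The `authority` parameter of `build_response` lets you build the alternative mentioned in the reply, where the original RRs are placed in the Authority section instead of an option; either way the data only helps the stub if the software that actually resolves the name, rather than the application, is the one looking at it.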