I think you mean RPZ here.
Paul Wouters wrote on 2024-01-10 07:01:
On Wed, 10 Jan 2024, Lanlan Pan wrote:
I have submitted a new draft to discuss the faked answer returned from
the recursive resolver.
Your comments are appreciated.
As I've said during the discussions on RBL and an updated version for
RBL, if these things are done "for the user", the best thing is to put
the censored answer in the authority section. This way ignorant clients
keep working with the censor, but knowledgeable clients can DNSSEC validate
the censorship using the original answer and optionally present a choice
to the end user. It also prevents censorship forced against the user's
interest, e.g. it makes this properly opt-in (e.g. compliant with RFC 8890).
There should be no synthesizing of fake records as those cannot pass
DNSSEC validation. One has to assume the querier is DNSSEC enabled,
even if it is a stub. We already have extended error codes for
censorship (see
https://www.rfc-editor.org/rfc/rfc8914.html#name-iana-considerations
error codes 15-18)
Paul
---------- Forwarded message ---------
From: <internet-dra...@ietf.org>
Date: Wed, Jan 10, 2024 16:11
Subject: New Version Notification for
draft-pan-dnsop-explicit-forged-answer-signal-00.txt
To: Lanlan Pan <abby...@gmail.com>
A new version of Internet-Draft draft-pan-dnsop-explicit-forged-answer-signal-00.txt has been successfully submitted by Lanlan Pan and posted to the IETF repository.
Name: draft-pan-dnsop-explicit-forged-answer-signal
Revision: 00
Title: Explicit Forged Answer Signal
Date: 2024-01-10
Group: Individual Submission
Pages: 6
URL: https://www.ietf.org/archive/id/draft-pan-dnsop-explicit-forged-answer-signal-00.txt
Status: https://datatracker.ietf.org/doc/draft-pan-dnsop-explicit-forged-answer-signal/
HTMLized: https://datatracker.ietf.org/doc/html/draft-pan-dnsop-explicit-forged-answer-signal
Abstract:
This document describes that the recursive resolver should give an explicit
signal in the forged answer.
Clients could react more clearly based on the explicit forged answer
signal, to protect user security and privacy.
The IETF Secretariat
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
--
P Vixie
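Paul Wouters' pointer to the RFC 8914 extended error codes (info codes 15-18: Blocked, Censored, Filtered, Prohibited, carried in EDNS option code 15) can be made concrete from the client side. The Python below is an added example, not code from this thread, from the draft, or from any resolver project: it builds a constructed wire-format response (sample data, not a real capture) in which the A answer has been rewritten to 0.0.0.0 and the OPT pseudo-RR carries an EDE option, then parses the message with the standard library only so a stub can tell a policy-rewritten answer apart from a genuine one. The function names are my own; only the option code, the info codes and the wire layout come from RFC 8914 and RFC 6891.

```python
import struct

# RFC 8914: Extended DNS Error is EDNS option code 15.
# Info codes 15-18 are the filtering/censorship family mentioned in the thread.
EDE_OPTION_CODE = 15
CENSORSHIP_INFO_CODES = {
    15: "Blocked",
    16: "Censored",
    17: "Filtered",
    18: "Prohibited",
}


def _skip_name(msg, offset):
    """Return the offset just past the wire-format name at `offset`.
    A compression pointer (top two bits set) is two bytes and ends the name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length


def extended_dns_errors(msg):
    """Walk a DNS response and return [(info_code, extra_text), ...] for every
    EDE option found inside an OPT (type 41) record in any section."""
    qdcount, ancount, nscount, arcount = struct.unpack("!4H", msg[4:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4      # skip QTYPE and QCLASS
    errors = []
    for _ in range(ancount + nscount + arcount):
        offset = _skip_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype != 41:                            # only OPT carries EDNS options
            continue
        pos = 0
        while pos + 4 <= len(rdata):               # option code, option length, body
            code, length = struct.unpack("!HH", rdata[pos:pos + 4])
            body = rdata[pos + 4:pos + 4 + length]
            pos += 4 + length
            if code == EDE_OPTION_CODE and len(body) >= 2:
                info = struct.unpack("!H", body[:2])[0]
                errors.append((info, body[2:].decode("utf-8", "replace")))
    return errors


def filtering_signal(msg):
    """Return (info_code, label, extra_text) for the first filtering-family EDE
    in the response, or None if the resolver gave no such signal."""
    for info, text in extended_dns_errors(msg):
        if info in CENSORSHIP_INFO_CODES:
            return info, CENSORSHIP_INFO_CODES[info], text
    return None


def build_sample_response(info_code=16):
    """Constructed sample (not a real capture): example.com/A answered with
    0.0.0.0, plus an OPT RR whose EDE option carries `info_code`.
    The EXTRA-TEXT is an assumed resolver-side message."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 1)   # QR, RD, RA; 1 Q, 1 AN, 1 AR
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([0, 0, 0, 0])
    ede_body = struct.pack("!H", info_code) + b"blocked by resolver policy"
    option = struct.pack("!HH", EDE_OPTION_CODE, len(ede_body)) + ede_body
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(option)) + option
    return header + question + answer + opt_rr


if __name__ == "__main__":
    print(filtering_signal(build_sample_response()))
```

The point a stub should take from this is that the signal lives in the OPT record, not in the forged A record itself, so a client that validates DNSSEC can treat the 0.0.0.0 answer as untrusted and still learn why it was returned; an EDE with info code 0 ("Other") or none at all is reported as no filtering signal.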