Comments on Bill's Assorted Ramblings: DNS makes for strange bedfellows
Feed author: Bill Owens (http://www.blogger.com/profile/17039311028005676110); feed last updated 2020-06-02

Comment by Bill Owens (https://www.blogger.com/profile/08049211051802893173), 2011-11-15 04:37 -08:00:

Sorry for the late response - I'm obviously not doing a very good job keeping up with this blog ;) I agree that tools aren't inherently bad or good, and certainly RPZ seems to have been implemented in a thoughtful fashion. Much more so than the mandates in PROTECT-IP.

I wonder, though, whether you'll eventually be asked to install a switch for RPZ's DNSSEC behavior. I haven't had time to test this theory yet, but I expect that a query with DO=1 and any answer with an RRSIG will need to bypass RPZ - even if there's no chain of trust to the signature. Otherwise a DNSSEC-capable client behind an RPZ resolver would be unable to have its own trust anchors. In a possible future where many DNS clients are attempting their own DNSSEC validation, all a malefactor would need is an isolated signed zone to avoid RPZ enforcement. Since I've already heard some evidence of spammers signing their emails with DKIM in order to try to avoid naive filters, a signed zone to avoid RPZ seems like a small step.

It seems as though that's a natural outcome of DNSSEC deployment - nobody is allowed to lie about the DNS, regardless of their good intentions. Is there a way around that, one that doesn't harm DNSSEC?

Comment by Paul Vixie (https://www.blogger.com/profile/04707262812951666139), 2011-11-02 10:25 -07:00:

Bill, great article! Two important reasons why RPZ could not be used to implement PROTECT-IP are: (1) RPZ stands aside whenever it sees a DNSSEC-aware client trying to access DNSSEC-signed data; and (2) the use of a filtering name server is voluntary -- any user who does not want the filtering will just pick a different name server. As to your question, voluntary filtering is never evil, whereas mandated filtering certainly can be evil.

More online at http://www.circleid.com/posts/20110723_alignment_of_interests_in_dns_blocking/