Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

Vernon Schryver <> Wed, 21 December 2016 19:14 UTC


I wrote:

>   If a policy rule matches and results in a modified answer, then that
>   modified answer will include in its additional section the SOA RR of

> It's not signed, but perhaps it could be with look-aside trust anchors,
> although an ever growing forest of DLVs doesn't sound good to me.

On second thought, maybe a future version of RPZ could say that
those SOAs "MAY" be accompanied by RRSIGs signing them as if they
had owner names equal to their MNAME domain names, and so using the
signature chain for those domain names.  One might hope that the
resolver applying the RPZ rule would receive a suitable RRSIG with
the rest of the policy zone.

But only in a future version of RPZ, and only a "MAY" or a "SHOULD",
and quite possibly not at all.

Vernon Schryver