Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

Vernon Schryver <vjs@rhyolite.com> Wed, 21 December 2016 19:14 UTC

Date: Wed, 21 Dec 2016 19:13:50 GMT
From: Vernon Schryver <vjs@rhyolite.com>
Message-Id: <201612211913.uBLJDoYp019757@calcite.rhyolite.com>
To: dnsop@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/N1bhirx2k_yGDUai_PJJK6DD-Co>
Subject: Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

I wrote:

> https://tools.ietf.org/html/draft-vixie-dns-rpz-04

>   If a policy rule matches and results in a modified answer, then that
>   modified answer will include in its additional section the SOA RR of

> It's not signed, but perhaps it could be with look-aside trust anchors,
> although an ever growing forest of DLVs doesn't sound good to me.

On second thought, maybe a future version of RPZ could say that
those SOAs "MAY" be accompanied by RRSIGs signing them as if they
had owner names equal to their MNAME domain names, and so using the
signature chain for those domain names.  One might hope that the
resolver applying the RPZ rule would receive a suitable RRSIG with
the rest of the policy zone.

But only in a future version of RPZ, and only a "MAY" or a "SHOULD",
and quite possibly not at all.


Vernon Schryver    vjs@rhyolite.com
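To make the sketched mechanism concrete, here is an added example (not from the thread or from any RPZ implementation) that builds the RFC 4034 section 3.1.8.1 data an RRSIG would cover for a policy-zone SOA when the record is treated as if its owner name were its MNAME. The SOA, timers, key tag, algorithm and the assumption that the signer is the zone containing MNAME are all constructed for illustration.

```python
import struct

TYPE_SOA, CLASS_IN = 6, 1

def wire_name(name):
    """Uncompressed wire form of a name in DNSSEC canonical form (RFC 4034
    s6.2): fully qualified, lowercase. Escaped dots in labels are not handled."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def label_count(name):
    """Label count for the RRSIG Labels field (no wildcard handling)."""
    return len([l for l in name.rstrip(".").split(".") if l])

def soa_rdata(mname, rname, serial, refresh, retry, expire, minimum):
    """SOA RDATA; SOA is in the s6.2 list, so both names are canonicalized."""
    return (wire_name(mname) + wire_name(rname)
            + struct.pack("!IIIII", serial, refresh, retry, expire, minimum))

def rrsig_signing_input(soa, ttl, inception, expiration, key_tag,
                        signer_name, algorithm=13):
    """Return (rrsig_rdata_prefix, signed_data) per RFC 4034 s3.1.8.1 for a
    policy-zone SOA treated as if its owner name were its MNAME. The
    signature itself (omitted here) would be computed over signed_data with
    the key of signer_name; a verifier rebuilds these same bytes."""
    mname = soa["mname"]
    owner = wire_name(mname)            # the proposal: owner name := MNAME
    rdata = soa_rdata(**soa)
    # RRSIG RDATA without the Signature field: Type Covered, Algorithm,
    # Labels, Original TTL, Expiration, Inception, Key Tag, Signer's Name.
    prefix = struct.pack("!HBBIIIH", TYPE_SOA, algorithm, label_count(mname),
                         ttl, expiration, inception, key_tag)
    prefix += wire_name(signer_name)
    # Canonical RR: owner | type | class | OrigTTL | RDLENGTH | RDATA.
    rr = owner + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, ttl, len(rdata)) + rdata
    return prefix, prefix + rr

# Constructed sample policy-zone SOA (not real data).
POLICY_SOA = dict(mname="rpz.example.net.", rname="hostmaster.example.net.",
                  serial=2016122101, refresh=3600, retry=600,
                  expire=604800, minimum=60)

def example():
    """Signing input for the sample SOA; signer assumed to be MNAME's zone."""
    return rrsig_signing_input(POLICY_SOA, ttl=300, inception=1482300000,
                               expiration=1483500000, key_tag=12345,
                               signer_name="example.net.")

if __name__ == "__main__":
    prefix, data = example()
    print(len(prefix), len(data), data[len(prefix):len(prefix) + 17].hex())
```

A resolver checking such an RRSIG would rebuild exactly these bytes from the SOA it received in the additional section and validate the signature against the DNSKEY chain for the MNAME's zone, which is the "signature chain for those domain names" the message refers to.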