Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

Vernon Schryver, Wed, 21 December 2016 18:29 UTC


> From: Ted Lemon <>

> It would be _nice_ if the browser, for example, could get some
> kind of positive, signed assertion that some authority has claimed
> that the domain in question is malicious (or whatever). 

As I wrote on Monday, the final paragraph of section 6 on page 18 of

  If a policy rule matches and results in a modified answer, then that
  modified answer will include in its additional section the SOA RR of
  the policy zone whose rule was used to generate the modified answer.
  This SOA RR includes the name of the DNS RPZ and the serial number of
  the policy data which was connected to the DNS control plane when the
  answer was modified.

It's not signed, but perhaps it could be with look-aside trust anchors,
although an ever growing forest of DLVs doesn't sound good to me.

Browsers and other interested applications would have to do more than
gethostbyname() or a modern equivalent to see those SOAs.  But if
browsers ever do any DANE, they'll need to do more than gethostbyname().

(perhaps that "will include" should be "MUST include")

Vernon Schryver
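As an added illustration of the SOA mechanism the quoted paragraph describes (example code, not from the draft or from anyone in this thread): a small Python parser that does the "more than gethostbyname()" work and pulls the policy-zone SOA out of the additional section of a raw DNS response, so an application can tell that a resolver rewrote the answer under a policy rule and which zone and serial did it. The DNS message, the zone name rpz.example, the answer address and the serial are all constructed for the example.

```python
import struct

def read_name(msg, off):
    """Decode a DNS name at msg[off], following compression pointers; return (name, end offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                         # two-byte compression pointer
            if not jumped:
                end = off + 2                             # name ends after the pointer
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if jumped else off

def rpz_policy_soa(msg):
    """Return (policy zone, MNAME, serial) from an SOA RR in the additional section, else None.
    An SOA in the authority section is ordinary negative-answer data, so it is not counted."""
    qdcount, ancount, nscount, arcount = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4                                          # QTYPE + QCLASS
    for section, count in (("an", ancount), ("ns", nscount), ("ar", arcount)):
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata, off = off + 10, off + 10 + rdlen
            if section == "ar" and rtype == 6:            # 6 = SOA
                mname, p = read_name(msg, rdata)
                _, p = read_name(msg, p)                  # skip RNAME
                return owner, mname, struct.unpack("!I", msg[p:p + 4])[0]
    return None

def build_sample_response():
    """Constructed reply, not captured traffic: bad.example answered from a policy rule,
    with the (made-up) rpz.example SOA, serial 2016122101, in the additional section."""
    def name(s):
        return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 1)      # QR|RD|RA; QD=1 AN=1 NS=0 AR=1
    question = name("bad.example") + struct.pack("!HH", 1, 1)      # A, IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 5, 4) + bytes([192, 0, 2, 1])
    soa_rdata = (name("ns.rpz.example") + name("hostmaster.rpz.example")
                 + struct.pack("!5I", 2016122101, 3600, 900, 604800, 60))
    soa_rr = name("rpz.example") + struct.pack("!HHIH", 6, 1, 300, len(soa_rdata)) + soa_rdata
    return header + question + answer + soa_rr
```

Calling `rpz_policy_soa(build_sample_response())` yields the policy zone, its MNAME and the serial; a response whose ARCOUNT is zero yields None.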