Hi,

I am configuring an RPZ for a validating resolver. I read in the BIND 9.18.2 ARM that there is a boolean option for RPZ zones called: break-dnssec.

The ARM states:

    ...In that case, RPZ actions are applied regardless of DNSSEC.
    The name of the clause option reflects the fact that results
    rewritten by RPZ actions cannot verify.

In my particular scenario, I want to use RPZ to give NXDOMAIN results for certain domain names that I don't want accessible. So for normal queries without DNSSEC validation requested and for queries with DNSSEC validation requested for a domain name I am _not_ blocking, I want the lookups to work (i.e. don't validate when validation is not requested, validate when validation is requested).

When a client attempts to look up a domain name that _is_ blocked by RPZ, I want the domain name blocked ... whether or not they requested DNSSEC validation.

Am I correct that break-dnssec yes comes into play only if a client attempts to resolve a DNSSEC-secured domain name I _am_ blocking in RPZ?

So for instance...

1. Client requests no validation for example.com which is not in RPZ and gets normal result.

2. Client requests validation for example.com which is not in RPZ and gets validated result.

3. Client requests no validation for evil.com which is in RPZ and gets NXDOMAIN result.

4. Client requests validation for evil.com which is in RPZ and gets NXDOMAIN result with broken DNSSEC validation due to rewrite.

This would mean that break-dnssec yes:

...only breaks DNSSEC validation for evil.com because it is rewritten
...does NOT break DNSSEC validation for sites _NOT_ in RPZ that use DNSSEC (i.e. ietf.org).

Is that correct?

Thanks,

- J
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list
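For reference, here is a minimal named.conf fragment and RPZ zone file that set up the scenario J describes (a validating resolver whose RPZ returns NXDOMAIN for evil.com, with break-dnssec yes so the rewrite is applied even when the client sets the DO bit). This is an added example, not configuration from J's message or from the ARM; the zone name rpz.local, the file path, and the use of evil.com as the blocked name are assumptions chosen for illustration.

```conf
# /etc/bind/named.conf (fragment) -- added example, not from the original post.
# Assumptions: RPZ zone named "rpz.local", zone data in /etc/bind/rpz.local.db.
options {
    # The resolver validates DNSSEC for everything it resolves.
    dnssec-validation auto;

    # Consult the RPZ zone for every response. "break-dnssec yes" is a
    # modifier of the whole response-policy clause, so it goes after the
    # closing brace of the zone list. Per the ARM text quoted in the post,
    # RPZ actions are then applied regardless of DNSSEC; names that are not
    # matched by any RPZ trigger are untouched and still validate normally.
    response-policy {
        zone "rpz.local";
    } break-dnssec yes;
};

# The policy zone itself. It is loaded locally and never needs to be
# queried by clients, so restrict allow-query.
zone "rpz.local" {
    type primary;
    file "/etc/bind/rpz.local.db";
    allow-query { localhost; };
};

# /etc/bind/rpz.local.db -- the RPZ zone data (assumed file name).
# $TTL 60
# @           IN SOA  localhost. root.localhost. ( 1 3600 900 604800 60 )
#             IN NS   localhost.
# ; QNAME triggers: "CNAME ." is the RPZ action meaning "answer NXDOMAIN".
# ; The wildcard entry covers every name beneath evil.com as well.
# evil.com    IN CNAME .
# *.evil.com  IN CNAME .
```

The zone data is shown as comments so the whole example fits one block; copy the lines after "# " into the zone file. Without break-dnssec yes, the four cases J lists would not all behave the same: the ARM states that only with break-dnssec yes are RPZ actions applied regardless of DNSSEC, so a lookup of a blocked, signed name with the DO bit set is the case this option exists for. A simple way to observe case 4 is `dig +dnssec evil.com @your-resolver` and compare it with the same query for a signed name that is not in the policy zone, which should still return a validated (AD-flagged) answer.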