> From: "Patrick, Robert (CONTR)" <[email protected]>
> We need an option like this `break-dnssec` feature to use RPZ for
> stopping user access to DNSSEC-signed domains that are on a block list.
How should it differ from the "break-dnssec yes/no" modifier for the
response-policy{} statement mentioned in the ARM for BIND 9.9 and 9.8?
Look for "break-dnssec" in
http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.ch06.html
or
http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html
There is a single break-dnssec bit for each view. It seems likely
that those who want to break DNSSEC with RPZ want to do it for the
entire view. In addition, the precedence rules (and code) for
choosing which policy zone to apply are already too complicated without
a separate break-dnssec bit for each policy zone.
Vernon Schryver [email protected]
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
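The per-view behaviour described above, as an added named.conf fragment for BIND 9.9 (not taken from the thread or from ISC's documentation); the view name, client network, zone name and file path are placeholders:

```conf
// Added example (not from the thread): break-dnssec is a modifier of the
// whole response-policy{} statement in a view, not of one policy zone.
view "internal" {
    match-clients { 192.0.2.0/24; };   // placeholder client range
    recursion yes;

    // Validating resolver: answers for signed domains carry RRSIGs.
    dnssec-validation yes;

    // The RPZ zone is a local master zone holding block-list entries,
    // e.g. "blocked.example CNAME ." and "*.blocked.example CNAME .",
    // which rewrite those names to NXDOMAIN.  Placeholder zone and file.
    zone "rpz.example.net" {
        type master;
        file "rpz.example.net.db";
        allow-query { none; };   // policy data, not meant to be served directly
    };

    // break-dnssec is set once here and applies to every policy zone listed.
    // With "no" (the default) rewriting is skipped for queries that ask for
    // DNSSEC data (DO bit set), so a validating client can still resolve a
    // signed domain on the block list.  With "yes" the rewrite is applied
    // anyway, and a validating stub will treat the rewritten answer as bogus.
    response-policy {
        zone "rpz.example.net";
    } break-dnssec yes;
};
```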