On Fri, Dec 16, 2016 at 01:53:52PM -0800, internet-dra...@ietf.org wrote:
> Abstract:
>    This document describes a method for expressing DNS response policy
>    inside a specially constructed DNS zone, and for recursive name
>    servers to use such policy to return modified results to DNS clients.
>    The modified DNS results can stop access to selected HTTP servers,
>    redirect users to "walled gardens", block objectionable email, and
>    otherwise defend against attack.  These "DNS Firewalls" are widely
>    used in fighting Internet crime and abuse.

This doesn't magically make it possible for this DNS firewall to forge
DNSSEC-signed data, so if a validating end-system is going to have its
behavior modified, it would need to opt in.  (Whatever that means if
it's legally required to participate.)

But it looks like the contents of this zone are intended to be kept
secret from end-users.  The option to use other recursive resolvers
provided in 12.1 ignores that access to them could be blocked.

I could imagine a world in which the response to this draft is to
accelerate DNSSEC deployment [maybe optimistic]. That would highlight
where this is being used, since only affected domains would have their
lookups broken.  The natural counter to that would be to deliberately
break DNSSEC everywhere to blind end-users to where they're being lied
to.

So this, if implemented, is ultimately a DNSSEC-killer.

-- 
Scott Schmit
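To make the argument in the message concrete, here is an added toy model (not code from the post, the draft, or any RPZ implementation). It uses HMAC-SHA256 with a per-zone key as a stand-in for DNSSEC signatures; the zone names, addresses, policy entries and key are all constructed. It shows three things: a resolver applying response policy cannot produce a valid signature for the rewritten data, so a validating client sees a bogus answer only for the policy-affected names in signed zones (which is what would "highlight where this is being used"); an unsigned zone gives the client no way to notice the rewrite; and a resolver that drops every signature makes all signed names fail alike, removing the signal that distinguishes policy-affected names.

```python
import hashlib
import hmac

# Toy stand-in for DNSSEC (constructed for this example): each signed zone has a
# key and "signs" RRsets with HMAC-SHA256. Real DNSSEC uses public-key
# signatures anchored in a chain of trust; what matters here is only that a
# resolver which does not hold the zone's signing key cannot produce a valid
# signature for data it has rewritten.
ZONE_KEYS = {"signed.example": b"constructed-key-for-signed.example"}

# Constructed authoritative data: one signed zone, one unsigned zone.
AUTHORITATIVE = {
    "www.signed.example":   {"zone": "signed.example",   "rdata": "192.0.2.10"},
    "mail.signed.example":  {"zone": "signed.example",   "rdata": "192.0.2.11"},
    "www.unsigned.example": {"zone": "unsigned.example", "rdata": "192.0.2.20"},
}

# Constructed response policy: names the resolver operator rewrites to a
# walled-garden address (the draft's "DNS Firewall" use case).
RPZ_POLICY = {
    "www.signed.example": "192.0.2.99",
    "www.unsigned.example": "192.0.2.99",
}


def sign_rrset(zone, name, rdata):
    """Toy signature over (name, rdata) with the zone's key."""
    msg = f"{name}|{rdata}".encode()
    return hmac.new(ZONE_KEYS[zone], msg, hashlib.sha256).hexdigest()


def authoritative_answer(name):
    """What the authoritative server would hand back, with RRSIG if signed."""
    rec = AUTHORITATIVE[name]
    sig = sign_rrset(rec["zone"], name, rec["rdata"]) if rec["zone"] in ZONE_KEYS else None
    return {"name": name, "zone": rec["zone"], "rdata": rec["rdata"], "rrsig": sig}


def recursive_resolve(name, apply_rpz=True, strip_all_signatures=False):
    """Toy recursive resolver. With RPZ it substitutes the policy answer, but it
    cannot forge a signature for the substituted data, so the RRSIG is dropped.
    strip_all_signatures models the 'break DNSSEC everywhere' counter-move
    the message anticipates."""
    answer = authoritative_answer(name)
    if apply_rpz and name in RPZ_POLICY:
        answer["rdata"] = RPZ_POLICY[name]
        answer["rrsig"] = None
    if strip_all_signatures:
        answer["rrsig"] = None
    return answer


def validate(answer):
    """Toy validating stub, returning (status, rdata) the way a DNSSEC
    validator classifies answers:
      'insecure' -> unsigned zone, answer accepted but unverifiable
      'secure'   -> signature checks out
      'bogus'    -> signed zone but signature missing or wrong; the
                    application would get SERVFAIL, i.e. a visibly broken lookup
    """
    zone = answer["zone"]
    if zone not in ZONE_KEYS:
        return ("insecure", answer["rdata"])
    expected = sign_rrset(zone, answer["name"], answer["rdata"])
    if answer["rrsig"] is None or not hmac.compare_digest(expected, answer["rrsig"]):
        return ("bogus", None)
    return ("secure", answer["rdata"])


def survey(validating=True, **resolver_opts):
    """Resolve every name through the toy resolver and report what the client
    ends up with; a non-validating client simply trusts whatever it is told."""
    out = {}
    for name in AUTHORITATIVE:
        answer = recursive_resolve(name, **resolver_opts)
        out[name] = validate(answer) if validating else ("unvalidated", answer["rdata"])
    return out


if __name__ == "__main__":
    scenarios = [
        ("no RPZ", {"apply_rpz": False}),
        ("RPZ applied", {}),
        ("RPZ applied, all RRSIGs stripped", {"strip_all_signatures": True}),
    ]
    for label, opts in scenarios:
        print(label)
        for name, (status, rdata) in survey(**opts).items():
            print(f"  {name:22} {status:11} {rdata}")
```

With RPZ applied, only `www.signed.example` comes back bogus while `mail.signed.example` still validates, so a validating client can tell exactly which names are subject to policy; once the resolver strips every signature, both signed names fail and that distinction disappears, which is the outcome the message calls a DNSSEC-killer.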


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
