nanog mailing list archives
RE: DNSSEC and ISPs faking DNS responses
From: Tony Finch <dot () dotat at>
Date: Mon, 16 Nov 2015 11:14:42 +0000
eric-list () truenet com <eric-list () truenet com> wrote:
> Actually, how are other places implementing these lists? I would have thought to use RPZ, but as far as I know if the blocked DNS domain is using DNSSEC it wouldn't work.
You can configure RPZ with the "break-dnssec" option, which means validating clients will fail to resolve the blocked domains.

DNSSEC only protects you from getting bad answers. If someone wants you to get no answers at all then DNSSEC cannot help.

Tony.
-- 
f.anthony.n.finch <dot () dotat at> http://dotat.at/
Tyne, Dogger, Fisher: Southwest 6 to gale 8, occasionally severe gale 9 at first. Rough or very rough, becoming mainly moderate in Tyne. Rain or showers. Good, occasionally poor.
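A minimal BIND configuration for the RPZ setup Tony describes, added here as an illustration rather than taken from the thread. The policy zone name `rpz.local`, the zone file path and the blocked name `blocked.example` are placeholders; the named.conf fragment and the policy zone file are shown one after the other in a single block.

```conf
# named.conf fragment (added example, not from the thread).
# "rpz.local" and the file path are placeholders.
options {
    recursion yes;
    dnssec-validation auto;
    # Apply the policy zone. "break-dnssec yes" tells BIND to rewrite the
    # answer even when the original zone is signed and the client set DO.
    # The rewritten answer carries no valid RRSIGs, so a validating client
    # behind this resolver gets SERVFAIL instead of a believable fake answer.
    response-policy { zone "rpz.local"; } break-dnssec yes;
};

zone "rpz.local" {
    type master;
    file "/etc/bind/db.rpz.local";   # placeholder path
    allow-query { none; };           # policy zone is consulted internally only
};

; /etc/bind/db.rpz.local (placeholder file). Trigger names are relative to
; the policy zone origin; "blocked.example" is a constructed sample name.
$TTL 300
@                  IN SOA   localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
@                  IN NS    localhost.
blocked.example    IN CNAME .   ; RPZ action NXDOMAIN for blocked.example
*.blocked.example  IN CNAME .   ; ... and for every name under it
```

With this loaded, a non-validating client querying the resolver for `blocked.example` receives NXDOMAIN; a client that validates for itself receives an answer it cannot verify and treats it as bogus (SERVFAIL). Either way the name does not resolve, which is the "no answers at all" outcome Tony points out DNSSEC cannot prevent. Without `break-dnssec yes`, BIND by default leaves DNSSEC-requested answers from signed zones untouched, which is the behaviour eric-list expected.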