Selective resolution in a corporate environment

Evan Hunt each at isc.org
Tue Feb 5 19:07:11 UTC 2013


> IMHO (and I am really nobody) THIS IS WRONG! BAD BAD BAD! You're giving companies the ability to selectively lie about DNS without the end user knowing it

Unless DNSSEC is in use, in which case the end user can figure it out,
so RPZ doesn't bother lying.

(I've wished before that there were some EDNS(0) options that could
indicate "this answer has been changed due to local resolver policy" in a
response, or "seriously: do not lie to me" in a request, but it's hard to
see how there'd be any enforcement or verification mechanism for these,
whereas DNSSEC already has all the crypto needed to get the job done.)

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
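As an added illustration (not part of the original post), a BIND named.conf fragment that enables RPZ on a validating resolver while leaving `break-dnssec` at its default of `no`, which is the behaviour the reply describes: policy rewrites are not applied to DNSSEC-requesting queries whose answers are signed. The zone name and file name are assumed placeholders.

```conf
// Added example, not from the original post: named.conf fragment
// enabling an RPZ zone on a validating resolver. "rpz.example" and
// "rpz.example.db" are assumed placeholder names.
options {
    recursion yes;
    dnssec-validation auto;

    // With break-dnssec left at its default (no), named does not apply
    // the policy to queries that request DNSSEC data (DO=1) when the
    // original answer is signed, so a validating client is not handed
    // a rewritten answer it could detect as forged. Setting it to yes
    // would rewrite anyway and break validation for those clients.
    response-policy {
        zone "rpz.example";
    } break-dnssec no;
};

// The policy zone itself: a local master zone holding the rewrite
// rules (for example, "bad.example CNAME ." to return NXDOMAIN for
// that name). Restrict direct queries so ordinary clients cannot
// read the policy data.
zone "rpz.example" {
    type master;
    file "rpz.example.db";
    allow-query { localhost; };
};
```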