Selective resolution in a corporate environment

Vernon Schryver vjs at rhyolite.com
Tue Feb 5 18:54:31 UTC 2013


> From: Shawn Bakhtiar <shashaness at hotmail.com>

(about RPZ)

> IMHO (and I am really nobody) THIS IS WRONG! BAD BAD BAD! You're giving
> companies the ability to selectively lie about DNS without the end user
> knowing it. Unfortunately (and I have the highest and greatest respect for
> Paul) but after reading this
> http://www.isc.org/community/blog/201007/taking-back-dns-0
> I can only think of one thing. China.

China doesn't need and doesn't use the BIND RPZ code to lie about DNS
records millions of times per day.  There are far better ways to do
the sorts of things that the Great Firewall does.

Ranting about evil RPZ is like demanding that ships off the Horn of
Africa be unarmed because trigger happy guards might blow up innocent
fishing vessels.  In the real ocean, the serious bad guys had big guns
and were using them very profitably until the good guys hired guards
and warships and made piracy less attractive.
https://www.nytimes.com/2012/08/29/world/africa/piracy-around-horn-of-africa-has-plunged-us-says.html

The easy defense against RPZ is DNSSEC.  If you care about DNS security,
then your DNS zones have good RRSIG RRs.  If your interests in security
go beyond ranting about the weapons choices of other people, then you
are running a current version of a DNS resolver that verifies DNS data
by default and says SERVFAIL instead of repeating lies.  You are also
doing whatever you can to get TLSA to replace the stupid security
theater that is commercial PKI.  You at least publish TLSA RRs with
the fingerprints of your commercial PKI certs.
https://tools.ietf.org/html/rfc6698
https://tools.ietf.org/html/draft-fanf-dane-smtp-04
https://tools.ietf.org/html/draft-hoffman-dane-smime-04


Speaking of BIND RPZ code, new versions that I hope are faster are
available with the RRL patches.  See the link on
http://www.redbarn.org/dns/ratelimits
There is also the RPZ mailing
list at https://lists.isc.org/mailman/listinfo/dnsrpz-interest


Vernon Schryver    vjs at rhyolite.com
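Added example for the "publish TLSA RRs with the fingerprints of your certs" advice above (not code from the post, BIND or ISC): it derives the RFC 6698 TLSA rdata (usage 3 DANE-EE, selector 1 SubjectPublicKeyInfo, matching type 1 SHA-256) from a certificate with openssl, and checks a cert against an already published rdata. The host name mail.example.test and the throwaway self-signed cert are constructed placeholders.

```shell
#!/bin/sh
# Build and check DANE TLSA records (RFC 6698) from an X.509 certificate.
# Usage 3 / selector 1 / matching type 1 is the common choice: the hash covers
# the public key only, so a renewed cert that keeps its key still matches.
set -e

# tlsa_rdata CERT.pem -> "3 1 1 <sha256 hex of the DER-encoded SPKI>"
tlsa_rdata() {
    spki_hash=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}')
    printf '3 1 1 %s\n' "$spki_hash"
}

# tlsa_record HOST PORT CERT.pem -> the RR as it would appear in the zone file
tlsa_record() {
    printf '_%s._tcp.%s. IN TLSA %s\n' "$2" "$1" "$(tlsa_rdata "$3")"
}

# tlsa_matches CERT.pem RDATA -> exit 0 when the cert matches the published rdata
tlsa_matches() {
    [ "$(tlsa_rdata "$1")" = "$2" ]
}

# new_test_cert OUT.pem CN -> constructed self-signed cert so this runs offline
new_test_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout /dev/null -out "$1" -days 1 -subj "/CN=$2" 2>/dev/null
}

# Demo: constructed placeholder host and port (SMTP, per draft-fanf-dane-smtp).
workdir=$(mktemp -d)
new_test_cert "$workdir/cert.pem" mail.example.test
tlsa_record mail.example.test 25 "$workdir/cert.pem"
```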
