[dns-operations] Can you force your IPv4/v6 DNS server to return v4 responses only on recursive lookups

Vernon Schryver vjs at rhyolite.com
Wed Jan 16 03:14:44 UTC 2013


> From: "Patrick, Robert (CONTR)" <Robert.Patrick at hq.doe.gov>

> We need an option like this `break-dnssec` feature to use RPZ for
> stopping user access to DNSSEC-signed domains that are on a block list.

How should it differ from the "break-dnssec yes/no" modifier for the
response-policy{} statement mentioned in the ARM for BIND 9.9 and 9.8?

Look for "break-dnssec" in
http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.ch06.html
or
http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html

There is a single break-dnssec bit for each view.  It seems likely
that those who want to break DNSSEC with RPZ want to do it for the
entire view.  In addition, the precedence rules (and code) for
choosing which policy zone to apply are already too complicated without
a separate break-dnssec bit for each policy zone.


Vernon Schryver    vjs at rhyolite.com
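For readers who have not used it, the following named.conf fragment shows where the view-wide modifier discussed above sits in the BIND 9.8/9.9 response-policy syntax. It is an added illustration, not configuration from the original message or from ISC; the zone name `rpz.example` and the file path are placeholders, and the RPZ zone itself is assumed to be a locally maintained master zone.

```conf
// Added example, not from the original post. Zone name and path are placeholders.
view "internal" {
    recursion yes;
    dnssec-validation auto;

    // The policy zone holding the block list; triggers and actions live
    // in this zone's records (for example a CNAME to "." for NXDOMAIN).
    zone "rpz.example" {
        type master;
        file "/etc/bind/db.rpz.example";   // placeholder path
        allow-query { none; };             // never serve the RPZ zone itself
    };

    // break-dnssec is a modifier on the whole response-policy statement,
    // i.e. one setting for the view, not a per-zone option.
    // With "no" (the default) a DNSSEC-validated answer is left alone;
    // with "yes" the policy rewrite is applied even to signed answers,
    // which validating stub resolvers downstream will then reject as bogus.
    response-policy {
        zone "rpz.example";
    } recursive-only yes break-dnssec yes;
};
```

Because the modifier applies to every policy zone listed in the statement, a deployment that needs different behaviour for signed versus unsigned names would have to split the policy across separate views rather than per zone, which is the trade-off the message describes.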
