break-dnssec is about if the client could detect the re-write or not using
DNSSEC. If the client has DO=1 in the request and the normal response is
signed then rewrites can be detected. If break-dnssec is ’no’ the rewrite will
be prevented. If break-dnssec is ‘yes’ then the rewrite will occur.
the world <-> recursive server rpz w/ break-dnssec no <-> recursive server rpz
w/ break-dnssec no or yes;
| |
non dnssec client non dnssec
client
You don’t want the second recursive server to spend all its time re-asking
queries that will fail validation
> On 29 Apr 2022, at 11:24, J Doe <[email protected]> wrote:
>
> Hi,
>
> I am configuring an RPZ for a validating resolver. I read in the BIND 9.18.2
> ARM that there is a boolean option for RPZ zones called: break-dnssec.
>
> The ARM states:
>
> ...In that case, RPZ actions are applied regardless of DNSSEC.
> The name of the clause option reflects the fact that results
> rewritten by RPZ actions cannot verify.
>
> In my particular scenario, I want to use RPZ to give NXDOMAIN results for
> certain domain names that I don't want accessible. So for normal queries
> without DNSSEC validation requested and for queries with DNSSEC validation
> requested for a domain name I am _not_ blocking, I want the lookups to work
> (ie: don't validate when validation not requested, validate when validation
> requested).
>
> When a client attempts to lookup a domain name that _is_ blocked by RPZ, I
> want the domain name blocked ... whether or not they requested DNSSEC
> validation.
>
> Am I correct that: break-dnssec yes comes into play only if a client attempts
> to resolve a DNSSEC secured domain name I _am_ blocking in RPZ ?
>
> So for instance...
>
> 1. Client requests no validation for example.com which is not in RPZ and gets
> normal result.
>
> 2. Client requests validation for example.com which is not in RPZ and gets
> validated result.
>
> 3. Client requests no validation for evil.com which is in RPZ and gets
> NXDOMAIN result.
>
> 4. Client requests validation for evil.com which is in RPZ and gets NXDOMAIN
> result with broken DNSSEC validation due to rewrite.
>
> This would mean that: break-dnssec yes:
>
> ...only breaks DNSSEC validation for evil.com because it is re-written
> ...does NOT break DNSSEC validation for sites _NOT_ in RPZ that use DNSSEC
> (ie: ietf.org).
>
> Is that correct ?
>
> Thanks,
>
> - J
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> [email protected]
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
