> From: Shawn Bakhtiar <shashan...@hotmail.com> (about RPZ)
> IMHO (and I am really nobody) THIS IS WRONG! BAD BAD BAD! You're giving companies the ability to selectively lie about DNS without the end user knowing it. Unfortunately (and I have the highest and greatest respect for Paul) but after reading this http://www.isc.org/community/blog/201007/taking-back-dns-0 I can only think of one thing. China.

China doesn't need and doesn't use the BIND RPZ code to lie about DNS records millions of times per day. There are far better ways to do the sorts of things that the Great Firewall does.

Ranting about evil RPZ is like demanding that ships off the Horn of Africa be unarmed because trigger happy guards might blow up innocent fishing vessels. In the real ocean, the serious bad guys had big guns and were using them very profitably until the good guys hired guards and warships and made piracy less attractive.
https://www.nytimes.com/2012/08/29/world/africa/piracy-around-horn-of-africa-has-plunged-us-says.html

The easy defense against RPZ is DNSSEC. If you care about DNS security, then your DNS zones have good RRSIG RRs. If your interests in security go beyond ranting about the weapons choices of other people, then you are running a current version of a DNS resolver that verifies DNS data by default and says SERVFAIL instead of repeating lies. You are also doing whatever you can to get TLSA to replace the stupid security theater that is commercial PKI. You at least publish TLSA RRs with the fingerprints of your commercial PKI certs.
https://tools.ietf.org/html/rfc6698
https://tools.ietf.org/html/draft-fanf-dane-smtp-04
https://tools.ietf.org/html/draft-hoffman-dane-smime-04

Speaking of BIND RPZ code, new versions that I hope are faster are available with the RRL patches. See the link on http://www.redbarn.org/dns/ratelimits

There is also the RPZ mailing list at https://lists.isc.org/mailman/listinfo/dnsrpz-interest

Vernon Schryver v...@rhyolite.com
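The post recommends publishing TLSA RRs (RFC 6698) carrying fingerprints of your certificates so that DANE-aware clients can verify a server's certificate against DNSSEC-signed data instead of relying only on commercial PKI. The following is an added example, not code from Vernon's post or from BIND or ISC, showing how a TLSA record is built from a certificate (usage, selector, matching type, association data), how it is rendered in zone-file presentation format, and how a client-side check matches a presented certificate against a TLSA RRset. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders; in practice they come from the DER-encoded certificate served on the TLS connection, and the RRset must have been DNSSEC-validated before it is trusted.

```python
"""TLSA (DANE) record generation and matching per RFC 6698.

Added example; the CERT_DER and SPKI_DER values are constructed stand-ins
for a DER certificate and its SubjectPublicKeyInfo, not real certificates.
"""
import hashlib
import hmac
from dataclasses import dataclass

# RFC 6698 certificate usages handled by this example
USAGE_PKIX_EE = 1   # end-entity cert must ALSO pass normal PKIX validation
USAGE_DANE_EE = 3   # end-entity cert is trusted by the TLSA record alone
# Selectors: which part of the certificate is associated
SELECTOR_FULL_CERT = 0
SELECTOR_SPKI = 1
# Matching types: how the selected bytes are represented in the record
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2

# Constructed placeholder data (NOT a real certificate / key)
CERT_DER = b"constructed-placeholder-certificate-der-bytes"
SPKI_DER = b"constructed-placeholder-subjectpublickeyinfo-der-bytes"


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes  # certificate association data

    def presentation(self, owner: str) -> str:
        """Zone-file form, e.g. '_25._tcp.mail.example.com. IN TLSA 3 1 1 <hex>'."""
        return (f"{owner} IN TLSA {self.usage} {self.selector} "
                f"{self.matching_type} {self.data.hex()}")

    def rdata(self) -> bytes:
        """Wire-format RDATA: three one-octet fields followed by the data."""
        return bytes([self.usage, self.selector, self.matching_type]) + self.data


def tlsa_owner(host: str, port: int = 25, proto: str = "tcp") -> str:
    """Owner name for a service: _<port>._<proto>.<host>."""
    return f"_{port}._{proto}.{host}."


def _selected(selector: int, cert_der: bytes, spki_der: bytes) -> bytes:
    if selector == SELECTOR_FULL_CERT:
        return cert_der
    if selector == SELECTOR_SPKI:
        return spki_der
    raise ValueError(f"unsupported selector {selector}")


def _associate(matching_type: int, payload: bytes) -> bytes:
    if matching_type == MATCH_EXACT:
        return payload
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(payload).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(payload).digest()
    raise ValueError(f"unsupported matching type {matching_type}")


def make_tlsa(cert_der: bytes, spki_der: bytes, usage: int = USAGE_DANE_EE,
              selector: int = SELECTOR_SPKI,
              matching_type: int = MATCH_SHA256) -> TLSA:
    """Build the record an operator would publish for a server certificate."""
    payload = _selected(selector, cert_der, spki_der)
    return TLSA(usage, selector, matching_type, _associate(matching_type, payload))


def parse_tlsa(rdata: bytes) -> TLSA:
    """Decode wire-format RDATA back into a TLSA record."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return TLSA(rdata[0], rdata[1], rdata[2], rdata[3:])


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented end-entity certificate matches this record."""
    try:
        expected = _associate(record.matching_type,
                              _selected(record.selector, cert_der, spki_der))
    except ValueError:
        return False  # unknown selector/matching type: record is unusable
    return hmac.compare_digest(expected, record.data)


def dane_verify(rrset: list, cert_der: bytes, spki_der: bytes,
                pkix_ok: bool = False) -> bool:
    """Client-side check over a DNSSEC-validated TLSA RRset.

    Usage 3 (DANE-EE) matches on the record alone; usage 1 (PKIX-EE) also
    requires that PKIX validation succeeded (pkix_ok). Usages 0 and 2 refer
    to trust anchors in the chain and are not handled by this example.
    """
    for rr in rrset:
        if rr.usage == USAGE_DANE_EE and tlsa_matches(rr, cert_der, spki_der):
            return True
        if rr.usage == USAGE_PKIX_EE and pkix_ok and tlsa_matches(rr, cert_der, spki_der):
            return True
    return False


if __name__ == "__main__":
    rr = make_tlsa(CERT_DER, SPKI_DER)
    print(rr.presentation(tlsa_owner("mail.example.com")))
    print("match:", dane_verify([rr], CERT_DER, SPKI_DER))
```

With selector 1 (SPKI) the record pins the public key rather than the whole certificate, so renewing a certificate with the same key pair leaves the published TLSA record valid; selector 0 would require a DNS change on every renewal. Either way the record is only as trustworthy as the DNSSEC validation of the answer that carried it, which is the point of the post: a validating resolver that returns SERVFAIL on bad signatures is the precondition for DANE meaning anything.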