> Hugo Maxwell Connery <mailto:h...@env.dtu.dk>
> Sunday, January 25, 2015 5:32 AM
> Hi,
>
> Below I show a trivial amount of work for compliance with
> draft-grothoff-iesg-special-use-p2p-names by caching
> recursive resolvers which have implemented Response
> Policy Zones (i.e. BIND and numerous others).

sadly, i remain unaware of any non-BIND implementation of RPZ. if there are any, please tell us, so that we can update the <https://dnsrpz.info/> web site.

> ...
> I have been working with Response Policy Zones for several
> years now, and consider it an essential part of our network
> defence, preventing access to purely nasty domains, and
> serving as an anti-phishing defence.
>
> Here it is efficiently serving an entirely different purpose.

we also used RPZ in the response to "DNS Changer" (see http://www.circleid.com/posts/20120327_dns_changer/), so, it's safe to say that RPZ is now a real tool -- because it's been used and/or abused in ways its designers never contemplated.

i have two questions. first, why would you want to pre-distribute a "master" zone file containing these DNS cutouts, rather than operating an AXFR server and inviting interested parties to "slave" the RPZ from you in case the set of cutouts is changed some time in the future (adds, deletes, renames?)

second:

> ;
> ; Pseudo-TLDs as per draft-grothoff-iesg-special-use-p2p-names
> ;
> ; Torproject
> onion IN CNAME .
> *.onion IN CNAME .
> exit IN CNAME .
> *.exit IN CNAME .
> ; GNUnet
> gnu IN CNAME .
> *.gnu IN CNAME .
> zkey IN CNAME .
> *.zkey IN CNAME .
> ; Namecoin
> bit IN CNAME .
> *.bit IN CNAME .
> ; I2P
> i2p IN CNAME .
> *.i2p IN CNAME .

it appears here that your concern is to resolve any future collision between an ICANN gTLD and a "p2p" gTLD, in favour of the "p2p" gTLD, and that you'd like to enforce this by having those queries never arrive at any IANA root name server in the first place. (because, today, those queries would all be answered with NXDOMAIN).

my question is: why do this, rather than passing a law ("adopting an RFC") that reserves these names within the IANA system, such that the NXDOMAIN source can reliably be the IANA root name servers?

thanks again for your kind words about RPZ.

-- Paul Vixie
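The policy records quoted in the message, run through a small QNAME-trigger matcher, as an added example that is not part of the thread and is not BIND's code. It assumes the standard RPZ convention that `CNAME .` is the NXDOMAIN action; the names `parse_rpz` and `lookup` are hypothetical, and it shows why each pseudo-TLD needs both the apex record and the wildcard.

```python
# Added example: simplified RPZ QNAME-trigger matching (illustrative only).
NXDOMAIN = "NXDOMAIN"

# Records copied from the quoted zone; owners are relative to the RPZ origin.
ZONE_TEXT = """
; Torproject
onion    IN CNAME .
*.onion  IN CNAME .
exit     IN CNAME .
*.exit   IN CNAME .
; GNUnet
gnu      IN CNAME .
*.gnu    IN CNAME .
zkey     IN CNAME .
*.zkey   IN CNAME .
; Namecoin
bit      IN CNAME .
*.bit    IN CNAME .
; I2P
i2p      IN CNAME .
*.i2p    IN CNAME .
"""

def parse_rpz(text):
    """Return {owner: action} for every 'CNAME .' record, skipping comments."""
    policy = {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if len(fields) < 3:
            continue
        owner, rtype, target = fields[0].lower(), fields[-2].upper(), fields[-1]
        if rtype == "CNAME" and target == ".":
            policy[owner] = NXDOMAIN  # 'CNAME .' is the RPZ NXDOMAIN action
    return policy

def lookup(policy, qname):
    """Exact owner match first, then the closest enclosing wildcard."""
    labels = qname.lower().rstrip(".").split(".")
    if ".".join(labels) in policy:
        return policy[".".join(labels)]
    # A wildcard covers names below its parent, never the parent itself.
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in policy:
            return policy[wildcard]
    return None  # no trigger: the resolver recurses as usual

POLICY = parse_rpz(ZONE_TEXT)
```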