On Wed, Dec 21, 2016 at 12:39:55PM -0500, Matthew Pounsett wrote:

> RPZ is not the ideal, but it works, and goes beyond being deployable–it is
> deployed.

I am curious to understand how RPZ zone transfers are (intended to be) secured. It sounds like the reason for standardizing RPZ is to allow interoperable sharing of policies via replication of zone data, and so an appropriate security mechanism would seem to be desirable here to authenticate the transfer of data from the RPZ master zone. Is there a related specification for that?

As a (long-ago) emigre from the then Soviet Union, I am loath to see the IETF standardizing scalable censorship mechanisms, however well intentioned. Let's hope that skepticism of such "progress" can evolve without the personal experience of having lived under a totalitarian regime.

Once the infrastructure that RPZ makes possible is deployed at scale, it will surely become increasingly difficult to bypass. This proposal is a major step towards building the Great Firewall of <your CountryName>, and should, I believe, be resisted.

--
Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop