Hello, I will keep my feedback short and to the point. We have implemented RPZ across our resolvers and it has been a fantastic tool to stop botnet C&Cs and outbound DDoS attacks. I just wanted to say it has been an extremely valuable tool to us here at Rackspace and provide some positive feedback since this thread seems fairly negative.
Nolan Berry
Linux Systems Engineer
DNS Engineering
Rackspace Hosting

________________________________
From: DNSOP <dnsop-boun...@ietf.org> on behalf of Viktor Dukhovni <ietf-d...@dukhovni.org>
Sent: Wednesday, December 21, 2016 2:01 PM
To: dnsop
Subject: Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

On Wed, Dec 21, 2016 at 12:39:55PM -0500, Matthew Pounsett wrote:

> RPZ is not the ideal, but it works, and goes beyond being deployable -- it is
> deployed.

I am curious to understand how RPZ zone transfers are (intended to be) secured. It sounds like the reason for standardizing RPZ is to allow interoperable sharing of policies via replication of zone data, and so an appropriate security mechanism would seem to be desirable here to authenticate the transfer of data from the RPZ master zone. Is there a related specification for that?

As a (long-ago) emigre from the then Soviet Union, I am loath to see the IETF standardizing scalable censorship mechanisms, however well intentioned. Let's hope that skepticism of such "progress" can evolve without the personal experience of having lived under a totalitarian regime.

Once the infrastructure that RPZ makes possible is deployed at scale, it will surely become increasingly difficult to bypass. This proposal is a major step towards building the Great Firewall of <your CountryName>, and should I believe be resisted.

--
Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop