Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

2017-01-03 Thread Tony Finch
joel jaeggli wrote:
> On 12/29/16 1:51 PM, william manning wrote:

> > if this work does proceed, i'd like to insist that it carry a
> > disclaimer that it is designed specifically for closed networks and is
> > not to be used in the Internet.
>
> this sounds like an applicability statement to be included in the
> introduction.

I don't understand what "not to be used in the Internet" means for RPZ.

Part of the point of standardizing it is interoperability between multiple
RPZ resolver implementations and multiple RPZ data providers. The
resolver operator gets the RPZ data via IXFR across the Internet. Is this
bad?

Or maybe "not to be used in the Internet" is something to do with who uses
resolvers with RPZ blocks. Open resolvers are horrible abuse magnets and
should not be available for use by the whole Internet unless their
operators have impressive anti-DDoS skills. But that isn't an RPZ-specific
problem.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
Southwest Shannon: Southeasterly 5 to 7. Moderate or rough. Fair. Good.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

2017-01-03 Thread william manning
ok.   here is a draft applicability statement.

This draft documents a process and method for intercepting DNS queries
and fabricating responses to redirect the querier into a walled garden or
enclave that is NOT part of the open Internet. Adoption and acceptance of
this draft is an acknowledgement that the IETF, the IAB and ISOC reject the
principles espoused at https://open-stand.org/about-us/principles/, in
particular article 3.  Collective Empowerment insofar as the evolution of
the DNS is concerned.

/Wm


On Thu, Dec 29, 2016 at 6:30 PM, joel jaeggli wrote:

> On 12/29/16 1:51 PM, william manning wrote:
> > "let's standardize this 'cause everyone does it"  sounds like the medical
> > community should have standardized on whiskey & leeches & coat hangers
> > because that's what everyone did.  if this work does proceed, i'd like to
> > insist that it carry a disclaimer that it is designed specifically for
> > closed networks and is not to be used in the Internet.
>
> this sounds like an applicability statement to be included in the
> introduction.
>
> > Indeed, the draft is very clear this is for enclaves and not for open
> > Internet use.
> >
> >
> > /Wm
> >
> > On Thu, Dec 29, 2016 at 10:15 AM, Vernon Schryver wrote:
> >
> > > From: Richard Clayton
> >
> > > Everyone involved understands that there isn't at present a turnkey
> > > application that the other 5% (and indeed all the in-house corporate
> > > systems) could deploy
> >
> > I do not understand that.
> > If the command `nslookup -q=txt -class=CHAOS version.bind` to a UNIX
> > shell or Windows command prompt on your desktop says anything about
> > BIND, then chances are good that you are already using one of the
> > turnkey applications that in-house corporate systems and others have
> > already deployed and could configure.  Even if there is no sign of
> > BIND9 from that `nslookup` command, the odds are good that the recursive
> > server you use has an RPZ taint or will have within months.
> >
> >
> > > So although deploying RPZ does a reasonable job of papering over the
> > > cracks in our response to cybercrime I think that on balance it's too
> > > dangerous a tool for the IETF to wish to bless in any way -- it's poor
> > > social hygiene to standardise these types of tools.
> >
> > While I understand how a reasonable person can hold that position,
> > I think the papered cracks are not only less bad, but the best that
> > can be hoped for in the real world.
> >
> >
> > > I also note from reading the draft that this blessing will freeze in
> > > some rather ugly design (with the authors arguing that the installed
> > > base cannot adjust to something cleaner).
> >
> > That is not the intended meaning of the draft.  Instead it tried to
> > acknowledge the extreme difficulty of changing an installed base.
> > Words that convey that intended meaning would be appreciated.
> >
> >
> > Vernon Schryver v...@rhyolite.com
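As an added example (not code from the draft or from anyone on this thread), here is the wire-format equivalent of the `nslookup -q=txt -class=CHAOS version.bind` check Vernon Schryver mentions, so an operator can see what their own recursive server answers before assuming it is BIND with RPZ support. The function names, `query_resolver`, and the sample reply bytes (including the version string) are my own constructions.

```python
import socket
import struct

TXT, CHAOS = 16, 3  # QTYPE TXT, QCLASS CHAOS (the -class=CHAOS in the nslookup call)

def build_version_bind_query(txid=0x1234):
    # 12-byte header: id, flags (RD=1), QDCOUNT=1, AN/NS/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"\x07version\x04bind\x00"  # length-prefixed labels, root terminator
    return header + qname + struct.pack("!HH", TXT, CHAOS)

def _skip_name(msg, off):
    # Advance past a domain name; a 0xC0 compression pointer ends it in 2 bytes.
    while msg[off] & 0xC0 != 0xC0:
        if msg[off] == 0:
            return off + 1
        off += 1 + msg[off]
    return off + 2

def parse_version_bind_reply(msg):
    # TXT strings of the first CH/TXT answer; None on non-zero RCODE (e.g. REFUSED,
    # what a resolver configured to hide its version returns) or when no answer.
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000 or flags & 0x000F:  # QR clear, or RCODE != NOERROR
        return None
    off = _skip_name(msg, 12) + 4             # past the single echoed question
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if (rtype, rclass) == (TXT, CHAOS):
            strings, i = [], 0
            while i < len(rdata):             # <len><bytes> character-strings
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode("latin-1"))
                i += 1 + n
            return strings
    return None

def query_resolver(server, timeout=2.0):  # live UDP check of one resolver
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_bind_query(), (server, 53))
        return parse_version_bind_reply(s.recv(512))

# Constructed reply (not captured from a real server): NOERROR, one CH/TXT answer.
SAMPLE_REPLY = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                b"\x07version\x04bind\x00\x00\x10\x00\x03"
                b"\xc0\x0c\x00\x10\x00\x03\x00\x00\x00\x00\x00\x0a\x099.11.2-P1")
```

`parse_version_bind_reply(SAMPLE_REPLY)` returns `['9.11.2-P1']`; `query_resolver("192.0.2.53")` (a documentation address, substitute your own resolver) performs the live check and returns `None` when the server refuses the CHAOS query.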


Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

2017-01-03 Thread Barry Raveendran Greene

> On Jan 1, 2017, at 6:00 AM, Ted Lemon wrote:
> 
> There is no _way_ to make it easier for said outside forces to pressure 
> providers.   They have the force of law on their side.   What we do makes no 
> difference in that arena.   The arena in which it _does_ make a difference is 
> protecting people from losing their homes because they got suckered by some 
> malware that got into their personal records on their computer.
> 
> IOW, the argument you are presenting has nothing to do with the choice that 
> faces us.   If you want to make the case for rpz being a bad thing, the 
> argument you should be making would have to show why protecting people in 
> this way is the wrong solution to the problem, and why some other solution to 
> the problem (e.g., a blacklist in the browser) is less bad.
> 
> Can’t we have that conversation, instead of these repeated assertions about 
> things over which we have no control?

+1




Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2017-01-03 Thread David Conrad
Andre,

On Dec 20, 2016, at 9:49 PM, ac wrote:
> I once made a very cool tool, it improved the life of many people as it
> allowed anyone to take over any pc running a certain operating system
> with the sole and great purpose of helping more users. It too was
> published, improved, altered and distributed widely
> 
> RPZ is like that.

No, it's not.

There is a rather striking difference between a tool I choose to deploy on my 
network that helps protects my users from external threats and a tool that 
allows an external entity to intrude on my users. If you do not understand 
this, there is a bigger problem to address.

> RPZ will be legitimized by this draft, it will be used and living human
> beings may actually die because of server software.

RPZ is legitimized by its use, not by the documentation describing that use.  
Proverbially sticking your head in the sand does not remove the carnivores that 
are eyeing the rest of your body.

> And, this is my final word on this, I apologize if anyone feels that I
> have wasted their time or offended them in any way. This was never my
> intention.

It would appear your intention is to school the ignorant masses in the errors 
of their ways. Personally, I'm always a bit nervous when someone decides they 
know what's best for me or the folks I might provide services for.

Regards,
-drc
(speaking only for myself)


