Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-18 Thread ac
On Mon, 19 Dec 2016 07:53:42 +0100 "Ralf Weber" wrote: > Moin! > Aloha > > DNS admins also have a fiduciary responsibility to their users. > > Other services also have implied fiduciary responsibility, like > > email, but DNS is a direct service - Your user is asking you, right > > now, for a

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-18 Thread Ralf Weber
Moin! On 19 Dec 2016, at 6:05, ac wrote: > On Sun, 18 Dec 2016 23:45:34 + > "Adrien de Croy" wrote: >>> If the admin's goal is to block access to malicious sites, then >>> they want to block the traffic, not falsify DNS. If the goal is >>> to warn users away from bad places, they can publis

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-18 Thread ac
On Sun, 18 Dec 2016 23:45:34 + "Adrien de Croy" wrote: > > If the admin's goal is to block access to malicious sites, then > > they want to block the traffic, not falsify DNS. If the goal is > > to warn users away from bad places, they can publish the list as a > > filter for end-system f

Re: [DNSOP] warning

2016-12-18 Thread ac
On Sun, 18 Dec 2016 10:45:57 -0800 william manning wrote: this became very relevant to DNSOP list again... > SMTP configuration is not relevant... That said, the morphing of open > SMTP services to the tightly controlled hierarchy and draconian > locally administered rules which prevent delivery

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-18 Thread Adrien de Croy
> If the admin's goal is to block access to malicious sites, then they > want to block the traffic, not falsify DNS. If the goal is to warn > users away from bad places, they can publish the list as a filter for > end-system firewalls. That may be your view about how blocking should work, but

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-18 Thread Scott Schmit
On Sun, Dec 18, 2016 at 07:59:44PM +, Tony Finch wrote: > Scott Schmit wrote: > > This doesn't magically make it possible for this DNS firewall to forge > > DNSSEC-signed data, so if a validating end-system is going to have its > > behavior modified, it would need to opt in. > > That's not e

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-18 Thread Tony Finch
Scott Schmit wrote: > > This doesn't magically make it possible for this DNS firewall to forge > DNSSEC-signed data, so if a validating end-system is going to have its > behavior modified, it would need to opt in. That's not entirely true. An RPZ setup can lie regardless of whether a client

Re: [DNSOP] warning

2016-12-18 Thread william manning
SMTP configuration is not relevant... That said, the morphing of open SMTP services to the tightly controlled hierarchy and draconian locally administered rules which prevent delivery are EXACTLY what this draft proposes for the DNS. On Sunday, 18 December 2016, Tim Wicinski wrote: > Jim is corr

Re: [DNSOP] reducing the crap going to the root

2016-12-18 Thread Jim Reid
> On 18 Dec 2016, at 15:46, Burkov Dmitry wrote: > > Jim, > but you raise for me another question - if 90% will be served by google,etc - > what the real value and role of the roots? Dima, that’s a question to be answered by people well above our pay grade and we shouldn’t go down that partic

Re: [DNSOP] reducing the crap going to the root

2016-12-18 Thread Burkov Dmitry
Jim, but you raise for me another question - if 90% will be served by google,etc - what the real value and role of the roots? Dima > On Dec 18, 2016, at 6:32 PM, Jim Reid wrote: > > >> On 18 Dec 2016, at 15:11, Ralf Weber wrote: >> >> There are other ways of reducing the crap to the root ser

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-18 Thread Shane Kerr
Bill, At IETF 96 in Berlin, Warren gave a presentation discussing how Google is using this in their recursive servers. Here's the link to the recorded video for the whole dnsop session: http://recs.conf.meetecho.com/Playout/watch.jsp?recording=IETF96_DNSOP&chapter=chapter_1 For me the most inter

[DNSOP] reducing the crap going to the root

2016-12-18 Thread Jim Reid
> On 18 Dec 2016, at 15:11, Ralf Weber wrote: > > There are other ways of reducing the crap to the root servers (RFC 7706). I > don't think NSEC Aggressive use will reduce crap a lot as if I remember > correctly from Geoff Huston's last presentation still around 80% of the > resolver don't use

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-18 Thread Ralf Weber
Moin! On 17 Dec 2016, at 20:25, David Conrad wrote: I presume NSEC Aggressive Use will significantly reduce the amount of crap hitting the root servers. There are other ways of reducing the crap to the root servers (RFC 7706). I don't think NSEC Aggressive use will reduce crap a lot as if I re

Re: [DNSOP] warning

2016-12-18 Thread Tim Wicinski
Jim is correct, this is not relevant tim On 12/18/16 7:37 AM, Jim Reid wrote: On 18 Dec 2016, at 12:28, sth...@nethelp.no wrote: You're saying that most spam messages contain a Message-ID header. Please take this discussion somewhere else. It is not appropriate for dnsop.

Re: [DNSOP] warning

2016-12-18 Thread Jim Reid
> On 18 Dec 2016, at 12:28, sth...@nethelp.no wrote: > > You're saying that most spam messages contain a Message-ID header. Please take this discussion somewhere else. It is not appropriate for dnsop.

Re: [DNSOP] warning

2016-12-18 Thread sthaug
> Regarding "Message-ID header" - factually, over 80% of all spam > (I have not bothered to do the actual number check, it is probably closer > to 99.99% but I am erring on the side of caution - as this is science > and not opinion, it is what it is) > > - All contain a Message-ID header. You

Re: [DNSOP] warning

2016-12-18 Thread ac
On Sun, 18 Dec 2016 07:59:30 GMT Vernon Schryver wrote: > > From: ac > > To: dnsop@ietf.org > > If any of you are thinking about speaking your mind, there are > > consequences. > What consequences are those, besides subjecting me to two instead of > only one copy of a message that doesn't seem to

Re: [DNSOP] warning

2016-12-18 Thread Vernon Schryver
> From: ac > To: dnsop@ietf.org > If any of you are thinking about speaking your mind, there are consequences. What consequences are those, besides subjecting me to two instead of only one copy of a message that doesn't seem to contain improved words for the RPZ draft? > v...@rhyolite.com > ho