Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

Tony Finch <dot@dotat.at> Tue, 03 January 2017 14:29 UTC

Date: Tue, 03 Jan 2017 14:29:08 +0000
From: Tony Finch <dot@dotat.at>
To: joel jaeggli <joelja@bogus.com>
In-Reply-To: <c22dbbb7-2075-3743-c53f-70ee8ce0f42a@bogus.com>
Message-ID: <alpine.DEB.2.11.1701031419220.7102@grey.csi.cam.ac.uk>
References: <kHKKXtEjTQZYFAGI@highwayman.com> <201612291815.uBTIFdW4015802@calcite.rhyolite.com> <CACfw2hi4Yu87CEfAaDLT0GuzQ8_nEF8hAnfXsPa4NmixB35cAA@mail.gmail.com> <c22dbbb7-2075-3743-c53f-70ee8ce0f42a@bogus.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-sqqqZgdbvqvh8D8tO_ZpOXQAYc>
Cc: Vernon Schryver <vjs@rhyolite.com>, dnsop <dnsop@ietf.org>, william manning <chinese.apricot@gmail.com>
Subject: Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

joel jaeggli <joelja@bogus.com> wrote:
> On 12/29/16 1:51 PM, william manning wrote:

> > if this work does proceed, i'd like to insist that it carry a
> > disclaimer that it is designed specifically for closed networks and is
> > not to be used in the Internet.
>
> this sounds like an applicability statement to be included in the
> introduction.

I don't understand what "not to be used in the Internet" means for RPZ.

Part of the point of standardizing it is interoperability between multiple
RPZ resolver implementations and multiple RPZ data providers. The
resolver operator gets the RPZ data via IXFR across the Internet. Is this
bad?

Or maybe "not to be used in the Internet" is something to do with who uses
resolvers with RPZ blocks. Open resolvers are horrible abuse magnets and
should not be available for use by the whole Internet unless their
operators have impressive anti-DDoS skills. But that isn't an RPZ-specific
problem.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Southwest Shannon: Southeasterly 5 to 7. Moderate or rough. Fair. Good.
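A resolver configuration matching the deployment model described in the message above, added here as an illustration and not taken from the thread or from draft-vixie-dns-rpz: BIND 9 (9.16+ syntax), pulling the policy zone from an RPZ data provider by TSIG-signed IXFR across the Internet while keeping recursion closed to the operator's own networks. The provider name, addresses, key and prefixes are made-up placeholders.

```conf
// Constructed example: a BIND 9 recursive resolver subscribing to an RPZ
// feed over IXFR. Names, addresses, prefixes and the secret are placeholders.

// TSIG key shared with the RPZ data provider; it authenticates both the
// zone transfers and the NOTIFY messages that trigger an IXFR.
key "rpz-feed-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-PROVIDER";
};

options {
    directory "/var/cache/bind";
    recursion yes;

    // Answer recursive queries only for the operator's own networks, so the
    // server is not an open resolver reachable from the whole Internet.
    allow-recursion { 10.0.0.0/8; 192.0.2.0/24; };
    allow-query-cache { 10.0.0.0/8; 192.0.2.0/24; };

    // Apply the provider's policy zone to responses. "policy given" honours
    // the action encoded in each RPZ record; use "policy disabled" instead
    // to only log what would have been rewritten while evaluating a feed.
    response-policy {
        zone "rpz.provider.example" policy given;
    };
};

// The policy zone is an ordinary secondary zone: the initial copy arrives
// by AXFR and later changes by IXFR from the provider's primary server.
zone "rpz.provider.example" {
    type secondary;
    primaries { 203.0.113.53 key "rpz-feed-key"; };
    request-ixfr yes;
    file "rpz.provider.example.db";
    // Do not redistribute the feed, and do not expose the policy zone
    // itself to queries from anyone but the local host.
    allow-transfer { none; };
    allow-query { localhost; };
};
```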