Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

Viktor Dukhovni <> Wed, 21 December 2016 20:01 UTC

Date: Wed, 21 Dec 2016 20:01:04 +0000
From: Viktor Dukhovni <>
To: dnsop <>
Subject: Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz
List-Id: IETF DNSOP WG mailing list <>

On Wed, Dec 21, 2016 at 12:39:55PM -0500, Matthew Pounsett wrote:

> RPZ is not the ideal, but it works, and goes beyond being deployable–it is
> deployed.

I am curious to understand how RPZ zone transfers are (intended to
be) secured.  It sounds like the reason for standardizing RPZ is
to allow interoperable sharing of policies via replication of zone
data, and so an appropriate security mechanism would seem to be
desirable here to authenticate the transfer of data from the RPZ
master zone.  Is there a related specification for that?

As a (long-ago) émigré from the then Soviet Union, I am loath to
see the IETF standardizing scalable censorship mechanisms, however
well intentioned.  Let's hope that skepticism of such "progress"
can evolve without the personal experience of having lived under
a totalitarian regime.

Once the infrastructure that RPZ makes possible is deployed at
scale, it will surely become increasingly difficult to bypass.
This proposal is a major step towards building the Great Firewall
of <your CountryName>, and should I believe be resisted.
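The message above asks how the replication of RPZ policy data from the master zone is authenticated. As an added illustration, not part of this thread and not from the draft, the following BIND 9.16+ named.conf fragment contrasts an RPZ zone transfer gated only on source address with one gated on a TSIG key; the zone name rpz.example, the key name, the secret placeholder and the documentation address 192.0.2.10 are all assumed values.

```conf
# --- Weak: transfer of the policy zone is allowed to any host claiming
# the listed source address.  Nothing authenticates the peer, so a
# spoofed or hijacked address can pull (or, with NOTIFY tricks, race)
# the policy feed.  (primary server, assumed zone name)
zone "rpz.example" {
    type primary;
    file "rpz.example.db";
    allow-transfer { 192.0.2.20; };   # IP-only ACL: no peer authentication
};

# --- Hardened: both ends share a TSIG key; AXFR/IXFR requests and
# responses are HMAC-signed, so an unsigned or wrongly-signed request is
# refused and transferred data cannot be altered in flight.
key "rpz-xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   # placeholder; generate with tsig-keygen
};

# primary side: only requests signed with the key may transfer the zone
zone "rpz.example" {
    type primary;
    file "rpz.example.db";
    allow-transfer { key "rpz-xfer-key"; };
};

# secondary (policy consumer) side: sign transfer requests to the
# assumed primary at 192.0.2.10 with the same key, and do not re-export
# the zone to anyone.
zone "rpz.example" {
    type secondary;
    primaries { 192.0.2.10 key "rpz-xfer-key"; };
    file "rpz.example.db";
    allow-transfer { none; };
};

# the consumer then applies the zone as response policy
options {
    response-policy { zone "rpz.example"; };
};
```

TSIG authenticates only the hop between the two servers sharing the key; it says nothing about who authored the policy data at its origin, which is the separate question the message raises. The two `zone "rpz.example"` primary stanzas are alternatives and would not both appear in one file.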