IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

ac <ac@main.me> Mon, 19 December 2016 08:43 UTC

Return-Path: <ac@main.me>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0059129455 for <dnsop@ietfa.amsl.com>; Mon, 19 Dec 2016 00:43:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.791
X-Spam-Level:
X-Spam-Status: No, score=-1.791 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (2048-bit key) reason="fail (message has been altered)" header.d=main.me
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zg0q3ml5kyol for <dnsop@ietfa.amsl.com>; Mon, 19 Dec 2016 00:43:12 -0800 (PST)
Received: from web.hostacc.com (hostacc.com [188.40.114.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA708128DF6 for <dnsop@ietf.org>; Mon, 19 Dec 2016 00:43:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=main.me; s=default; h=Content-Transfer-Encoding:Content-Type:MIME-Version:References: In-Reply-To:Subject:Cc:To:From:Date:Sender:Reply-To:Message-ID:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=QoUbBOAWndob9zaa7y+jfey6ExbhiD60EzzmpQutXek=; b=EizskZL7O+HlLtVCD6tsvNddx2 YoSdNM94q/CUNtqFLVeHPZs1B29PRwscx1L7FYkrvKH+MqitZmzo0gzObDM80Koxbpe6mB2PZcYjl qHzt3eSehPNU8WO6jCt8dlrtUluWPMW79yIfgpP9v88mG/6dhqnWaK7OSfBRLoI9fgdqAgK+pfVOG hEJbfGssATKhvMKDysxGCgfOLVDzFnD/ozTWzPtHRWU43xiNQ8ebACeCRvh1O759Aeo6VZQgMIaNd 82jVmxqjYd6AmXiwCa6prBj7k9i2R+t5Iaybs8t5+xFMalf7SGWpQWbbSth9462cxSjU/rNDSuyun xAFHothA==;
Received: from [165.255.65.6] (port=44806 helo=tree.nuts.me) by web.hostacc.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.87) (envelope-from <ac@main.me>) id 1cItXI-0007dU-Qb; Mon, 19 Dec 2016 09:43:09 +0100
Date: Mon, 19 Dec 2016 10:42:35 +0200
From: ac <ac@main.me>
To: sthaug@nethelp.no
In-Reply-To: <20161219.091628.74720462.sthaug@nethelp.no>
References: <20161219050559.6F643129497@ietfa.amsl.com> <5CAA0C17-B3F6-4518-90EC-9B0C59D75194@fl1ger.de> <20161219072930.8E646129530@ietfa.amsl.com> <20161219.091628.74720462.sthaug@nethelp.no>
Organization: acmain
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - web.hostacc.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - main.me
X-Get-Message-Sender-Via: web.hostacc.com: authenticated_id: ac@main.me
X-Authenticated-Sender: web.hostacc.com: ac@main.me
X-Source:
X-Source-Args:
X-Source-Dir:
Message-Id: <20161219084311.EA708128DF6@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/5dU8BDty4giiOGhPYYiZ1nm5lXg>
Cc: dnsop@ietf.org, dns@fl1ger.de
Subject: Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Dec 2016 08:43:13 -0000

On Mon, 19 Dec 2016 09:16:28 +0100 (CET)
sthaug@nethelp.no wrote:
> > > So if this is the IP of a phishing site or the IP of an command
> > > and control host that tells its bot to execute criminal action
> > > you still valid the accuracy of the answer higher then possible
> > > damage this could do to your user?
> > yes. 
> > In your example, ethically, it is a problem that should be
> > addressed on IP, not on DNS
> > 
> > It is never okay to tell lies.
> 
> Unfortunately the real world isn't that simple.
> 
it actually is.

> Sometimes you are required by law to tell lies. Case in point: Various

it still is never okay to lie and to deceive.

If the law requires you to answer example.com as ipv4 xxx.xxx.xxx.xxx

The law does not say : send "Pirate Bay" to "example.com" to deceive
your users! it may instruct you to send coca-cola.org to coca-cola.com

but I am not aware of any court (on the planet?) that instructs people
to lie, cheat, steal or deceive - maybe in the interests of national
security, etc. - but arguing that is like pulling the dam from underneath the duck.

 so, factually, the law is not instructing you to lie or to deceive.

the law is saying: do not resolve "pirate bay" or lie to your users or
deceive your users!

Why would you say (or think that?)

your reply is not addressing dishonesty at all?

This is simply  about ethics. 

is it okay to be dishonest, to deceive and where is the ethical line

More specifically: When do you become me - when there is an RFC to
describe methods to steal? - i.e more direct than fraud?


Andre

<snip - left for context>
/*
> domains belonging to Pirate Bay and several other torrent providers
> have been explicitly blocked in Norway - explicitly as in: The biggest
> ISPs in Norway (I happen to work for one of these) have been told by
> the Oslo district court to block access to a list of domains supplied
> by the court, and that this is to be implemented through DNS blocking
> (lies, if you will).
> 
> It doesn't matter whether I *like* this or not, and it also doesn't
> matter whether the domains in question are easily available by using
> OpenDNS, Google Public DNS, running your own name server, etc. ISPs
> are still required to block access as long as the verdict from the
> Oslo district court is valid.
> 
> Today this blocking is done without using RPZ. Having RPZ standardized
> and implemented in more DNS software would make it possible to perform
> the same blocking as mentioned above with fewer moving parts and thus
> a simpler system less likely to have "interesting" failure modes.
> 
> Note that it makes absolutely no difference to the blocking described
> above whether the RPZ draft is published as an RFC or not - in both
> cases the blocking would still be performed, because it is required
> by law.
> 
> Steinar Haug, AS2116

*/

v2.23.0 | Report a Bug | By Email