Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

william manning <chinese.apricot@gmail.com> Tue, 03 January 2017 17:18 UTC

From: william manning <chinese.apricot@gmail.com>
Date: Tue, 03 Jan 2017 09:18:34 -0800
To: joel jaeggli <joelja@bogus.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/9OpcGv5cALXihKhE3hShh0HZDoo>
Cc: Vernon Schryver <vjs@rhyolite.com>, dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

OK.  Here is a draft applicability statement.

This draft documents a process and method for intercepting DNS queries
and fabricating responses to redirect the querier into a walled garden or
enclave that is NOT part of the open Internet. Adoption and acceptance of
this draft is an acknowledgement that the IETF, the IAB and ISOC reject the
principles espoused at https://open-stand.org/about-us/principles/, in
particular article 3, Collective Empowerment, insofar as the evolution of
the DNS is concerned.

/Wm


On Thu, Dec 29, 2016 at 6:30 PM, joel jaeggli <joelja@bogus.com> wrote:

> On 12/29/16 1:51 PM, william manning wrote:
> > "let's standardize this 'cause everyone does it"  sounds like the medical
> > community should have standardized on whiskey & leeches & coat hangers
> > because that's what everyone did.  if this work does proceed, i'd like to
> > insist that it carry a disclaimer that it is designed specifically for
> > closed networks and is not to be used in the Internet.
>
> this sounds like an applicability statement to be included in the
> introduction.
>
> > Indeed, the draft is very clear this is for enclaves and not for open
> > Internet use.
> >
> >
> > /Wm
> >
> > On Thu, Dec 29, 2016 at 10:15 AM, Vernon Schryver <vjs@rhyolite.com> wrote:
> >
> >     > From: Richard Clayton <richard@highwayman.com>
> >
> >     > Everyone involved understands that there isn't at present a turnkey
> >     > application that the other 5% (and indeed all the in-house corporate
> >     > systems) could deploy....
> >
> >     I do not understand that.
> >     If the command `nslookup -q=txt -class=CHAOS version.bind` to a UNIX
> >     shell or Windows command prompt on your desktop says anything about
> >     BIND, then chances are good that you are already using one of the
> >     turnkey applications that in-house corporate systems and others have
> >     already deployed and could configure.  Even if there is no sign of
> >     BIND9 from that `nslookup` command, the odds are good that the recursive
> >     server you use has an RPZ taint or will have within months.
> >
> >
> >     > So although deploying RPZ does a reasonable job of papering over the
> >     > cracks in our response to cybercrime I think that on balance it's too
> >     > dangerous a tool for the IETF to wish to bless in any way -- it's poor
> >     > social hygiene to standardise these types of tools.
> >
> >     While I understand how a reasonable person can hold that position,
> >     I think the papered cracks are not only less bad, but the best that
> >     can be hoped for in the real world.
> >
> >
> >     > I also note from reading the draft that this blessing will freeze in
> >     > some rather ugly design (with the authors arguing that the installed
> >     > base cannot adjust to something cleaner).
> >
> >     That is not the intended meaning of the draft.  Instead it tried to
> >     acknowledge the extreme difficulty of changing an installed base.
> >     Words that convey that intended meaning would be appreciated.
> >
> >
> >     Vernon Schryver    vjs@rhyolite.com
> >
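The interception-and-redirect mechanism the applicability statement describes is RPZ's QNAME trigger: a policy zone whose owner names are the queried names to act on and whose CNAME targets encode the action (NXDOMAIN, NODATA, passthru, or a substitute answer such as a walled-garden host). The evaluator below is an added example, not code from the draft, from BIND, or from any poster on this thread; the zone content, the `rpz.example` apex and `walled-garden.example` are constructed, and the precedence rule (exact name, then closest enclosing wildcard) is a simplification I am assuming here.

```python
"""Tiny RPZ QNAME-trigger evaluator; an added illustration, not BIND's code."""

RPZ_APEX = "rpz.example"  # constructed policy zone name (assumption)

# Constructed policy zone. Each owner is <trigger>.<apex>; the CNAME target
# encodes the action: "." = NXDOMAIN, "*." = NODATA, "rpz-passthru." = exempt,
# any other name = answer with that name instead (the "walled garden").
RPZ_ZONE_TEXT = """
bad.example.rpz.example.        CNAME .                       ; block apex
*.bad.example.rpz.example.      CNAME .                       ; ...and subdomains
allow.bad.example.rpz.example.  CNAME rpz-passthru.           ; exact name wins
nodata.example.rpz.example.     CNAME *.                      ; empty answer
phish.example.rpz.example.      CNAME walled-garden.example.  ; redirect
*.phish.example.rpz.example.    CNAME walled-garden.example.
"""

SPECIAL_TARGETS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
                   "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}


def parse_rpz(zone_text, apex=RPZ_APEX):
    """Return {trigger_name: (action, data)} for the QNAME triggers in the zone."""
    rules, suffix = {}, "." + apex + "."
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop zone-file comments
        if not line:
            continue
        owner, rrtype, target = line.split()
        if rrtype != "CNAME" or not owner.lower().endswith(suffix):
            continue                              # not a QNAME policy record
        trigger = owner[:-len(suffix)].lower()
        if target in SPECIAL_TARGETS:
            rules[trigger] = (SPECIAL_TARGETS[target], None)
        else:
            rules[trigger] = ("LOCAL-DATA", target)  # fabricated answer
    return rules


def apply_policy(rules, qname):
    """Exact trigger first, then the closest enclosing wildcard (DNS-style: a
    wildcard does not cover its own base name). No match means resolve normally."""
    name = qname.rstrip(".").lower()
    if name in rules:
        return rules[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return rules[wildcard]
    return ("PASSTHRU", None)
```

The `allow.bad.example` record shows the operational point behind the thread's "enclave" caveat: whoever controls the policy zone decides which names are fabricated and which are exempt, so the zone must be reviewed like any other access-control list.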