IETF Logo Mail Archive

Re: [DNSOP] adoption mechanics and disclaimers wrt dns-rpz

joel jaeggli <joelja@bogus.com> Tue, 21 March 2017 02:18 UTC

Return-Path: <joelja@bogus.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 800861316D9 for <dnsop@ietfa.amsl.com>; Mon, 20 Mar 2017 19:18:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WrHGqSeyNwVO for <dnsop@ietfa.amsl.com>; Mon, 20 Mar 2017 19:18:26 -0700 (PDT)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C0AD1316DD for <dnsop@ietf.org>; Mon, 20 Mar 2017 19:18:25 -0700 (PDT)
Received: from mbp-4.local (c-73-202-177-209.hsd1.ca.comcast.net [73.202.177.209]) (authenticated bits=0) by nagasaki.bogus.com (8.15.2/8.15.2) with ESMTPSA id v2L2IM0X056612 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Tue, 21 Mar 2017 02:18:22 GMT (envelope-from joelja@bogus.com)
X-Authentication-Warning: nagasaki.bogus.com: Host c-73-202-177-209.hsd1.ca.comcast.net [73.202.177.209] claimed to be mbp-4.local
To: Warren Kumari <warren@kumari.net>, Paul Vixie <vixie@fsi.io>
References: <2232822.T0nP9Ksjf9@linux-hs2j> <CAHw9_i+q1BH25RLA=kZg7NB7re1GvAWVrOehzCDQi+U_USvovw@mail.gmail.com>
Cc: DNSOP <dnsop@ietf.org>
From: joel jaeggli <joelja@bogus.com>
Message-ID: <828ea148-8571-a572-762c-a138581577d4@bogus.com>
Date: Mon, 20 Mar 2017 19:18:16 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CAHw9_i+q1BH25RLA=kZg7NB7re1GvAWVrOehzCDQi+U_USvovw@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="uAT8DEWcoEAG6ITw2jNi6spAWxeTkfvlR"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/9relLVrW5Xv7-NmBdA6BcSAOqns>
Subject: Re: [DNSOP] adoption mechanics and disclaimers wrt dns-rpz
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Mar 2017 02:18:28 -0000

On 3/20/17 8:15 AM, Warren Kumari wrote:
> On Mon, Mar 20, 2017 at 12:55 AM, Paul Vixie <vixie@fsi.io> wrote:
>> on sunday march 12, chinese.apricot@gmail.com wrote as follows:
>>
>>> I'd be happy to see the document proceed under two conditions:  1) it
>>> becomes a WG document, subject to IETF change control, and 2) that the
>>> disclaimer requested back on 20170103 be added to the document. To refresh
>>> the collective mind, here is the missing text:
>>>
>>> applicability statement.
>>>
>>> This draft is documents a process and method for intercepting DNS queries
>>> and fabricating responses to redirect the querier into a walled garden or
>>> enclave that is NOT part of the open Internet. Adoption and acceptance of
>>> this draft is an acknowledgement that the IETF, the IAB and ISOC reject the
>>> principles espoused at https://open-stand.org/about-us/principles/, in
>>> particular article 3.  Collective Empowerment insofar as the evolution of
>>> the DNS is concerned.
>> i was not subscribed at the time, so i'm working from the archives. the above
>> quoted text is wrongheaded and its proposals unacceptable in several ways.
>>
>> first, the document has been adopted, but is not subject to ietf change
>> control.
>
> Authors (and DNSOP),
>
> It appears that this may have been a process violation here - RFC5378
> Section 3.3. Right to Produce Derivative Works seems to say that the
> IETF needs change control before a WG can formally adopt a document. I
> believe that we missed the fact that this included "non-standard"
> copyright boilerplate.
>
> I / we are still investigating, and would appreciate it if the WG
> gives us some time to figure this out.
Hi,

It appears to be the case that the author's statement above necessarily
precludes adoption as a working group document. It is not uncommon for
documents to have terms applied to them  that are incompatible with
working group adoption. Those are sometimes altered on adoption,
processed as individual submissions, or through another stream (external
standards require special handling for example, rfc 5830). Applying the
tlp 5  section 6c limitations is obviously at the discretion of the
contributors and may be changed at any time.

thanks
joel
> W
>
>
>> rather, the authors will attempt to modify the text to suit the
>> consensus position of the WG, and at publication time, rights to create
>> derivative works will be released to the IETF. so, the WG has domain over the
>> meaning of the final document and the content of future documents, but not
>> over the content of the final document. the authors want to work with the
>> community to ensure that a consensus document is published, but we do not want
>> to open the door to wrongheaded and unacceptable wordings typified by the
>> above.
>>
>> second, your disclaimer won't be added, and if the consensus of the WG is that
>> it must be added, then the standardization activity of dns-rpz will fail. you
>> are free to pitch your ideas, and the authors are free to try to accommodate
>> those ideas, but the final arbiter of whether accommodation is necessary or
>> has been accomplished is WG consensus, not the authors, and not any WG member.
>>
>> third, ignoring completely the words and the wording of your proposed
>> applicability statement, and focusing purely on the ideas it contains, let's
>> dispense with the nonsequiturs and canards as follows:
>>
>> * queries are not intercepted; they are processed differently and deliberately
>> by an RDNS server which has voluntarily subscribed to explicit policy sources.
>>
>> * response fabrication is in this case a service desired by the end-user and
>> by the RDNS operator, thus, "fabrication" has improper connotation.
>>
>> * redirection is by no means the only capability offered.
>>
>> * walled gardens or enclaves may, or may not, be part of the open internet.
>>
>> * adoption and acceptance does not acknowledge anything like what's shown.
>> rather, it's an acknowledgement that the internet now does work this way, at
>> the deliberate and voluntary behest of its RDNS operators and users, and that
>> a specification document has two boons: in the short term, giving implementors
>> and publishers a single authoritative reference for how dns-rpz works now;
>> and, giving change control of the dns-rpz protocol itself over to the IETF
>> upon this document's publication, so that the community can drive changes in
>> the protocol henceforth.
>>
>> i did not note any second or other voice in favour of this amendment, and due
>> to the vacuous pseudo-mumbo alt-jumbo of the proposal, i predict there will be
>> no other voice in favour of it.
>>
>> so, the authors propose a replacement for the current abstract:
>>
>>>     This document describes a method for expressing DNS response policy
>>>     inside a specially constructed DNS zone, and for recursive name
>>>     servers to use such policy to return modified results to DNS clients.
>>>     Such modified DNS results might prevent access to selected HTTP servers,
>>>     or redirect users to "walled gardens", or block objectionable email, or
>>>     otherwise defend against DNS content deemed malicious by the RDNS
>>>     operator or end-user. These so-called "DNS Firewalls" are widely used in
>>>     fighting Internet crime and abuse.
>>>
>>>     Like other mechanisms called "firewalls," response policy zones (RPZ)
>>>     can be used to block wanted SMTP, HTTP, and other data as well as
>>>     unwanted data.  RPZ ought not be used to interfere with data desired by
>>>     recipients. In other words, RPZ should be deployed only with the
>>>     permission of any and all affected RDNS end-users.
>>>
>>>     This document does not recommend the use of RPZ in any particular
>>>     situation or instead of other mechanisms including those more
>>>     commonly called "firewalls." This document lacks an applicability
>>>     statement for that reason, and because it merely describes a currently
>>>     common practice, without recommending or criticising that practice.
>> please chime in if you're for or against this proposed text, or if for some
>> incomprehensible reason you are in favour of chinese.apricot@gmail.com's
>> proposal from march 12 and want it to be further considered or debated.
>>
>> the authors will work toward consensus, but not arbitrarily so.
>>
>> vixie
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>
>

v2.23.0 | Report a Bug | By Email