Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

sthaug@nethelp.no Mon, 19 December 2016 08:16 UTC

Date: Mon, 19 Dec 2016 09:16:28 +0100
Message-Id: <20161219.091628.74720462.sthaug@nethelp.no>
To: ac@main.me
From: sthaug@nethelp.no
In-Reply-To: <20161219072930.8E646129530@ietfa.amsl.com>
References: <20161219050559.6F643129497@ietfa.amsl.com> <5CAA0C17-B3F6-4518-90EC-9B0C59D75194@fl1ger.de> <20161219072930.8E646129530@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/DmqJZjnCUe1DqxT-mxLM4ii-_Hw>
Cc: dnsop@ietf.org, dns@fl1ger.de

> > So if this is the IP of a phishing site or the IP of a command and
> > control host that tells its bot to execute criminal action, you still
> > value the accuracy of the answer higher than the possible damage this
> > could do to your user?
> > 
> yes. 
> 
> In your example, ethically, it is a problem that should be addressed on IP, not on DNS
> 
> It is never okay to tell lies.

Unfortunately the real world isn't that simple.

Sometimes you are required by law to tell lies. Case in point: Various
domains belonging to Pirate Bay and several other torrent providers
have been explicitly blocked in Norway - explicitly as in: The biggest
ISPs in Norway (I happen to work for one of these) have been told by
the Oslo district court to block access to a list of domains supplied
by the court, and that this is to be implemented through DNS blocking
(lies, if you will).

It doesn't matter whether I *like* this or not, and it also doesn't
matter whether the domains in question are easily available by using
OpenDNS, Google Public DNS, running your own name server, etc. ISPs
are still required to block access as long as the verdict from the
Oslo district court is valid.

Today this blocking is done without using RPZ. Having RPZ standardized
and implemented in more DNS software would make it possible to perform
the same blocking as mentioned above with fewer moving parts and thus
a simpler system less likely to have "interesting" failure modes.

Note that it makes absolutely no difference to the blocking described
above whether the RPZ draft is published as an RFC or not - in both
cases the blocking would still be performed, because it is required
by law.

Steinar Haug, AS2116
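An added illustration of the RPZ-based blocking Steinar describes (a court-supplied domain list enforced by the resolver), written for this archive page; it is not part of his message, of the ISP's system, or of the draft. The zone name `rpz.isp.example` and the domains in `COURT_BLOCKLIST` are constructed placeholders. It generates the policy zone and then simulates the QNAME-trigger matching a resolver performs, including the rule that an exact owner (such as a `rpz-passthru.` exception) takes precedence over a wildcard entry:

```python
"""Generate a DNS Response Policy Zone (RPZ) from a blocklist and simulate
QNAME-trigger matching.

RPZ encodes each trigger as an owner name inside the policy zone and the
action as the CNAME target:
    CNAME .              -> NXDOMAIN
    CNAME *.             -> NODATA
    CNAME rpz-passthru.  -> exempt from the policy
    CNAME rpz-drop.      -> drop the query
The resolver loads the zone with, e.g., BIND's
    response-policy { zone "rpz.isp.example"; };
"""

# Constructed placeholders: not the actual court-supplied list.
COURT_BLOCKLIST = ["blocked-example.test", "also-blocked.example"]
RPZ_ZONE = "rpz.isp.example"  # assumed name of the local policy zone

ACTIONS = {".": "NXDOMAIN", "*.": "NODATA",
           "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}


def rpz_zone_file(blocklist, exceptions=(), zone=RPZ_ZONE, serial=1):
    """Return zone-file text. Every blocked domain and all of its subdomains
    get NXDOMAIN; names in `exceptions` are explicitly passed through.
    A wildcard owner does not match the apex itself, so both are emitted."""
    lines = [
        f"$ORIGIN {zone}.",
        "$TTL 300",
        f"@ IN SOA ns1.{zone}. hostmaster.{zone}. {serial} 3600 900 604800 300",
        f"@ IN NS ns1.{zone}.",
    ]
    for d in blocklist:
        d = d.rstrip(".").lower()
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    for d in exceptions:
        lines.append(f"{d.rstrip('.').lower()} CNAME rpz-passthru.")
    return "\n".join(lines) + "\n"


def parse_policy(zone_text):
    """Collect the QNAME-trigger records (owner CNAME target) as {owner: action}."""
    policy = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "CNAME":
            policy[parts[0].lower()] = ACTIONS.get(parts[2], f"CNAME {parts[2]}")
    return policy


def lookup(policy, qname):
    """Apply RPZ QNAME matching: an exact owner wins; otherwise the closest
    enclosing wildcard applies. Returns the action or None (no policy hit)."""
    q = qname.rstrip(".").lower()
    if q in policy:
        return policy[q]
    labels = q.split(".")
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in policy:
            return policy[candidate]
    return None


if __name__ == "__main__":
    zone = rpz_zone_file(COURT_BLOCKLIST, exceptions=["allowed.blocked-example.test"])
    print(zone)
    policy = parse_policy(zone)
    for name in ("www.blocked-example.test", "allowed.blocked-example.test",
                 "unrelated.test"):
        print(f"{name:32} -> {lookup(policy, name)}")
```

The simulation only covers QNAME triggers; RPZ also defines triggers on the client IP, the response IP and the nameserver, which a real deployment may use but which this example leaves out.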