Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

Paul Wouters <paul@nohats.ca> Wed, 21 December 2016 15:53 UTC

Date: Wed, 21 Dec 2016 10:53:25 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <20161221.163826.74705202.sthaug@nethelp.no>
Message-ID: <alpine.LRH.2.20.1612211047200.13966@bofh.nohats.ca>
References: <C18E2D4E-EE89-4AF6-B4A0-FAD1A7A01B5E@vpnc.org> <5248A099-7E1F-437A-A1B7-C300F917D273@fl1ger.de> <CACfw2hj4VfuqsM-jRpxNc+bWNsUcSid+Y=r9U5jsA-0ZLbLRUg@mail.gmail.com> <20161221.163826.74705202.sthaug@nethelp.no>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Fm0z1T7F3dGqXchEPeFq1FzXWHg>

On Wed, 21 Dec 2016, sthaug@nethelp.no wrote:

> Since operator participation was mentioned,
>
> <op hat on>
>
>> this draft actively destroys trust in the DNS, which reduces trust in the
>> Internet overall.
>
> No, this draft simply specifies what operators are already doing. Not
> because they are intent on destroying trust in the DNS or the Internet,
> but because they are forced to do this by governments, they need to
> protect their own network, they would like to protect their customers,
> and lots of other reasons.

There are two things you mixed together:

1) industry-based filtering of DNS - a commercial opt-in service offering

2) government-mandated filtering of DNS - a misguided breakage of
    protocol forced upon operators.

And 1) should not need to break DNSSEC. IETF should come up with a
better solution for signaling that a DNS lookup might be unhealthy for
the end user.

For 2), if it breaks DNSSEC, that is fine. Governments will learn that
ISPs are not the right tools for censorship, and end nodes will simply
bypass the ISP DNS resolver.

> It's possible that the ball will be dropped on this one like it was for
> NAT. That would be stupid, IMHO.

The NAT example is overused as much by those in favour of it as by those
against it. It has no relation to this issue whatsoever.

Paul