Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

Ted Lemon <mellon@fugue.com> Wed, 21 December 2016 14:54 UTC

From: Ted Lemon <mellon@fugue.com>
In-Reply-To: <CACfw2hg_8nT_b6Syc1-wk_O92mzW0Zo0wX5xgMp5uhhu0Vom9A@mail.gmail.com>
Date: Wed, 21 Dec 2016 09:54:16 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <987B1C64-B85D-4316-8DE8-27D4A4AB8F9A@fugue.com>
References: <20161218224231.GB16301@odin.ulthar.us> <201612191535.uBJFZh7w091898@calcite.rhyolite.com> <CACfw2hhFLdFgspse7-L8UxCLCCu_g=GYEybOWVZ5xPkMu0YduQ@mail.gmail.com> <CACfw2hg_8nT_b6Syc1-wk_O92mzW0Zo0wX5xgMp5uhhu0Vom9A@mail.gmail.com>
To: william manning <chinese.apricot@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/GLZRqtkJExgddb8W9W1hfOvxKGI>
Cc: Vernon Schryver <vjs@rhyolite.com>, dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

William, I think the exit strategy for RPZ is DNSSEC.   We really need to figure out how to get people to be able to reliably and safely set up DNSSEC.   Despite Olaf’s excellent documents, we don’t really have that yet.   I don’t think that operating DNSSEC should be as scary as it is, but right now all the IETF advice on this topic is too general, requiring the installer to make decisions about their setup that the average IT person doesn’t know how to make.

We should have a document that says "look, if you don’t know any better, here is a way to set up DNSSEC that will make your users more secure than they are without it, and that will not blow up in your face (assuming you do it)."   I’ve seen a few documents like that, but nothing out of the IETF; they are generally on someone’s personal web site, and don’t see wide distribution.

I think we need to stop thinking that there will be some shining day when the Internet is a safe place. The Internet is an ecosystem, and ecosystems have predators and parasites. We may not like it, it may violate our ideals, but it is reality, and denying reality doesn’t make it go away. What we should be doing is thinking like gardeners, not like machinists. Gardeners sometimes have to use methods for dealing with pests that allow us to have yummy food but aren’t so good for the pests. The same is true with the Internet.

(FWIW, I’m in favor of adoption, for precisely this reason.)