Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

Suzanne Woolf <> Mon, 13 March 2017 13:51 UTC

From: Suzanne Woolf <>
Date: Mon, 13 Mar 2017 09:51:43 -0400
To: Ray Bellis <>
Subject: Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz


Per assorted comments in this thread... a couple of observations from one WG chair.

It’s my sense at least that the WG was clear that there’s some interest in publishing an informational document about RPZ, given that it’s widely deployed and considered useful by certain admins in certain situations, but that such a potential RFC should have more detailed discussion than the initial draft of drawbacks and cautions regarding the use of this technology.

It also seemed to me that the usual rules apply: authors on a WG document are committed to working through WG discussion to consensus. If that doesn’t work out, the authors can be replaced or the document abandoned.

I still think there’s a possible consensus view that will allow a version of this document to proceed, if it meets the constraints we’ve discussed. If not, we will not have consensus to advance it, and an eventual WGLC will tell us so. As our AD pointed out, that’s awkward but hardly unprecedented.

Finally, folks should feel free to offer the cautions they think the document should include, but as Andrew already noted, text that claims to speak for the IAB or ISOC or other organizations is out of scope for us as an IETF WG and will not be added to the document.


> On Mar 13, 2017, at 3:46 AM, Ray Bellis <> wrote:
> On 13/03/2017 05:35, william manning wrote:
>> Joel,
>> I'd be happy to see the document proceed under two conditions:  1) it
>> becomes a WG document, subject to IETF change control, and 2) that the
>> disclaimer requested back on 20170103 be added to the document. To
>> refresh the collective mind, here is the missing text:
>> applicability statement.
>> This draft documents a process and method for intercepting DNS
>> queries and fabricating responses to redirect the querier into a walled
>> garden or enclave that is NOT part of the open Internet. Adoption and
>> acceptance of this draft is an acknowledgement that the IETF, the IAB
>> and ISOC reject the principles espoused
>> at
>> <>, in particular article 3. 
>> Collective Empowerment insofar as the evolution of the DNS is concerned.
> Very strong -1 against that text, here!
> RPZ is already in very widespread use on the open Internet, especially
> as a means to protect end users against botnet C&C hosts.
> Ray
> ob. disclaimer - I work for a DNS vendor that implements RPZ