Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

Nolan Berry <nolan.berry@RACKSPACE.COM> Wed, 21 December 2016 20:45 UTC

I will keep my feedback short and to the point.  We have implemented RPZ across our resolvers and it has been a fantastic tool to stop botnet C&Cs and outbound DDoS attacks.  I just wanted to say it has been an extremely valuable tool to us here at Rackspace and provide some positive feedback since this thread seems fairly negative.

Nolan Berry

Linux Systems Engineer

DNS Engineering

Rackspace Hosting

From: DNSOP on behalf of Viktor Dukhovni
Sent: Wednesday, December 21, 2016 2:01 PM
To: dnsop
Subject: Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

On Wed, Dec 21, 2016 at 12:39:55PM -0500, Matthew Pounsett wrote:

> RPZ is not the ideal, but it works, and goes beyond being deployable - it is
> deployed.

I am curious to understand how RPZ zone transfers are (intended to
be) secured.  It sounds like the reason for standardizing RPZ is
to allow interoperable sharing of policies via replication of zone
data, and so an appropriate security mechanism would seem to be
desirable here to authenticate the transfer of data from the RPZ
master zone.  Is there a related specification for that?

As a (long-ago) émigré from the then Soviet Union, I am loath to
see the IETF standardizing scalable censorship mechanisms, however
well intentioned.  Let's hope that skepticism of such "progress"
can evolve without the personal experience of having lived under
a totalitarian regime.

Once the infrastructure that RPZ makes possible is deployed at
scale, it will surely become increasingly difficult to bypass.
This proposal is a major step towards building the Great Firewall
of <your CountryName>, and should I believe be resisted.
