Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

Scott Schmit <i.grok@comcast.net> Thu, 29 December 2016 16:06 UTC

Date: Thu, 29 Dec 2016 11:06:03 -0500
From: Scott Schmit <i.grok@comcast.net>
To: dnsop@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/IfEDHl1tF15xvCZOba7paDVMKds>

On Thu, Dec 29, 2016 at 05:45:59AM -0000, John Levine wrote:
> >I'm seeing how it really helps governments cheaply create and enforce
> >the creation of national internets -- especially with the walled garden
> >features.  Are those the good guys to you, or are there other benefits?
> 
> Please see the previous gazillion messages from people who are using
> RPZ in production to keep malware away from their users.
> 
> Also see the previous gazillion messages noting that governments do
> all sorts of DNS censorship now and don't need RPZ.
> 
> Could you explain in more detail why you don't believe operators will
> continue to use RPZ to protect their users, and why you think hostile
> actors will do things with RPZ that they couldn't do now?

I was specifically asking about the redirect/record replacement
behavior, not the nxdomain/blocking behavior.

-- 
Scott Schmit