Re: [DNSOP] draft-ietf-dnsop-dns-rpz

Ted Lemon <> Tue, 18 July 2017 12:30 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CADA6131948 for <>; Tue, 18 Jul 2017 05:30:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id e-II0XJXPSeA for <>; Tue, 18 Jul 2017 05:30:56 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400e:c00::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 48218131748 for <>; Tue, 18 Jul 2017 05:30:56 -0700 (PDT)
Received: by with SMTP id e199so10833282pfh.2 for <>; Tue, 18 Jul 2017 05:30:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=PRvyHTt2DBf16muBUJVBLOAwHEHZywwjiCJsX1EzDbQ=; b=tibd4x/S7JgSdjv68ouGA9gpHzRC0CliicoWSWRjFXLNOBeJ1lFj+Jq4Ev7/P4lRiy fcMDxSpXsjdFv76WGelkyn5zjVs9cb8aP/KMjJU0eQEAXMcPDUNLBnAyMth0ccPVSGLM unfm0kSTAL8suQYpfTSG1Ui/V23h5E1xL4kMeZ0YcDGvlFsPXdJzSO3Cizdu4KGJHC2z oeNhYKvVytCUweP9hpTu/U22uGpZNEgIAm9RFP/1AXOVAcU9sFW1WGduzDetEKmF44vk tPiH4H8tqFAhVZgeR63v23JJfLPQystm6rasrVG8N5LkUih6wPBiPnIwF3N6+2cWNNmy FQoQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=PRvyHTt2DBf16muBUJVBLOAwHEHZywwjiCJsX1EzDbQ=; b=obUfo+th3Tvc+E7yspmfualpFQzR+BqEN4H6ELh0dNCTSzsBprmncrt9EBbaIvy3EJ C+xggQ4ifYzHLV0P395fpiW4XXH7xZYzi3+iXtAYUfQP1qWMIPY1BUj0wsyHiGVr4W7e s0FrjE1SO84A5mm8y9qt+3xeLE2jtfXjRQR5YZGSwwcg6Y2OAP+d35HxHqSSPUbc1718 mbZPQDIZ4LWmGS5ZGOFSoRar8t4dNCrmGPgR9FppuwfDrVPuO3npjmvtSIxgMPaXepvD WmolU2TfKYq+u8Nk8mY5RSxzHkeiRQQn7I65RXVHws2D/lNQFn9XZ1fQAY6KGphxtYKI 7kXw==
X-Gm-Message-State: AIVw1122BNaFyF9c5nWslWye1dNC3RSXsxEycEjbXG8x5YhELHKkq1Y4 +yX58GxEbMCNSaJibowqfMziPhRbrD2h
X-Received: by with SMTP id f16mr1483983plk.131.1500381055682; Tue, 18 Jul 2017 05:30:55 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Tue, 18 Jul 2017 05:30:15 -0700 (PDT)
In-Reply-To: <>
References: <>
From: Ted Lemon <>
Date: Tue, 18 Jul 2017 14:30:15 +0200
Message-ID: <>
To: dnsop WG <>
Content-Type: multipart/alternative; boundary="f40304360182da2092055496af8a"
Archived-At: <>
Subject: Re: [DNSOP] draft-ietf-dnsop-dns-rpz
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 18 Jul 2017 12:30:59 -0000

If the working group doesn't get to work on it, it seems more appropriate
to publish it as an ISE document.   This is what has been done in similar
cases in the past.

On Tue, Jul 18, 2017 at 2:13 PM, Suzanne Woolf <>

> Dear colleagues,
> As you might recall, we had a call for adoption for draft-vixie-dns-rpz
> just before IETF 98 in March. We had a lively discussion and decided to
> adopt the document for further work in the WG as an Informational RFC.
> However, the chairs then discovered we’d made a mistake in adopting the
> draft with the copyright that reserved rights in derivative works to the
> original authors. This isn’t allowed for a Working Group document (see
> RFC5378, Section 3.3).
> We’ve talked since then with the authors about how we might move forward
> with the draft. They had concerns, which had already been discussed on the
> list, about some of the views of the WG on the applicability of RPZ.
> We believe we’ve found a way forward that meets their concerns and the
> needs of the WG. We propose that:
> 1. The draft adopts the following language in the Introduction:
> This document describes an existing and widely deployed method by which a
> security policy can be applied to DNS responses, possibly causing an end
> system to receive responses that do not correspond to actual DNS zone
> content. Such policy-based responses might prevent access to selected HTTP
> servers, or redirect users to "walled gardens", or block objectionable
> email, or otherwise defend against DNS content deemed malicious by the RDNS
> operator and the end-user.
> This method describes its policy using a specially formatted DNS Zone
> called a Response Policy Zone (RPZ), and is an instance of a more general
> mechanism called a "DNS Firewall." Like other mechanisms called
> "firewalls," response policy zones (RPZ) can be used to block both wanted
> as well as unwanted data.  RPZ ought not be used to interfere with data
> desired by recipients. In other words, RPZ should be deployed only with the
> permission of every affected RDNS end-users.
> This document does not recommend the use of RPZ in any particular
> situation or instead of other mechanisms including those more commonly
> called "firewalls."  This document lacks an applicability statement for
> that reason, and because it merely describes a currently common practice,
> without recommending or criticising that practice. By design and
> expectation, response policy zones (RPZ) must be seen as a defensive and
> virtuous tool, or it will either not be used, or will be bypassed by
> end-users.
> 2. We had already limited the the scope of the document to describing the
> current protocol, with any discussion of proposed changes left to a later
> document if people want to do that work. That limitation stands. The
> intended document status is Informational.
> 3. The copyright is changed to the standard boilerplate required for a WG
> draft.
> If this is acceptable to the WG, we’ll keep the new draft with these
> changes as a WG draft.
> If not, the draft will be dropped as a WG item. The authors can seek
> publication of the document as an independent submission or outside of the
> RFC series.
> If you have a comment on this, please make it succinctly and soon.
> thanks,
> Suzanne & TIm
> _______________________________________________
> DNSOP mailing list