Re: [DNSOP] draft-ietf-dnsop-dns-rpz

Mukund Sivaraman <> Fri, 06 October 2017 14:32 UTC

Date: Fri, 6 Oct 2017 20:02:03 +0530
From: Mukund Sivaraman <>
To: Petr Špaček <>
Message-ID: <20171006143203.GA7941@jurassic>

Hi Petr

On Fri, Oct 06, 2017 at 03:56:20PM +0200, Petr Špaček wrote:
> Hello dnsop,
> draft-ietf-dnsop-dns-rpz expired on 2017-09-10, i.e. did not receive any
> update from 2017-03-09.
> Is there a real appetite for work on this document?

No answer for this question, but see below...

> We are considering RPZ implementation for Knot Resolver next year but if
> the document is not going to move forward I would rather close the
> ticket and be done with it. I certainly do commit to implementing an
> ever-changing protocol without readily available description ...

I can't tell you whether to implement RPZ or not, but maybe the
following will be useful from an implementation perspective.

Whether the IETF adopts it or not, RPZ has been an existing real protocol
in operational use for several years now (with implementations and data
(zone) providers). The old RPZ specification was obsolete and this draft
is the only current spec that describes RPZ as it is used today. For
this reason at least, BIND will follow this spec whether it is a dnsop
adopted document or is maintained outside IETF. If for some reason the
co-authors abandon it (highly unlikely as they seem to have a business
case for it), we at ISC will likely pick it up as it is a BIND feature.
(We were going to do so about 1-1.5 years ago when we found that the old
draft was outdated, and contacted Vixie about it.)

It follows that if you want to support the RPZ zone syntax that is used
in feeds provided by several vendors, this draft is the only current and
correct spec as of now.

No comment about whether dnsop should adopt it or about the
philosophical side.