Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

"Ralf Weber" <dns@fl1ger.de> Mon, 19 December 2016 10:05 UTC

Return-Path: <dns@fl1ger.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2119129442 for <dnsop@ietfa.amsl.com>; Mon, 19 Dec 2016 02:05:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ymuR3P9Uu7q1 for <dnsop@ietfa.amsl.com>; Mon, 19 Dec 2016 02:05:48 -0800 (PST)
Received: from smtp.guxx.net (nyx.guxx.net [85.10.208.173]) by ietfa.amsl.com (Postfix) with ESMTP id 6B62312940A for <dnsop@ietf.org>; Mon, 19 Dec 2016 02:05:48 -0800 (PST)
Received: by nyx.guxx.net (Postfix, from userid 107) id 83DCE5F404CB; Mon, 19 Dec 2016 11:05:47 +0100 (CET)
Received: from [192.168.2.152] (p57B9F73C.dip0.t-ipconnect.de [87.185.247.60]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by nyx.guxx.net (Postfix) with ESMTPSA id 5208E5F4014B; Mon, 19 Dec 2016 11:05:46 +0100 (CET)
From: Ralf Weber <dns@fl1ger.de>
To: ac <ac@main.me>
Date: Mon, 19 Dec 2016 11:05:45 +0100
Message-ID: <7811D7ED-6638-490D-9608-72D8D7230ACD@fl1ger.de>
In-Reply-To: <20161219072930.8E646129530@ietfa.amsl.com>
References: <20161218224231.GB16301@odin.ulthar.us> <em8c69a376-3e56-437d-8fe4-d70af6aa0e63@bodybag> <20161219050559.6F643129497@ietfa.amsl.com> <5CAA0C17-B3F6-4518-90EC-9B0C59D75194@fl1ger.de> <20161219072930.8E646129530@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.6r5318)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Ldr9XieowW_XyClNbOUOdU6Mk5I>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Subject: Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Dec 2016 10:05:50 -0000

Moin!

On 19 Dec 2016, at 8:28, ac wrote:
> On Mon, 19 Dec 2016 07:53:42 +0100
> "Ralf Weber" <dns@fl1ger.de> wrote:
>> So if this is the IP of a phishing site or the IP of a command and
>> control host that tells its bot to execute criminal action, you still
>> value the accuracy of the answer higher than the possible damage this
>> could do to your user?
>>
> yes.
>
> In your example, ethically, it is a problem that should be addressed 
> on IP, not on DNS
So you are arguing for DPI inspection of all packets? That would not be
what I want, but if you think this is more ethical, go ahead.

>> Sure this technology can be used for bad things, but that is true
>> for a lot of other technologies also. It's the use that makes them
>> bad and not the technology itself.
>>
>
> this is exactly the same argument the authors of other software use
> and also argues for the use of DNS as a firewall, etc.
Yes and I work for a company that produces such software, so what?

> and you are of course correct: you are free to develop malware, write
> viruses and do anything your heart desires. It is your DNS servers, you
> may do anything you like and answer anything you want.
Well, I don't run DNS servers these days, but that's what I did when I
ran them some time ago, and I prevented a lot of bad activity on the
network by doing so.

> but, to publish protocols and request comments on how to operate a
> botnet or do whatever you wish to do that is not ethical, is crossing 
> a line.
Sorry, you lost me there. This draft describes a mechanism for
blocking/redirecting stuff in DNS. I don't see how you could run a
botnet with it, and I know some stuff about botnets that use DNS.

This draft just uses a DNS zone file format to achieve this blocking/
redirection. While this may not be the best way to encode policy, it
seems to be the one lots of DNS people can agree on.

> I assume you are saying that it is okay to lie, cheat (and steal?) if
> the reason you are doing it is well intended? - Please correct me if I
> am wrong?
I never said such a thing, and while I know it is common these days to
accuse people with different opinions of being liars or unethical, it is
just that: a different opinion. And while I usually hate metaphors, let's
try one here. Say I work at an information counter and you ask me how
to get to a part of town where you are likely to get robbed or shot.
Should I just tell you the way, or is it more ethical to warn you?

> I am saying that it is never okay to lie, steal, cheat, deceive, etc.
>
> maybe we can talk about that? Ethics? - Do DNS admins have other
> ethics than those of normal people? Are DNS admins special? may they
> decide to be the Internet Executioners and is it okay for DNS Admins
> to lie, cheat or steal?
A lot of people I trust and respect work in that area and run DNS
resolvers that block/redirect DNS for various reasons: services (yes,
there are DNS services where the users request to be redirected),
trojan/malware protection, court orders, etc. Calling them unethical
IMHO is an insult. Humans are not black (0) and white (1); they come
in more shades and colours.

Other than that +1 to what Evan said (slightly modified):

"I hereby, with full knowledge and prior consent, give my resolver
(which I own) *permission* to falsely tell my browser (which I also own)
that malware domains don't exist.

The ethical conundrum having been resolved, we can now carry on with
documenting the mechanism some resolvers use."

So long
-Ralf
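The message above says the draft encodes its blocking/redirection policy
in a DNS zone file, and the thread argues about acting on the name versus
acting on the IP address. As an added example (not code from the draft,
from the poster, or from any resolver), here is a minimal Python evaluator
for that zone-file encoding, following the RPZ conventions: "CNAME ."
means NXDOMAIN, "CNAME *." means NODATA, "CNAME rpz-passthru." and
"CNAME rpz-drop." mean passthru and drop, any other record is Local Data,
and an "rpz-ip" owner name encodes a network as prefix length followed by
the address octets in reverse order. The policy zone name rpz.example,
every domain and address in SAMPLE_ZONE, and the sample queries are
constructed for this illustration.

```python
"""Minimal Response Policy Zone (RPZ) evaluator: QNAME and IP triggers.

Added illustration, not code from draft-vixie-dns-rpz or any resolver.
"""
import ipaddress

RPZ_ZONE = "rpz.example"  # hypothetical policy zone name

# Constructed sample policy zone. Owner names are relative to RPZ_ZONE,
# as they would be under "$ORIGIN rpz.example." in a real zone file.
SAMPLE_ZONE = """\
; QNAME triggers
phish.example           CNAME   .               ; NXDOMAIN
*.phish.example         CNAME   .               ; subdomains only, not phish.example itself
tracker.example         CNAME   *.              ; NODATA: name exists, no records
payroll.example         CNAME   rpz-passthru.   ; exempt from all later policies
malware.example         A       192.0.2.99      ; Local Data: answer with a walled-garden address
; IP trigger: any answer inside 192.0.2.0/24 (a hostile netblock in this example)
24.0.2.0.192.rpz-ip     CNAME   rpz-drop.       ; send no response at all
"""

SPECIAL_CNAMES = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-ONLY",
}


def action_for(rrtype, rdata):
    """Map one RPZ record to its policy action. Anything that is not one
    of the special CNAME targets is Local Data: rewrite the answer."""
    if rrtype == "CNAME" and rdata in SPECIAL_CNAMES:
        return (SPECIAL_CNAMES[rdata],)
    return ("LOCAL-DATA", rrtype, rdata)


def decode_rpz_ip(owner):
    """'24.0.2.0.192.rpz-ip' -> IPv4Network('192.0.2.0/24'):
    prefix length first, then the octets in reverse order."""
    labels = owner.split(".")
    if labels[-1] != "rpz-ip":
        raise ValueError("not an rpz-ip owner name: " + owner)
    prefix, rev_octets = labels[0], labels[1:-1]
    return ipaddress.ip_network(".".join(reversed(rev_octets)) + "/" + prefix)


def parse_rpz(text):
    """Parse 'owner type rdata' lines into QNAME rules and IP rules."""
    qname_rules, ip_rules = {}, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        owner, rrtype, rdata = line.split(None, 2)
        owner = owner.rstrip(".").lower()
        act = action_for(rrtype.upper(), rdata.strip())
        if owner.endswith(".rpz-ip"):
            ip_rules.append((decode_rpz_ip(owner), act))
        else:
            qname_rules[owner] = act
    # Longest prefix first so the most specific IP policy wins.
    ip_rules.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return qname_rules, ip_rules


def evaluate(qname, answer_ips, rules):
    """Return the policy action for a query, or None if no policy applies.
    QNAME triggers are checked before IP triggers, so a PASSTHRU on the
    name exempts it from the IP rules."""
    qname_rules, ip_rules = rules
    name = qname.rstrip(".").lower()
    # 1. QNAME trigger: exact owner, then the closest enclosing wildcard.
    act = qname_rules.get(name)
    if act is None:
        labels = name.split(".")
        for i in range(1, len(labels)):
            act = qname_rules.get("*." + ".".join(labels[i:]))
            if act is not None:
                break
    if act is not None:
        return act
    # 2. IP trigger on the addresses in the real answer.
    for ip in answer_ips:
        addr = ipaddress.ip_address(ip)
        for net, act in ip_rules:
            if addr in net:
                return act
    return None  # hand the real answer back unchanged


RULES = parse_rpz(SAMPLE_ZONE)

if __name__ == "__main__":
    # Constructed queries: (qname, addresses the upstream answer contained)
    for q, ips in [("login.phish.example", ["198.51.100.1"]),
                   ("payroll.example", ["192.0.2.10"]),
                   ("news.example", ["192.0.2.10"]),
                   ("news.example", ["198.51.100.7"])]:
        print(q, ips, "->", evaluate(q, ips, RULES))
```

The payroll.example and news.example cases show the point of ordering the
triggers: both resolve into the same netblock, but the name-level passthru
keeps the wanted site reachable while the IP rule drops the answer for
the other name. This is the kind of policy the message describes a
resolver applying on its owner's behalf.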