Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt
"Ralf Weber" <dns@fl1ger.de> Mon, 19 December 2016 10:05 UTC
Return-Path: <dns@fl1ger.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2119129442 for <dnsop@ietfa.amsl.com>; Mon, 19 Dec 2016 02:05:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ymuR3P9Uu7q1 for <dnsop@ietfa.amsl.com>; Mon, 19 Dec 2016 02:05:48 -0800 (PST)
Received: from smtp.guxx.net (nyx.guxx.net [85.10.208.173]) by ietfa.amsl.com (Postfix) with ESMTP id 6B62312940A for <dnsop@ietf.org>; Mon, 19 Dec 2016 02:05:48 -0800 (PST)
Received: by nyx.guxx.net (Postfix, from userid 107) id 83DCE5F404CB; Mon, 19 Dec 2016 11:05:47 +0100 (CET)
Received: from [192.168.2.152] (p57B9F73C.dip0.t-ipconnect.de [87.185.247.60]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by nyx.guxx.net (Postfix) with ESMTPSA id 5208E5F4014B; Mon, 19 Dec 2016 11:05:46 +0100 (CET)
From: Ralf Weber <dns@fl1ger.de>
To: ac <ac@main.me>
Date: Mon, 19 Dec 2016 11:05:45 +0100
Message-ID: <7811D7ED-6638-490D-9608-72D8D7230ACD@fl1ger.de>
In-Reply-To: <20161219072930.8E646129530@ietfa.amsl.com>
References: <20161218224231.GB16301@odin.ulthar.us> <em8c69a376-3e56-437d-8fe4-d70af6aa0e63@bodybag> <20161219050559.6F643129497@ietfa.amsl.com> <5CAA0C17-B3F6-4518-90EC-9B0C59D75194@fl1ger.de> <20161219072930.8E646129530@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.6r5318)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Ldr9XieowW_XyClNbOUOdU6Mk5I>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Subject: Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Dec 2016 10:05:50 -0000
Moin! On 19 Dec 2016, at 8:28, ac wrote: > On Mon, 19 Dec 2016 07:53:42 +0100 > "Ralf Weber" <dns@fl1ger.de> wrote: >> So if this is the IP of a phishing site or the IP of an command and >> control host that tells its bot to execute criminal action you still >> valid the accuracy of the answer higher then possible damage this >> could do to your user? >> > yes. > > In your example, ethically, it is a problem that should be addressed > on IP, not on DNS So you are arguing for DPI inspection of all packets? That would be not what I want, but if you think this is more ethical go ahead. >> Sure this technology can be used to bad things, but that is true >> for a lot of other technologies also. It's the use that makes them >> bad and not the technology itself. >> > > this is exactly the same argument the authors of other software uses > and also argues for the use of DNS as a firewall, etc. Yes and I work for a company that produces such software, so what? > and you are of course correct: you are free to develop malware, write > virus and do anything your heart > desires. It is your DNS servers, you may do anything you like and > answer anything you want. Well I don't run DNS servers these days, but that's what I did when I ran them some time ago and I prevented a lot of bad activity on the network by doing so. > but, to publish protocols and request comments on how to operate a > botnet or do whatever you wish to do that is not ethical, is crossing > a line. Sorry you lost me there. This draft is describing a mechanism how to block/redirect stuff in DNS. I don't see how you could run a botnet with it and I know some stuff on bonnets that use DNS. This draft just uses a DNS zone file format to achieve this blocking/ redirection. While this may not be the best way to encode policy, it seems to be the one lots of DNS people can agree on. > I assume you are saying that it is okay to lie, cheat (and steal?) if > the reason you are doing it is well intended? - Please correct me if I > am wrong? I never said such a thing and while I know it is common these days to accuse people with different opinions as liars or non ethical it is just that a different opinion. And while I usually hate metaphors let's try one here. Say if I work on an information counter and you ask me how to get to a part of town where you are likely to get robbed or shot, should I just tell you the way or is it more ethical to warn you. > I am saying that it is never okay to lie, steal, cheat, deceive, etc. > > maybe we can talk about that? Ethics? - Do DNS admins have other > ethics > than those of normal people? Are DNS admins special? may they decide > to > be the Internet Executioners and is it okay for DNS Admins to lie, > cheat or steal? A lot of people I trust and respect work in that area and run DNS resolvers that block/redirect DNS for various reasons: services (yes there are DNS services where the users request to be redirected), trojan/malware protection, court orders, etc. Calling them non ethical IMHO is an insult. Humans are not black (0) and white (1), the come in more shades and colours. Other than that +1 to what Evan said (slightly modified): "I hereby, with full knowledge and prior consent, give my resolver (which I own) *permission* to falsely tell my browser (which I also own) that malware domains don't exist. The ethical conundrum having been resolved, we can now carry on with documenting the mechanism some resolvers use." So long -Ralf
- [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt internet-drafts
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ted Lemon
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Vernon Schryver
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Scott Schmit
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Tony Finch
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Scott Schmit
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Adrien de Croy
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ralf Weber
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt sthaug
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Evan Hunt
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt bert hubert
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt bert hubert
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Jim Reid
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt bert hubert
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ralf Weber
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Tony Finch
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Tony Finch
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt sthaug
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Vernon Schryver
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Evan Hunt
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt william manning
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Evan Hunt
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Allan Liska
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Jim Reid
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ted Lemon
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt David Conrad
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt John Levine
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Olafur Gudmundsson
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt william manning
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ted Lemon
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ray Bellis
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ted Lemon
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt John Levine
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Paul Wouters
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Scott Morizot
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt John Levine
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Stephane Bortzmeyer
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Stephane Bortzmeyer
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Stephane Bortzmeyer
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt sthaug
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt John Levine
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Tony Finch
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Vernon Schryver
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Paul Wouters
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt John Levine
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Vernon Schryver
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Mukund Sivaraman
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Vernon Schryver
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Vernon Schryver
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Mukund Sivaraman
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Mukund Sivaraman
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt David Conrad