Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

Viktor Dukhovni <> Sat, 31 December 2016 20:27 UTC

On Thu, Dec 29, 2016 at 05:45:59AM -0000, John Levine wrote:

> >I'm seeing how it really helps governments cheaply create and enforce
> >the creation of national internets -- especially with the walled garden
> >features.  Are those the good guys to you, or are there other benefits?
>
> Please see the previous gazillion messages from people who are using
> RPZ in production to keep malware away from their users.
>
> Also see the previous gazillion messages noting that governments do
> all sorts of DNS censorship now and don't need RPZ.
>
> Could you explain in more detail why you don't believe operators will
> continue to use RPZ to protect their users, and why you think hostile
> actors will do things with RPZ that they couldn't do now?

If providers have been, are now, and are going to keep using
mechanisms like RPZ, for their own internal reasons, sans any
"standard", why is there a need to make it easier for outside forces
to pressure providers to use such mechanisms to exert control over
their users rather than protect them from harm?

This technology is not ethically neutral, and some care is I think
appropriate to avoid harms.  It is I think prudent to broaden the
analysis beyond "Once the rockets are up, who cares where they come
down? ..."[1]

Though the irony does not escape me; let a hundred flowers bloom...