Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

Vernon Schryver <> Mon, 09 January 2017 23:38 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0F40512999B for <>; Mon, 9 Jan 2017 15:38:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.101
X-Spam-Status: No, score=-5.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-3.199, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FnELqLB0DFhA for <>; Mon, 9 Jan 2017 15:38:31 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6D37D129999 for <>; Mon, 9 Jan 2017 15:38:31 -0800 (PST)
Received: from (localhost []) by (8.15.2/8.15.2) with ESMTPS id v09NcFNp059807 ( version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <> env-from <>; Mon, 9 Jan 2017 23:38:16 GMT
Received: (from vjs@localhost) by (8.15.2/8.15.2/Submit) id v09NcEqm059806 for; Mon, 9 Jan 2017 23:38:14 GMT
Date: Mon, 09 Jan 2017 23:38:14 +0000
From: Vernon Schryver <>
Message-Id: <>
In-Reply-To: <>
X-DCC-Rhyolite-Metrics:; whitelist
Archived-At: <>
Subject: Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 09 Jan 2017 23:38:33 -0000

> From: Philip Homburg <>

> 1) If the traver's laptop/phone uses Heathrow Airport resolvers then Heathrow

>4) DNS is not really private so Google may offer their DNS services over HTTPS
> 5) Governments may force Google to block popular sites, so users switch to
>    other DNS resolvers, again over HTTPS.

but I don't know how clients bootstrap that API without classic DNS.

Regardless of that, what if Heathrow Airport deploys HTTPS proxies to
block child porn, drug, terrorist, and malware web pages as well as
attempts by corrupted laptops and smart phones to bypass blocks on
port 53 and reach evil or merely unfiltered DNS/HTTPS servers including
those run by Google?

> In that sense I don't care that much about the more philosophical arguments
> arguments against rpz. If you care about DNS, run a local DNSSEC validating
> resolver that does roadblock avoidance and possibly falls back to 
> TLS or HTTPS to some trusted resolver.

Everyone should do that, if necessary without knowing they're doing
it, such as with the help of validating resolver code in broswers.
Something like that is required to stop the fraud that is commercial PKI.
(Google's two alternatives to DANE are great for the Alexa 500 and
maybe the Alexa 5000, but useless or worse for the Alexa 100,000,000.)


] From: =?UTF-8?B?56We5piO6YGU5ZOJ?= <>

] But I think the document itself is very useful, so it would be nice if
] it's made more publicly available in other form, e.g., some
] white-paper kind or at a popular blog site.

That will happen whether or not the text gets an RFC number.  (If it
doesn't get a number, of course I will remove the IETF mumbo-jumbo.)
The current de facto standard status of RPZ suggests finding sufficient
popular web sites for publication is not an issue.

Disclaimer: Many people including the other author want the draft to
get an RFC number.  But my considered reaction the threats to not
publish, the demands to not publish without what I see as ill conceived
or worse fixes, and various other sentiments is more like
"Please don't throw me in the briar patch."

]                                 its not just ugly 

Yes, RPZ is a nasty, ugly, evil kludge that would not exist if I were
in charge of the Internet.

]                                                   but also has some
]   inherent flaws, such as that not all domain names can be represented
]   due to length limitation.

Yes, but do you know of a real life example cannot be rewritten because
the RPZ trigger name would be too long?

]                              In fact, not all existing implementations
]   of RPZ-like feature use this form as the primary way of rule
]   configuration (unbound is one example I happen to know of, and from
]   a quick look knot resolver also seems to adopt its own configuration
]   syntax).

Distributed blacklisting is one of or the most powerful aspect of RPZ.
I think (perhaps mistakenly) that the new blocking mechanism in
Unbound 1.6.0 lacks that aspect.

In addition, there is an RPZ patch for Unbound versions 1.5.4 through
1.6.0 that uses a separate daemon that acts like a slave master for
policy zones using AXFR/IXFR/NOTIFY.  However, I stopped maintaining
and deleted the patches for version 1.5.4 through 1.5.8 long ago.
Another caveat is that the work was for hire and so the daemon and its
interface .so are not open.  The patches to Unbound are open and have
been offered to NLnet Labs.

Vernon Schryver