Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

joel jaeggli <joelja@bogus.com> Fri, 30 December 2016 02:29 UTC

To: william manning <chinese.apricot@gmail.com>, Vernon Schryver <vjs@rhyolite.com>
References: <kHKKXtEjTQZYFAGI@highwayman.com> <201612291815.uBTIFdW4015802@calcite.rhyolite.com> <CACfw2hi4Yu87CEfAaDLT0GuzQ8_nEF8hAnfXsPa4NmixB35cAA@mail.gmail.com>
From: joel jaeggli <joelja@bogus.com>
Message-ID: <c22dbbb7-2075-3743-c53f-70ee8ce0f42a@bogus.com>
Date: Thu, 29 Dec 2016 18:30:06 -0800
In-Reply-To: <CACfw2hi4Yu87CEfAaDLT0GuzQ8_nEF8hAnfXsPa4NmixB35cAA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/hsK1wgZs1OcybM3DUWo5MJCmu3E>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

On 12/29/16 1:51 PM, william manning wrote:
> "let's standardize this 'cause everyone does it" sounds like the medical
> community should have standardized on whiskey & leeches & coat hangers
> because that's what everyone did. If this work does proceed, I'd like to
> insist that it carry a disclaimer that it is designed specifically for
> closed networks and is not to be used in the Internet.

This sounds like an applicability statement to be included in the
introduction.

> Indeed, the draft is very clear this is for enclaves and not for open
> Internet use.
> 
> 
> /Wm
> 
> On Thu, Dec 29, 2016 at 10:15 AM, Vernon Schryver <vjs@rhyolite.com> wrote:
> 
>     > From: Richard Clayton <richard@highwayman.com>
> 
>     > Everyone involved understands that there isn't at present a turnkey
>     > application that the other 5% (and indeed all the in-house corporate
>     > systems) could deploy....
> 
>     I do not understand that.
>     If the command `nslookup -q=txt -class=CHAOS version.bind` to a UNIX
>     shell or Windows command prompt on your desktop says anything about
>     BIND, then chances are good that you are already using one of the
>     turnkey applications that in-house corporate systems and others have
>     already deployed and could configure.  Even if there is no sign of
>     BIND9 from that `nslookup` command, the odds are good that the recursive
>     server you use has an RPZ taint or will have within months.
> 
> 
>     > So although deploying RPZ does a reasonable job of papering over the
>     > cracks in our response to cybercrime I think that on balance it's too
>     > dangerous a tool for the IETF to wish to bless in any way -- it's poor
>     > social hygiene to standardise these types of tools.
> 
>     While I understand how a reasonable person can hold that position,
>     I think the papered cracks are not only less bad, but the best that
>     can be hoped for in the real world.
> 
> 
>     > I also note from reading the draft that this blessing will freeze in
>     > some rather ugly design (with the authors arguing that the installed
>     > base cannot adjust to something cleaner).
> 
>     That is not the intended meaning of the draft.  Instead it tried to
>     acknowledge the extreme difficulty of changing an installed base.
>     Words that convey that intended meaning would be appreciated.
> 
> 
>     Vernon Schryver    vjs@rhyolite.com
> 
>     _______________________________________________
>     DNSOP mailing list
>     DNSOP@ietf.org
>     https://www.ietf.org/mailman/listinfo/dnsop
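As an added illustration of the `nslookup -q=txt -class=CHAOS version.bind` check Vernon describes (this is not code from the thread, from BIND, or from any resolver project): the same query built in DNS wire format, plus a parser for the TXT reply that treats a non-zero RCODE as "version hidden". The function names and the sample version string are my own, and the response is constructed inline so the block runs offline.

```python
import struct

SAMPLE_VERSION = b"9.10.3-P4-Example"   # constructed, not a captured reply

def build_version_bind_query(txid=0x1234):
    # Wire-format equivalent of `nslookup -q=txt -class=CHAOS version.bind`
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + b"\x07version\x04bind\x00" + struct.pack("!HH", 16, 3)  # TXT, CH

def _skip_name(buf, off):
    # Advance past a (possibly compressed) domain name
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer, always 2 bytes
            return off + 2
        off += 1 + n

def parse_txt_answer(resp):
    # Return TXT strings from the answer section; [] when RCODE != 0
    # (many operators answer version.bind with REFUSED or a canned string)
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F:
        return []
    off = 12
    for _ in range(qd):           # skip the question section
        off = _skip_name(resp, off) + 4
    strings = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata, off = resp[off:off + rdlen], off + rdlen
        if rtype == 16:           # TXT RDATA is a run of <len><chars> strings
            i = 0
            while i < len(rdata):
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode("latin-1"))
                i += 1 + n
    return strings

def build_sample_response(txid=0x1234, version=SAMPLE_VERSION):
    # Constructed reply shaped like a BIND server's, for offline use
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, ANCOUNT=1
    question = build_version_bind_query(txid)[12:]
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 16, 3, 0, len(version) + 1)
    return header + question + rr + bytes([len(version)]) + version
```

To check a resolver you operate, send `build_version_bind_query()` over UDP to its port 53 and pass the datagram you get back to `parse_txt_answer()`; an empty list means the server refused or hid its version.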