Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

"John Levine" <johnl@taugh.com> Wed, 21 December 2016 00:03 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E74E129694 for <dnsop@ietfa.amsl.com>; Tue, 20 Dec 2016 16:03:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U97TxmExYila for <dnsop@ietfa.amsl.com>; Tue, 20 Dec 2016 16:03:00 -0800 (PST)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66678129401 for <dnsop@ietf.org>; Tue, 20 Dec 2016 16:03:00 -0800 (PST)
Received: (qmail 49712 invoked from network); 21 Dec 2016 00:03:05 -0000
Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 21 Dec 2016 00:03:05 -0000
Date: Wed, 21 Dec 2016 00:02:37 -0000
Message-ID: <20161221000237.24158.qmail@ary.lan>
From: John Levine <johnl@taugh.com>
To: dnsop@ietf.org
In-Reply-To: <20161220061242.GC63084@isc.org>
Organization:
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/iRbt3GiKJ5q2-Q0TtozK1CRMSeE>
Cc: each@isc.org
Subject: Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Dec 2016 00:03:01 -0000

>"Not wanting to be recruited into a botnet" is another such consideration.
>Paul and Vernon invented a useful tool to help address it, and I'm
>in favor of documenting it.

I would really prefer that the IETF not embarrass itself with a rerun
of the NAT fiasco, in which TCP/IP purists yelled and screamed and
insisted that NAT was evil, while in the real world it solved (still
solves) real problems, and everyone implemented it in various not very
transparent or compatible ways.

RPZ is ugly but it solves serious real world problems, and it's going
to be used all over the world regardless of what we do.  Just this
week I heard from a friend at a largish company that one of their
suppliers got hacked with the trendy new malware that hides in web
page images.  Without RPZ, approximately all of their Windows users
would have been infected, with RPZ none of them were.

If we want to offer advice and perhaps technical twiddles on how to
deploy RPZ to minimize surprises and make it easy to find and fix
mistakes, that would be swell.  Insisting that it's stupid and wrong
confirms the not ill-founded impression that dnsop is out of touch
with the real world.

So, yes, we should adopt this draft.

R's,
John