Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

Stephane Bortzmeyer <bortzmeyer@nic.fr> Wed, 21 December 2016 20:46 UTC

Date: Wed, 21 Dec 2016 21:45:50 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: tjw ietf <tjw.ietf@gmail.com>
Message-ID: <20161221204550.wv6vz77euvx6sjpm@nic.fr>
References: <CADyWQ+ETSd199ok0fgh=PB=--hW7buPgSoCg22aK51Bk4xxBmw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CADyWQ+ETSd199ok0fgh=PB=--hW7buPgSoCg22aK51Bk4xxBmw@mail.gmail.com>
X-Operating-System: Debian GNU/Linux stretch/sid
X-Kernel: Linux 4.7.0-1-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: NeoMutt/20161126 (1.7.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kAF6SnpQ582COIya7L1ytMGVVak>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

On Tue, Dec 20, 2016 at 10:16:58AM -0500,
 tjw ietf <tjw.ietf@gmail.com> wrote 
 a message of 79 lines which said:

> The draft is being presented as "Informational", and the point here is to
> document current working behavior in the DNS (for the past several years).
...
> This starts a Call for Adoption for draft-vixie-dns-rpz

Because there is a huge risk of misuse of this technique (for
censorship), and because the current draft has no warning about these
risks, I disagree with adoption by the WG. I know that adoption does
not mean that the document is perfect, and that warnings about the
risks could always be added during the WG work on the document but it
is too important to rely on possible future changes. I don't want this
document to be adopted before there are clear explanations of the
risks and consequences. The work we do at the IETF has consequences
(if not, we should shut down the working group and go fishing or
gardening.) We need to consider these consequences, not to wash our
hands saying "we just describe a technique, we are not responsible for
its use". [Speaking of this responsability, the draft
draft-irtf-hrpc-research is in Research Group Last Call in the HRPC
research group. Reviewe welcome.]

Regarding the "people are doing it anyway, better to publish an RFC
than to have proprietary variants" argument, I think we should also
consider the strategic risks for the DNS: lying resolvers train
people to distrust the DNS, to move to alternative systems which have
their own dangers and are not always well-designed.