Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

Philip Homburg <> Mon, 09 January 2017 19:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4C427129588 for <>; Mon, 9 Jan 2017 11:53:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.5
X-Spam-Status: No, score=-0.5 tagged_above=-999 required=5 tests=[BAYES_05=-0.5] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FBvFnamWussp for <>; Mon, 9 Jan 2017 11:53:39 -0800 (PST)
Received: from ( [IPv6:2001:888:1044:10:2a0:c9ff:fe9f:17a9]) by (Postfix) with ESMTP id E6C9C129575 for <>; Mon, 9 Jan 2017 11:53:38 -0800 (PST)
Received: from ([::ffff:]) by with esmtp (Smail #127) id m1cQg0e-0000CcC; Mon, 9 Jan 2017 20:53:36 +0100
Message-Id: <>
From: Philip Homburg <>
References: <> <20161229163826.34758.qmail@ary.lan> <> <> <> <> <>
In-reply-to: Your message of "Mon, 9 Jan 2017 10:14:27 -0500 (EST) ." <>
Date: Mon, 09 Jan 2017 20:53:30 +0100
Archived-At: <>
Cc: Paul Wouters <>
Subject: Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 09 Jan 2017 19:53:41 -0000

>See the recent discovery that Heathrow Airport runs a
>MITM TLS server on Do we want them to run RPZ where they
>can disappear alltogether? No. Do we want them to run RPZ
>to prevent travelers from getting malware installed? Yes.

Just my crystal ball:
1) If the traver's laptop/phone uses Heathrow Airport resolvers then Heathrow
   Airport can mount a denial of service on DNS. So it does not matter if the
   malware zone is signed or not. If Heathrow Airport modifies the reply the
   traveler will be protected.
2) It makes sense to do local validation with something like getdns. If such a
   local validating resolver notices that DNSSEC validation fails ("Roadblock
   Avoidance") it may contact auth. DNS servers directly.
3) Heathrow Airport can move to deep packet inspection and also block
   direct access to malware DNS.
4) DNS is not really private so Google may offer their DNS services over HTTPS.
5) Governments may force Google to block popular sites, so users switch to
   other DNS resolvers, again over HTTPS.

After step 5, any benign malware filtering options are probably lost.

In that sense I don't care that much about the more philosophical arguments
arguments against rpz. If you care about DNS, run a local DNSSEC validating
resolver that does roadblock avoidance and possibly falls back to 
TLS or HTTPS to some trusted resolver.