Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

Stephane Bortzmeyer <bortzmeyer@nic.fr> Wed, 21 December 2016 21:19 UTC

Date: Wed, 21 Dec 2016 22:19:18 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: bert hubert <bert.hubert@powerdns.com>
Message-ID: <20161221211918.zpo23oxt5iduhv6y@nic.fr>
References: <20161219.101111.41661466.sthaug@nethelp.no> <20161219092509.0DBA5129452@ietfa.amsl.com> <20161219093846.GA25654@server.ds9a.nl>
In-Reply-To: <20161219093846.GA25654@server.ds9a.nl>
Organization: NIC France
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/o5mEOOJx8nDaUojZkCC7bcKYPMs>
Cc: dnsop@ietf.org, ac <ac@main.me>

On Mon, Dec 19, 2016 at 10:38:46AM +0100,
 bert hubert <bert.hubert@powerdns.com> wrote 
 a message of 25 lines which said:

> By this token any firewall is censorship and lies. Yet we still use
> them.

No, blocking a communication is harsh but is not a lie. Returning HTTP
code 451 (RFC 7725) is not a lie: the HTTP server clearly says "this
is censored".

In the case of the DNS, in the absence of an rcode equivalent to 451,
modifying the answers of the authoritative name servers is a lie. But
some are more or less serious lies:

* returning SERVFAIL is a mild lie (it is close to the behaviour of
  a firewall blocking communications, and it is compatible with
  DNSSEC)

* returning a false IP address is a very serious lie. This is what
  phishers and other miscreants would like to do, while we are
  supposed to defend the integrity of the DNS.

The draft allows both, and does not warn about the severity of the
different possible lies.