Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

Vernon Schryver <> Thu, 29 December 2016 18:15 UTC

> From: Richard Clayton <>

> Everyone involved understands that there isn't at present a turnkey
> application that the other 5% (and indeed all the in-house corporate
> systems) could deploy....

I do not understand that.
If the command `nslookup -q=txt -class=CHAOS version.bind` to a UNIX
shell or Windows command prompt on your desktop says anything about
BIND, then chances are good that you are already using one of the
turnkey applications that in-house corporate systems and others have
already deployed and could configure.  Even if there is no sign of
BIND9 from that `nslookup` command, the odds are good that the recursive
server you use has an RPZ taint or will have within months.

> So although deploying RPZ does a reasonable job of papering over the
> cracks in our response to cybercrime I think that on balance it's too
> dangerous a tool for the IETF to wish to bless in any way -- it's poor
> social hygiene to standardise these types of tools.

While I understand how a reasonable person can hold that position,
I think the papered cracks are not only less bad, but the best that
can be hoped for in the real world.

> I also note from reading the draft that this blessing will freeze in
> some rather ugly design (with the authors arguing that the installed
> base cannot adjust to something cleaner).

That is not the intended meaning of the draft.  Instead it tried to
acknowledge the extreme difficulty of changing an installed base.
Words that convey that intended meaning would be appreciated.

Vernon Schryver