Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

Warren Kumari <> Sat, 31 December 2016 23:32 UTC

On Sat, Dec 31, 2016 at 5:00 PM Ted Lemon <> wrote:

> On Dec 31, 2016, at 3:27 PM, Viktor Dukhovni <> wrote:
>> why is there a need to make it easier for outside forces
>> to pressure providers to use such mechanisms to exert control over
>> their users rather than protect them from harm?
>
> There is no _way_ to make it easier for said outside forces to pressure
> providers.   They have the force of law on their side.   What we do makes
> no difference in that arena.   The arena in which it _does_ make a
> difference is protecting people from losing their homes because they got
> suckered by some malware that got into their personal records on their
> computer.

Another arena in which we have some control is how well implemented and
interoperable the feature is -- if we document RPZ properly then,
regardless of why it is being deployed, at least it will behave
deterministically across implementations.

RPZ is already implemented in nameserver software -- if the feature exists,
I'd like it to work the same wherever it gets used, and not cause
collateral damage...

P.S. / full disclosure: I happen to use RPZ, and have for a number of years
-- I run a number of (personal) mailing lists on my own mailserver, and use
a number of RPZ feeds (e.g. Spamhaus' DBL) for spam mitigation.

> IOW, the argument you are presenting has nothing to do with the choice
> that faces us.   If you want to make the case for rpz being a bad thing,
> the argument you should be making would have to show why protecting people
> in this way is the wrong solution to the problem, and why some other
> solution to the problem (e.g., a blacklist in the browser) is less bad.
> Can’t we have that conversation, instead of these repeated assertions
> about things over which we have no control?