Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

Ted Lemon <> Wed, 21 December 2016 17:29 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C6DD01297A8 for <>; Wed, 21 Dec 2016 09:29:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id EJTa2ajxoHLF for <>; Wed, 21 Dec 2016 09:29:33 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400d:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 417BB129438 for <>; Wed, 21 Dec 2016 09:29:33 -0800 (PST)
Received: by with SMTP id n21so83302974qka.3 for <>; Wed, 21 Dec 2016 09:29:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=8/k9b98hwoV7kTkcg1eQk/okSC/cm8PvWzsQQOrNALE=; b=O88d6BaRcYqQ8rjmJgPzboczkJSU7R481pKyzSBbpuHrZDl314fen/jOweZ+aP7KPV Pq3tqvJwhxig1zDsO6t+qd2jdt7KQ/O5w7piPjGD2QEJqZNcEKYzZlOFXdc5d3XYdDKD Yr9WVP34hoM5cplDvZe1gD066gijRBER37r3hGh4/0E58ml8DVoYapLDlDf1kCetyLlh KUb3wASe1aWmVDp/ZTDMyZZApbMY99rPJuuBIF0X222nlsPttzRDYbmtSRyFhl9UYz3a Lke0cUou7uBKgCnWFV0xpn1Y6++HyU21hFmUI36y49vNVbM330cGUxTjFpQnyb0Sj6g4 Ojew==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=8/k9b98hwoV7kTkcg1eQk/okSC/cm8PvWzsQQOrNALE=; b=owzUTyh9PFZ8hTdVVqGWTIGvRwb0UlaaS1oDefJGLuwotIdJJrsVyRPmPynnvwvgQE nTa7VBguW5VjaALXh+cH2FhUZ8OcSzyTqN/l+FzHZcnxPGsIscct7kAvRDVf+BS/3E7b UNvHlyun5Wd+NMGxxSOYlcMyF6VVIFaJvhBz5JTL1d+yEY4Sk7XFPGuZcW4sP7ePHHgW OaomXnNIiDkwnpMRcAVCKlKrcer88RQT8C2uaPmrdBc7mzYbMiHwcqTPsFM3IUgYT8Xi lezX1LUzhH0z59/bId8LoBSzQlknBj5NkD/c8UN5Tpon9pNExi4Xveal5dYMC0GtlX5M 5Cug==
X-Gm-Message-State: AIkVDXJSka+AizSy4bCUEG81Vmqja+cnMh4OerE383UFqc/FLansWl8zVXtsIWj7vgLQlw==
X-Received: by with SMTP id r62mr6519534qkc.21.1482341372173; Wed, 21 Dec 2016 09:29:32 -0800 (PST)
Received: from [] ( []) by with ESMTPSA id 16sm15934288qtt.38.2016. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 21 Dec 2016 09:29:31 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
From: Ted Lemon <>
In-Reply-To: <>
Date: Wed, 21 Dec 2016 12:29:29 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <>
To: Matthew Pounsett <>
X-Mailer: Apple Mail (2.3259)
Archived-At: <>
Cc: dnsop <>, Paul Wouters <>
Subject: Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 21 Dec 2016 17:29:35 -0000

Practically speaking, none of these changes are _required_.   The worse case scenario is that if someone looks up a malicious domain, you get back a bogus answer that doesn’t validate.   The resolver reports "no answer" because an answer that doesn’t validate is no answer.   The user sees that the page fails to load.   There is little they can do to bypass this, and they aren’t likely to have a sense of how to do it, so our job is pretty much done.

It would be _nice_ if the browser, for example, could get some kind of positive, signed assertion that some authority has claimed that the domain in question is malicious (or whatever).   This would be good mostly for the purpose of transparency, so it’s not clear that it makes any difference if it’s communicated to the user: people who care about transparency will be able to look it up, and, in particular, people who are interested in watching for censorship will have no problem at all noticing that it is happening.