> Ted Lemon <mailto:[email protected]>
> Sunday, January 25, 2015 12:30 PM
>
>> Paul Vixie <mailto:[email protected]>
>> Sunday, January 25, 2015 12:15 PM
>>
>>> Hugo Maxwell Connery <mailto:[email protected]>
>>> Sunday, January 25, 2015 5:32 AM
>>> Hi,
>>>
>>> Below I show a trivial amount of work for compliance with
>>> draft-grothoff-iesg-special-use-p2p-names by caching
>>> recursive resolvers which have implemented Response
>>> Policy Zones (i.e. BIND and numerous others).
>>
>> sadly, i remain unaware of any non-BIND implementation of RPZ. if
>> there are any, please tell us, so that we can update the
>> <https://dnsrpz.info/> web site.
>
> Nominum offers a similar feature in our caching nameservers, unless I
> am missing something.

the difference is, RPZ is an open and common policy language for RDNS, and is not vendor-specific. it's possible for any security policy feed producer to generate threat intelligence in the RPZ format, and make it available to any RDNS operator whose name server understands RPZ. nominum has been doing policy feeds in its recursive name service product for many years, but the format is not open, and it's not meant to be a generic publish-subscribe method for any RDNS operator (whether or not they are a nominum customer) to subscribe and for any security policy feed producer (whether or not they are a nominum partner) to publish.

beyond that, there may be more or fewer features in the nominum caching name server than are described by RPZ. i don't know the details of the nominum product, and i have not seen any side-by-side comparison.

i would very much like to see nominum customers gain the ability to subscribe to RPZ feeds. but i'm going to work primarily with the open source DNS providers first, since a vibrant ecosystem would be my best argument for adoption.

TL;DR: nominum has had similar functionality to RPZ in their proprietary caching name server, for many years longer than RPZ has existed, but nominum's goal was apparently not an open multi-vendor policy marketplace, therefore RPZ has a place in the world, even though coming very late from nominum's perspective.

--
Paul Vixie

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
