On Sun, 18 Dec 2016 23:45:34 +0000
"Adrien de Croy" <adr...@qbik.com> wrote:
>  > If the admin's goal is to block access to malicious sites, then
>  > they want to block the traffic, not falsify DNS.  If the goal is
>  > to warn users away from bad places, they can publish the list as a
>  > filter for end-system firewalls.
> That may be your view about how blocking should work, but a lot of 
> companies are using systems like OpenDNS who would beg to differ with 
> you.
> In terms of many of the metrics admins like such as simplicity, 
> effectiveness, cost etc, then spoofing DNS comes out very favourably.

DNS admins also have a fiduciary responsibility to their users.

Other services also have implied fiduciary responsibility, like email,
but DNS is a direct service - Your user is asking you, right now, for a
fact, not a best guess. Your user is asking you: What are the
operators of my bank saying their IP number is?

While I am saying things that nobody is saying out loud (I may as
well continue down my own slippery slope...), DNS admins are
more important than other admins. DNS admins must be more sensitive to
their own ethics, their own truth.

When it is presented as "okay" or "normal" to create protocols for
telling lies, AND hiding those lies from their users, this is an indication
that a lack of understanding exists about how important it is to meet
the high trust expectations the world has on DNS.

Many arguments could be made why it is a good thing to "protect" users
by using DNS and many arguments could be made why using DNS is
completely wrong for this.

My objection to the continued publication of the subject matter in this draft
is not that.

My objection is that it is simply not ethical.

It is simply not right.

Andre





_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
