Moin!

On 19 Dec 2016, at 6:05, ac wrote:

> On Sun, 18 Dec 2016 23:45:34 +0000
> "Adrien de Croy" <adr...@qbik.com> wrote:
>>> If the admin's goal is to block access to malicious sites, then
>>> they want to block the traffic, not falsify DNS.  If the goal is
>>> to warn users away from bad places, they can publish the list as a
>>> filter for end-system firewalls.
>> That may be your view about how blocking should work, but a lot of
>> companies are using systems like OpenDNS who would beg to differ with
>> you.
>> In terms of many of the metrics admins like such as simplicity,
>> effectiveness, cost etc, then spoofing DNS comes out very favourably.
>
> DNS admins also have a fiduciary responsibility to their users.
>
> Other services also have implied fiduciary responsibility, like email,
> but DNS is a direct service - Your user is asking you, right now, for a
> fact, not a best guess. Your user is asking you : What are the
> operators of my bank saying their IP number is.
So if this is the IP of a phishing site or the IP of a command and
control host that tells its bot to execute criminal action, you still
value the accuracy of the answer higher than the possible damage this
could do to your user?

I don't and I've been using similar techniques either as employee of
a DNS operator or a DNS software vendor for 10 years now.

Local policy, which this is, always trumped validation, and in the end
the user can validate and find out that this answer doesn't validate
and then can try to find out why, but honestly most internet users
have no idea what DNS, let alone DNSSEC, is or how to deal with it.

Protecting Internet users with DNS by not letting them go to these
sites seems like a good idea to me and is also done by e.g. browser
vendors (have you complained to them? ;-).

Sure, this technology can be used for bad things, but that is true
for a lot of other technologies also. It's the use that makes them
bad and not the technology itself.

So long
-Ralf
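The point Ralf makes, that a local rewriting policy wins at the recursive resolver while a validating end system can still notice the answer does not validate, can be seen in a small model. The script below is an added illustration, not code from this thread or from any DNS software; it uses a keyed HMAC as a stand-in for the zone's RRSIG/DNSKEY pair so that it runs offline with the standard library, and the zone names, addresses and block list are constructed for the example. The structure of the check is what matters: the signature covers the name and rdata, so a rewritten answer fails validation whether the resolver strips the signature or copies the original one across, while a non-validating stub simply accepts the sinkhole address.

```python
"""Toy model: recursive resolver with a local DNS-rewriting policy meeting
a validating versus a non-validating stub. Added example; HMAC stands in
for DNSSEC signatures and all names/addresses are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

ZONE_KEY = b"constructed-zone-signing-key"  # stands in for the zone's DNSKEY
BLOCK_LIST = {"phish.example."}             # local policy at the recursive resolver
SINKHOLE = "127.0.0.1"                       # address the policy answers with


@dataclass(frozen=True)
class Answer:
    name: str
    rdata: str                 # A record address
    rrsig: Optional[bytes]     # None when no signature accompanies the answer


def sign(name: str, rdata: str) -> bytes:
    """Stand-in for RRSIG generation: the 'signature' binds name, type and rdata."""
    return hmac.new(ZONE_KEY, f"{name}|A|{rdata}".encode(), hashlib.sha256).digest()


# Constructed authoritative data, signed once with the zone key.
AUTHORITATIVE = {
    "bank.example.": Answer("bank.example.", "192.0.2.10", sign("bank.example.", "192.0.2.10")),
    "phish.example.": Answer("phish.example.", "198.51.100.7", sign("phish.example.", "198.51.100.7")),
}


def recursive_resolve(name: str, policy_mode: str = "strip") -> Answer:
    """Recursive resolver: return the signed answer unless local policy rewrites it.

    policy_mode 'strip' returns the sinkhole with no signature (the resolver
    cannot sign for the zone); 'copy' naively keeps the original RRSIG on the
    rewritten record, to show that this does not help it validate either.
    """
    real = AUTHORITATIVE[name]
    if name not in BLOCK_LIST:
        return real
    if policy_mode == "copy":
        return Answer(name, SINKHOLE, real.rrsig)
    return Answer(name, SINKHOLE, None)


def validate(answer: Answer) -> str:
    """Validating stub: 'secure' if the signature covers this exact rdata, else 'bogus'.

    A signed zone without a signature on the answer is bogus, not insecure;
    this toy omits the NSEC/unsigned-delegation case that makes a zone insecure.
    """
    if answer.rrsig is None:
        return "bogus"
    expected = sign(answer.name, answer.rdata)
    return "secure" if hmac.compare_digest(expected, answer.rrsig) else "bogus"


def lookup(name: str, validating: bool, policy_mode: str = "strip") -> tuple:
    """What the end system ends up with: (address, validation status)."""
    ans = recursive_resolve(name, policy_mode)
    status = validate(ans) if validating else "unchecked"
    return ans.rdata, status


if __name__ == "__main__":
    for name in ("bank.example.", "phish.example."):
        for validating in (True, False):
            for mode in ("strip", "copy"):
                print(name, "validating" if validating else "non-validating", mode, lookup(name, validating, mode))
```

Running it shows the asymmetry in the thread: the unrewritten bank answer is "secure" for the validating stub, the rewritten phishing answer is "bogus" in both policy modes (a validating stub would treat it as SERVFAIL), and the non-validating stub, the common case for end users, receives the sinkhole address with nothing flagged.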

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop