On Mon, 19 Dec 2016 09:16:28 +0100 (CET) sth...@nethelp.no wrote:

> > > So if this is the IP of a phishing site or the IP of a command
> > > and control host that tells its bot to execute criminal action
> > > you still value the accuracy of the answer higher than possible
> > > damage this could do to your user?
> > yes.
> > In your example, ethically, it is a problem that should be
> > addressed on IP, not on DNS
> >
> > It is never okay to tell lies.
>
> Unfortunately the real world isn't that simple.
>

it actually is.

> Sometimes you are required by law to tell lies. Case in point: Various

it still is never okay to lie and to deceive.

If the law requires you to answer example.com as ipv4 xxx.xxx.xxx.xxx

The law does not say: send "Pirate Bay" to "example.com" to deceive your users!

it may instruct you to send coca-cola.org to coca-cola.com

but I am not aware of any court (on the planet?) that instructs people to lie, cheat, steal or deceive - maybe in the interests of national security, etc. - but arguing that is like pulling the dam from underneath the duck.

so, factually, the law is not instructing you to lie or to deceive.

the law is saying: do not resolve "pirate bay" or lie to your users or deceive your users!

Why would you say (or think that?) your reply is not addressing dishonesty at all?

This is simply about ethics.

dishonesty

> domains belonging to Pirate Bay and several other torrent providers
> have been explicitly blocked in Norway - explicitly as in: The biggest
> ISPs in Norway (I happen to work for one of these) have been told by
> the Oslo district court to block access to a list of domains supplied
> by the court, and that this is to be implemented through DNS blocking
> (lies, if you will).
>
> It doesn't matter whether I *like* this or not, and it also doesn't
> matter whether the domains in question are easily available by using
> OpenDNS, Google Public DNS, running your own name server, etc. ISPs
> are still required to block access as long as the verdict from the
> Oslo district court is valid.
>
> Today this blocking is done without using RPZ. Having RPZ standardized
> and implemented in more DNS software would make it possible to perform
> the same blocking as mentioned above with fewer moving parts and thus
> a simpler system less likely to have "interesting" failure modes.
>
> Note that it makes absolutely no difference to the blocking described
> above whether the RPZ draft is published as an RFC or not - in both
> cases the blocking would still be performed, because it is required
> by law.
>
> Steinar Haug, AS2116

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop