On Tue, Dec 20, 2016 at 07:30:43AM +0200, ac wrote:
> You are quite correct, but the minute you answer questions for other
> people the entire situation changes.

Not if they've contracted with me to answer their questions in a way that protects them from malware, it doesn't.

> To rip the dam from underneath the duck: You cannot legally resolve a
> non google IP number as "google.com" just because your t&c says you can
> do whatever you want.

If google.com is known to be sending malware or spam or other undesirable content (which it isn't), then of course I can. Or, instead of remapping the answer, I can return NXDOMAIN. This would not be theft; it would be a service provided to my malware-averse clientele. If they don't want this to happen then they should use some other resolver or run their own.

Now, if I remap google.com in order to *cause* my clients to receive malware or spam, then yes, I agree that I am being evil, and I hope everyone is using DNSSEC and SSL certificate validation and other such mechanisms to detect and avoid this.

> in DNS, it is much more subtle, it is about honesty, morality and ethics.

I remember when I stood up at my first IETF meeting and asserted the principle that the DNS should not lie. I was 40 years old. Just a starry-eyed kid with a dream.

Even then, though, the context of my statement was that there were technical considerations that made it regrettably necessary to lie in certain operational environments - specifically, some networks at the time were breaking when they received AAAA answers, so we'd added an option to filter those.

Such considerations take precedence over absolute truthfulness. "Not wanting to be recruited into a botnet" is another such consideration. Paul and Vernon invented a useful tool to help address it, and I'm in favor of documenting it.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop