William, I think the exit strategy for RPZ is DNSSEC. We really need to figure out how to get people to be able to reliably and safely set up DNSSEC. Despite Olaf’s excellent documents, we don’t really have that yet. I don’t think that operating DNSSEC should be as scary as it is, but right now all the IETF advice on this topic is too general, requiring the installer to make decisions about their setup that the average IT person doesn’t know how to make.
We should have a document that says "look, if you don’t know any better, here is a way to set up DNSSEC that will make your users more secure than they are without it, and that will not blow up in your face (assuming you do it)." I’ve seen a few documents like that, but nothing out of the IETF; they are generally on someone’s personal web site, and don’t see wide distribution.

I think we need to stop thinking that there will be some shining day when the Internet is a safe place. The Internet is an ecosystem, and ecosystems have predators and parasites. We may not like it, it may violate our ideals, but it is reality, and denying reality doesn’t make it go away. What we should be doing is thinking like gardeners, not like machinists. Gardeners sometimes have to use methods for dealing with pests that allow us to have yummy food but aren’t so good for the pests. The same is true with the Internet.

(FWIW, I’m in favor of adoption, for precisely this reason.)

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop