Stephane Bortzmeyer <bortzme...@nic.fr> wrote:
>
> No, blocking a communication is harsh but is not a lie. Returning HTTP
> code 451 (RFC 7725) is not a lie, the HTTP server clearly says "this
> is censored".
>
> In the case of the DNS, in the absence of a rcode equivalent to 451,
> modifying the answers of the authoritative name servers is a lie. But
> some are more or less serious lies: [snip]

I think it's wrong to look at this only from the point of view of protocol
signalling without taking into account the wider context.

For example, a web server can return a 451 response whose content conceals
from the end user that any censorship has occurred - the browser won't
make the HTTP status code clear. (For a non-malicious example, try
spotting the 404 on Wikipedia's "not found" page.)

In an RPZ deployment, if the substitute IP address hosts a web site
that explains the reason for the block, the admin is not trying to conceal
anything or mislead anyone, so it isn't a lie.

Protocol signalling can help, but it is a relatively trivial matter
compared to how the blocking technology is explained to the people who are
affected by it.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Lundy, Fastnet: West backing southwest later, 5 or 6, increasing 7, perhaps
gale 8 later. Rough or very rough. Showers. Good.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop