> From: Tony Finch <d...@dotat.at>

> Stephane Bortzmeyer <bortzme...@nic.fr> wrote:
> >
> > No, blocking a communication is harsh but is not a lie. Returning HTTP
> > code 451 (RFC 7725) is not a lie, the HTTP server clearly says "this
> > is censored".
> >
> > In the case of the DNS, in the absence of a rcode equivalent to 451,
> > modifying the answers of the authoritative name servers is a lie. But
> > some are more or less serious lies: [snip]

SERVFAIL signaling DNSSEC validation failure is equivalent to an
HTTP 4yz failure status.  Neither is a full and open disclosure to end
users that censorship has occurred, because in both cases end users
only understand that the internet is broken.

But on the real Internet, HTTP 4yz results do not signal censorship,
because great firewalls, HTTP(S) proxies, and compliant PKI CAs are
used for invisible censorship, content injection, etc.


> In an RPZ deployment, if the substitute IP address hosts a web site
> that explains the reason for the block, the admin is not trying to conceal
> anything or mislead anyone, so it isn't a lie.

Yes, please see the endlessly repeated references to walled gardens
in the draft.  A good way to use RPZ is to rewrite IP addresses to
local walled gardens.  ISPs do that now to reduce help desk costs.


> Protocol signalling can help, but it is a relatively trivial matter
> compared to how the blocking technology is explained to the people who are
> affected by it.

I don't agree.  While my Aunt Mildred might understand the instructions
of a walled garden the next time she infects her computer, she'll never
understand RPZ, HTTPS proxies, or even firewalls.  Even if she had the
wit, she lacks the interest.

More important is that while DNS and HTTP lies can be used in open,
transparent, and virtuous ways, they won't be in the cases that justify
concern.  Perhaps that is why among the thundering about ethics, human
rights, honesty, evil, and that the draft must never ever in a million
years be accepted without warning text, no text has been proposed.  I
do not see how a principled stand for DNS honesty could accept any
warning text (or protocol signalling).

A better, more realistic, and more honest parallel to the concerns
about RPZ is the fight of governments against encryption.  RPZ and
encryption are just ideas.  It does not matter at this point whether
they might do more harm than good.  You can no more stop governments
and corporations from using DNS lies than governments can stop the use
of encryption.  They can't suppress the arithmetic of public key
encryption any more than you can make DNS server operators forget the
creative use of local zone files or keep all of the millions of code
jockeys like me from writing messaging apps and evil DNS code.  All
that you might do is to make encryption and RPZ less available for good.


Vernon Schryver    v...@rhyolite.com

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
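The walled-garden use of RPZ that Schryver points to above, modelled as an added example (not code from this message, from the RPZ draft, or from any DNS server): a constructed RPZ zone in the zone-file encoding the draft uses, plus a small Python matcher that applies its QNAME triggers to queries. The zone names, the 192.0.2.10 walled-garden address and the precedence rule (the trigger whose owner has the most labels wins, exact beating wildcard on a tie) are assumptions of this example; the action encodings (CNAME to ".", "*.", "rpz-passthru." and "rpz-drop.", anything else being local data returned in place of the real answer) are the ones the draft defines.

```python
"""Model of RPZ QNAME-trigger policy application.

Added example, not code from the original message, the RPZ draft, or
any resolver.  The zone text below is CONSTRUCTED for this example.
"""
from __future__ import annotations

from typing import NamedTuple, Optional

# Assumed address of a host that serves an explanatory "why was I blocked" page.
WALLED_GARDEN = "192.0.2.10"

# Constructed RPZ zone.  Encodings per the draft: CNAME "." = NXDOMAIN,
# CNAME "*." = NODATA, CNAME "rpz-passthru." = answer normally,
# CNAME "rpz-drop." = discard query, any other RR = local data.
RPZ_ZONE = f"""\
$TTL 1H
@                     SOA  LOCALHOST. hostmaster.example. 1 1h 15m 30d 2h
@                     NS   LOCALHOST.
; walled garden: rewrite the address to a host that explains the block
botnet-c2.example     A    {WALLED_GARDEN}
*.botnet-c2.example   A    {WALLED_GARDEN}
; plain NXDOMAIN for the apex, NODATA for everything under it
tracker.example       CNAME .
*.tracker.example     CNAME *.
; an exemption inside a blocked tree (exact owner outranks the wildcard)
safe.tracker.example  CNAME rpz-passthru.
; drop the query with no answer at all
flood.example         CNAME rpz-drop.
"""


class Rule(NamedTuple):
    owner: str       # lowercase, no trailing dot, with any leading "*." removed
    wildcard: bool   # True if the owner was written as *.owner
    rtype: str
    rdata: str


def parse_rpz(text: str) -> list[Rule]:
    """Parse the simple one-record-per-line zone syntax used above."""
    rules: list[Rule] = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()        # strip comments
        if not line or line.startswith(("$", "@")):  # directives, apex records
            continue
        owner, rtype, rdata = line.split(None, 2)
        owner = owner.lower().rstrip(".")
        wildcard = owner.startswith("*.")
        if wildcard:
            owner = owner[2:]
        rules.append(Rule(owner, wildcard, rtype.upper(), rdata.strip()))
    return rules


def decode_action(rule: Rule) -> tuple[str, Optional[str]]:
    """Map a matched rule to the policy action its rdata encodes."""
    if rule.rtype == "CNAME":
        target = rule.rdata.lower()
        special = {
            ".": "NXDOMAIN",
            "*.": "NODATA",
            "rpz-passthru.": "PASSTHRU",
            "rpz-drop.": "DROP",
            "rpz-tcp-only.": "TCP-ONLY",
        }
        if target in special:
            return (special[target], None)
    # Any other record is local data substituted for the real answer.
    return ("LOCAL-DATA", f"{rule.rtype} {rule.rdata}")


def apply_policy(qname: str, rules: list[Rule]) -> tuple[str, Optional[str]]:
    """Return (action, local_data) for a query name, or NO-MATCH if no trigger fires.

    Assumed precedence: RPZ wildcards match at any depth below the owner
    (unlike ordinary DNS wildcards); among matching triggers the one with
    the most owner labels wins, and an exact owner beats a wildcard on a tie.
    """
    qname = qname.lower().rstrip(".")
    best: Optional[tuple[tuple[int, bool], Rule]] = None
    for r in rules:
        hit = qname.endswith("." + r.owner) if r.wildcard else qname == r.owner
        if not hit:
            continue
        key = (r.owner.count(".") + 1, not r.wildcard)
        if best is None or key > best[0]:
            best = (key, r)
    if best is None:
        return ("NO-MATCH", None)
    return decode_action(best[1])


if __name__ == "__main__":
    rules = parse_rpz(RPZ_ZONE)
    for q in ("www.botnet-c2.example", "tracker.example", "a.b.tracker.example",
              "safe.tracker.example", "flood.example", "example.com"):
        print(f"{q:28} -> {apply_policy(q, rules)}")
```

The walled-garden rewrite is the first pair of rules: both the apex and everything below it resolve to the constructed 192.0.2.10, where an explanatory page can live. The `safe.tracker.example` line shows how an operator punches a hole through a wildcard block; when a resolver is configured with several policy zones, the draft gives precedence to the earlier zone, which this single-zone model does not cover.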
