Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread ac
On Tue, 20 Dec 2016 01:23:10 -0500 "Allan Liska" wrote: > On 12/20/2016 at 12:31 AM, "ac" wrote: > > If you wish to consider a physical analog, there may be a general > > principle that one should not interfere with postal mail, but this > is challenged by the existence of the

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread ac
On Tue, 20 Dec 2016 06:12:42 + Evan Hunt wrote: > On Tue, Dec 20, 2016 at 07:30:43AM +0200, ac wrote: > > You are quite correct, but the minute you answer questions for other > > people the entire situation changes. > Not if they've contracted with me to answer their questions

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread Allan Liska
On 12/20/2016 at 12:31 AM, "ac" wrote: > If you wish to consider a physical analog, there may be a general > principle that one should not interfere with postal mail, but this is > challenged by the existence of the unabomber or the anthrax attacks. > In your example, you still require a court

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread Evan Hunt
On Tue, Dec 20, 2016 at 07:30:43AM +0200, ac wrote: > You are quite correct, but the minute you answer questions for other > people the entire situation changes. Not if they've contracted with me to answer their questions in a way that protects them from malware, it doesn't. > To rip the dam

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread ac
On Tue, 20 Dec 2016 04:56:06 + Evan Hunt wrote: > On Tue, Dec 20, 2016 at 06:42:02AM +0200, ac wrote: > > the reason why there is an ethical difference between Domain Names > > and IP resources starts with the fact that domain names are other > > people's actual intellectual

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread william manning
adding complexity in the middle of any system increases the size of an attack surface. true for SMTP, Firewalls, and DNS. This draft formalizes adding massive complexity throughout the DNS without a clear or crisp way to debug and correct problems, particularly since resolution issues will

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread Evan Hunt
On Tue, Dec 20, 2016 at 06:42:02AM +0200, ac wrote: > the reason why there is an ethical difference between Domain Names and > IP resources starts with the fact that domain names are other people's > actual intellectual (legal) property. There is also all the other > considerations, for example

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread ac
In advance, I do apologize for me taking additional bandwidth. I received many interesting off list emails, many did not understand why ethics regarding IP was different from that of names. I incorrectly assumed that everyone simply knew that there are differences. This may also be a basic

[DNSOP] dnsop - New Meeting Session Request for IETF 98

2016-12-19 Thread "IETF Meeting Session Request Tool"
A new meeting session request has just been submitted by Tim Wicinski, a Chair of the dnsop working group. - Working Group Name: Domain Name System Operations Area Name: Operations and Management Area Session Requester: Tim Wicinski

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread Vernon Schryver
] From: Scott Schmit wrote: ] But it looks like the contents of this zone are intended to be kept ] secret from end-users. Depending on one's view of end users, that notion conflicts with the final paragraph of section 6 on page 18: If a policy rule matches and results in

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread ac
I cannot reply to you, off list, as your email is broken. So, for the list, my reply: On Mon, 19 Dec 2016 11:34:16 + Jim Reid wrote: > > On 19 Dec 2016, at 09:50, ac wrote: > > you are answering for something that has implied trust and that you > > do not

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread ac
On Mon, 19 Dec 2016 10:59:57 + Tony Finch wrote: > ac wrote: > > To legitimize the telling of lies and to define protocols that hide > > the truth from users, (deception) for whatever reason, is wrong. > I agree. > That is why, if you are deploying RPZ, you

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread sthaug
> To be clear and to boil it down: This draft publishes a method to supply > different answers to different users and to hide the truth of those lies to > the same users. So do for instance BIND views. > Unless a registry, court or resource owner authorizes this, it is > lying, cheating,

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread Tony Finch
Scott Schmit wrote: > > If the admin's goal is to block access to malicious sites, then they > want to block the traffic, not falsify DNS. If the goal is to warn > users away from bad places, they can publish the list as a filter for > end-system firewalls. Blocking traffic

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread Tony Finch
ac wrote: > > To legitimize the telling of lies and to define protocols that hide > the truth from users, (deception) for whatever reason, is wrong. I agree. That is why, if you are deploying RPZ, you should do so in an ethical manner. When someone connects to your network, you

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread ac
On Mon, 19 Dec 2016 10:59:31 +0100 bert hubert wrote: > On Mon, Dec 19, 2016 at 11:50:02AM +0200, ac wrote: > Maybe the internet was a mistake then. But I don't think we'll > convince you. > Huge segments of the internet do think this is a good idea. And like > other

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread Ralf Weber
Moin! On 19 Dec 2016, at 8:28, ac wrote: On Mon, 19 Dec 2016 07:53:42 +0100 "Ralf Weber" wrote: So if this is the IP of a phishing site or the IP of a command and control host that tells its bot to execute criminal action you still valid the accuracy of the answer higher than

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread bert hubert
On Mon, Dec 19, 2016 at 11:50:02AM +0200, ac wrote: > > So please realise this is something that people need. Best that they > > do it in a standardized fashion. > > > > people also need tools to send out bulk emails. maybe bots. should we > start RFC's for that? We did in fact. All those things

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread ac
On Mon, 19 Dec 2016 10:38:46 +0100 bert hubert wrote: > On Mon, Dec 19, 2016 at 11:24:33AM +0200, ac wrote: > > when there is an RFC that describes how to lie and then adds > > deception, this is no longer something to negotiate or to discuss > > much. > > By this

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread Jim Reid
> On 19 Dec 2016, at 09:38, bert hubert wrote: > > So please realise this is something that people need. Best that they do it > in a standardized fashion. Indeed. And nobody’s putting a gun to Andre’s head to force him to “tell lies” with RPZ (or whatever).

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread bert hubert
On Mon, Dec 19, 2016 at 11:24:33AM +0200, ac wrote: > when there is an RFC that describes how to lie and then adds > deception, this is no longer something to negotiate or to discuss much. By this token any firewall is censorship and lies. Yet we still use them. We have also documented ways to

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread ac
On Mon, 19 Dec 2016 10:11:11 +0100 (CET) sth...@nethelp.no wrote: > > The law does not say : send "Pirate Bay" to "example.com" to deceive > > your users! it may instruct you to send coca-cola.org to > > coca-cola.com > > The law instructs me to tell customers the lie that various Pirate Bay >

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread bert hubert
On Mon, Dec 19, 2016 at 09:09:42AM +, Evan Hunt wrote: > On Mon, Dec 19, 2016 at 10:42:35AM +0200, ac wrote: > > it still is never okay to lie and to deceive. > > [...] > > This is simply about ethics. > > I hereby, with full knowledge and prior consent, give my resolver (which > I own)

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread Evan Hunt
On Mon, Dec 19, 2016 at 10:42:35AM +0200, ac wrote: > it still is never okay to lie and to deceive. > [...] > This is simply about ethics. I hereby, with full knowledge and prior consent, give my resolver (which I own) *permission* to falsely tell my browser (which I also own) that malware

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread ac
On Mon, 19 Dec 2016 09:16:28 +0100 (CET) sth...@nethelp.no wrote: > > > So if this is the IP of a phishing site or the IP of a command > > > and control host that tells its bot to execute criminal action > > > you still valid the accuracy of the answer higher than possible > > > damage this could

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread ac
On Mon, 19 Dec 2016 09:16:28 +0100 (CET) sth...@nethelp.no wrote: > > > So if this is the IP of a phishing site or the IP of a command > > > and control host that tells its bot to execute criminal action > > > you still valid the accuracy of the answer higher than possible > > > damage this could

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread sthaug
> > So if this is the IP of a phishing site or the IP of a command and > > control host that tells its bot to execute criminal action you still > > valid the accuracy of the answer higher than possible damage this > > could do to your user? > > > yes. > > In your example, ethically, it is a