Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2017-01-03 Thread David Conrad
Andre, On Dec 20, 2016, at 9:49 PM, ac wrote: > I once made a very cool tool, it improved the life of many people as it > allowed anyone to take over any pc running a certain operating system > with the sole and great purpose of helping more users. It too was > published, improved,

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-30 Thread Vernon Schryver
] From: Mukund Sivaraman ] This is also a good point. Perhaps just saying that RPZ zone transfers ] are not assumed to be atomic for the whole zone, but only at the ] RR/policy rule level will suffice? ] ] Paul mentioned during the RPZ bar/pub meeting that the purpose of this ] RFC

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-30 Thread Mukund Sivaraman
On Fri, Dec 30, 2016 at 11:45:23AM +, Vernon Schryver wrote: > Then there is what should happen if a transfer of a policy zone > happens between the time QNAME rules are checked and the generally > later time when NSIP and NSDNAME rules are checked. The draft tries > to pretend that all of

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-30 Thread Mukund Sivaraman
Hi Vernon On Fri, Dec 30, 2016 at 11:45:23AM +, Vernon Schryver wrote: > > From: Mukund Sivaraman > > > > In 4.1.1 (IP address encoding in triggers), I suggest adding: > > > > > > - The encoded address prefix MUST NOT not have any extra trailing 1s > > > (longer address

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-30 Thread Vernon Schryver
> From: Mukund Sivaraman > > In 4.1.1 (IP address encoding in triggers), I suggest adding: > > > > - The encoded address prefix MUST NOT not have any extra trailing 1s > > (longer address prefix than the prefix length) or the rule will be > > rejected. E.g., the following

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-30 Thread Mukund Sivaraman
Hi Vernon A couple of items: 1. I sent the following text to Paul, but it has missed making this revision of the draft. Please add it into the next revision. > In 4.1.1 (IP address encoding in triggers), I suggest adding: > > - The encoded address prefix MUST NOT not have any extra trailing 1s

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-22 Thread Vernon Schryver
> From: Paul Wouters > Some of us were not advocating for such text, although some text is surely > appropriate for the Security Considerations or Privacy Considerations > sections. I don't understand. Do you think more text needed? If so, please provide samples. >

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-22 Thread Paul Wouters
On Thu, 22 Dec 2016, Vernon Schryver wrote: SERVFAIL signaling DNSSEC validation failure is the equivalent to an HTTP 4yz failure status. Neither is a full and open disclosure to end users that censorship has occurred, because in both cases end users only understand that the internet is

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-22 Thread Vernon Schryver
> From: Tony Finch > Stephane Bortzmeyer wrote: > > > > No, blocking a communication is harsh but is not a lie. Returning HTTP > > code 451 (RFC 7725) is not a lie, the HTTP server clearly says "this > > is censored". > > > > In the case of the DNS, in the

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-22 Thread Tony Finch
Stephane Bortzmeyer wrote: > > No, blocking a communication is harsh but is not a lie. Returning HTTP > code 451 (RFC 7725) is not a lie, the HTTP server clearly says "this > is censored". > > In the case of the DNS, in the absence of a rcode equivalent to 451, > modifying the

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-21 Thread John Levine
>I hereby, with full knowledge and prior consent, *refuse* that my ISP >(or the hotel where I stay) modify DNS responses. I gather you live in France, where the government can and occasionally does require ISPs to change DNS responses so that requests for domains that a court considers illegal in

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-21 Thread sthaug
> > adding complexity in the middle of any system increases the size of an > > attack surface. > > +1 This was described in detail several times (see for instance this > report > ) > and

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-21 Thread Stephane Bortzmeyer
On Mon, Dec 19, 2016 at 10:38:46AM +0100, bert hubert wrote a message of 25 lines which said: > By this token any firewall is censorship and lies. Yet we still use > them. No, blocking a communication is harsh but is not a lie. Returning HTTP code 451 (RFC 7725) is

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-21 Thread Stephane Bortzmeyer
On Mon, Dec 19, 2016 at 08:58:23PM -0800, william manning wrote a message of 214 lines which said: > adding complexity in the middle of any system increases the size of an > attack surface. +1 This was described in detail several times (see for instance this report

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-21 Thread Stephane Bortzmeyer
On Mon, Dec 19, 2016 at 09:09:42AM +, Evan Hunt wrote a message of 20 lines which said: > I hereby, with full knowledge and prior consent, give my resolver > (which I own) *permission* to falsely tell my browser (which I also > own) that malware domains don't exist. I

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-21 Thread John Levine
In article you write: >>> Those malevolent actors are just as capable of using DNSSEC. >> >> A lot of the arguments I'm seeing here boil down to "my users are >> better off with a signed A record pointing to a site that installs >> Cryptolocker

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-21 Thread Scott Morizot
Speaking as a large enterprise operator (over 100,000 employees and contractors at over 600 sites as well as a significant public Internet presence) that has DNSSEC signed all public zones, the majority of internal zones, and has DNSSEC validation enabled at all levels throughout our recursive DNS

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-21 Thread Paul Wouters
On Wed, 21 Dec 2016, John Levine wrote: Those malevolent actors are just as capable of using DNSSEC. A lot of the arguments I'm seeing here boil down to "my users are better off with a signed A record pointing to a site that installs Cryptolocker than with an unsigned NXDOMAIN or SERVFAIL."

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-21 Thread John Levine
>Those malevolent actors are just as capable of using DNSSEC. A lot of the arguments I'm seeing here boil down to "my users are better off with a signed A record pointing to a site that installs Cryptolocker than with an unsigned NXDOMAIN or SERVFAIL." There may be a world in which that is true

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-21 Thread Ray Bellis
On 21/12/2016 14:54, Ted Lemon wrote: > I think the exit strategy for RPZ is DNSSEC. I don't follow this argument. RPZ is primarily used to protect end-users from visiting sites associated with malware, either because the A / result of a lookup resolves to a particular address, or

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-21 Thread Ted Lemon
William, I think the exit strategy for RPZ is DNSSEC. We really need to figure out how to get people to be able to reliably and safely set up DNSSEC. Despite Olaf’s excellent documents, we don’t really have that yet. I don’t think that operating DNSSEC should be as scary as it is, but

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-21 Thread william manning
Vernon won't see this, since he has blocked my email, but here goes. I think it is a huge mistake to adopt this work within the IETF. Although the IETF has, in the past, documented worst common practice, I suspect that this case is one where the WG chairs should tell the authors to take the work

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-20 Thread ac
On Tue, 20 Dec 2016 22:10:20 -0500 Olafur Gudmundsson wrote: > +1 > I agree this is ugly as ugly can be but that ship has sailed. > For interoperability sake let's just publish this with a note that > says something like this; > > This is documentation of fielded useful protocol.

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-20 Thread Olafur Gudmundsson
+1 I agree this is ugly as ugly can be but that ship has sailed. For interoperability sake let's just publish this with a note that says something like this; This is documentation of fielded useful protocol. This is ugly protocol and copying it is strongly discouraged. Olafur > On

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-20 Thread David Conrad
+1 Regards, -drc (speaking only for myself) > On Dec 20, 2016, at 4:02 PM, John Levine wrote: > >> "Not wanting to be recruited into a botnet" is another such consideration. >> Paul and Vernon invented a useful tool to help address it, and I'm >> in favor of documenting it. >

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-20 Thread John Levine
>"Not wanting to be recruited into a botnet" is another such consideration. >Paul and Vernon invented a useful tool to help address it, and I'm >in favor of documenting it. I would really prefer that the IETF not embarrass itself with a rerun of the NAT fiasco, in which TCP/IP purists yelled and

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-20 Thread ac
On Tue, 20 Dec 2016 07:49:59 -0500 Ted Lemon wrote: > On Dec 20, 2016, at 1:45 AM, ac wrote: > The point is that while you may believe that domains names are > property, and that a DNS server administrator who doesn’t honor that > property right is stealing,

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-20 Thread Ted Lemon
On Dec 20, 2016, at 1:45 AM, ac wrote: > It is not really an argument to say just because someone else has no > ethics it is also okay for me not to have ethics. Andre, you still haven’t given any reason why the IETF should care about your ethical beliefs. I’ve asked you several

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-20 Thread Jim Reid
> On 20 Dec 2016, at 06:40, ac wrote: > > my reply and opposition to the publication of the draft is that it is not > ethical. In that case, I suggest the WG notes your objection and otherwise ignores it. You don’t have a veto anyway: nobody does. The rest of us should now be

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread ac
On Tue, 20 Dec 2016 01:23:10 -0500 "Allan Liska" wrote: > On 12/20/2016 at 12:31 AM, "ac" wrote: > > If you wish to consider a physical analog, there may be a general > > principle that one should not interfere with postal mail, but this > is challenged by the existence of the

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread ac
On Tue, 20 Dec 2016 06:12:42 + Evan Hunt wrote: > On Tue, Dec 20, 2016 at 07:30:43AM +0200, ac wrote: > > You are quite correct, but the minute you answer questions for other > > people the entire situation changes. > Not if they've contracted with me to answer their questions

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread Allan Liska
On 12/20/2016 at 12:31 AM, "ac" wrote: > If you wish to consider a physical analog, there may be a general > principle that one should not interfere with postal mail, but this is > challenged by the existence of the unabomber or the anthrax attacks. > In your example, you still require a court

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread Evan Hunt
On Tue, Dec 20, 2016 at 07:30:43AM +0200, ac wrote: > You are quite correct, but the minute you answer questions for other > people the entire situation changes. Not if they've contracted with me to answer their questions in a way that protects them from malware, it doesn't. > To rip the dam

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread ac
On Tue, 20 Dec 2016 04:56:06 + Evan Hunt wrote: > On Tue, Dec 20, 2016 at 06:42:02AM +0200, ac wrote: > > the reason why there is an ethical difference between Domain Names > > and IP resources starts with the fact that domain names are other > > people's actual intellectual

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread william manning
adding complexity in the middle of any system increases the size of an attack surface. true for SMTP, Firewalls, and DNS. This draft formalizes adding massive complexity throughout the DNS without a clear or crisp way to debug and correct problems, particularly since resolution issues will

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread Evan Hunt
On Tue, Dec 20, 2016 at 06:42:02AM +0200, ac wrote: > the reason why there is an ethical difference between Domain Names and > IP resources starts with the fact that domain names are other people's > actual intellectual (legal) property. There is also all the other > considerations, for example

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread ac
In advance, I do apologize for me taking additional bandwidth. I received many interesting off list emails, many did not understand why ethics regarding IP was different from that of names. I incorrectly assumed that everyone simply knew that there are differences. This may also be a basic

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread Vernon Schryver
] From: Scott Schmit wrote: ] But it looks like the contents of this zone are intended to be kept ] secret from end-users. Depending on one's view of end users, that notion conflicts with the final paragraph of section 6 on page 18: If a policy rule matches and results in

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread ac
I cannot reply to you, off list, as your email is broken. So, for the list, my reply: On Mon, 19 Dec 2016 11:34:16 + Jim Reid wrote: > > On 19 Dec 2016, at 09:50, ac wrote: > > you are answering for something that has implied trust and that you > > do not

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread ac
On Mon, 19 Dec 2016 10:59:57 + Tony Finch wrote: > ac wrote: > > To legitimize the telling of lies and to define protocols that hide > > the truth from users, (deception) for whatever reason, is wrong. > I agree. > That is why, if you are deploying RPZ, you

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread sthaug
> To be clear and to boil it down: This draft publishes a method to supply > different answers to different users and to hide the truth of those lies to > the same users. So do for instance BIND views. > Unless a registry, court or resource owner authorizes this, it is > lying, cheating,

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread Tony Finch
Scott Schmit wrote: > > If the admin's goal is to block access to malicious sites, then they > want to block the traffic, not falsify DNS. If the goal is to warn > users away from bad places, they can publish the list as a filter for > end-system firewalls. Blocking traffic

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread Tony Finch
ac wrote: > > To legitimize the telling of lies and to define protocols that hide > the truth from users, (deception) for whatever reason, is wrong. I agree. That is why, if you are deploying RPZ, you should do so in an ethical manner. When someone connects to your network, you

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread ac
On Mon, 19 Dec 2016 10:59:31 +0100 bert hubert wrote: > On Mon, Dec 19, 2016 at 11:50:02AM +0200, ac wrote: > Maybe the internet was a mistake then. But I don't think we'll > convince you. > Huge segments of the internet do think this is a good idea. And like > other

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread Ralf Weber
Moin! On 19 Dec 2016, at 8:28, ac wrote: On Mon, 19 Dec 2016 07:53:42 +0100 "Ralf Weber" wrote: So if this is the IP of a phishing site or the IP of a command and control host that tells its bot to execute criminal action you still valid the accuracy of the answer higher than

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread bert hubert
On Mon, Dec 19, 2016 at 11:50:02AM +0200, ac wrote: > > So please realise this is something that people need. Best that they > > do it in a standardized fashion. > > > > people also need tools to send out bulk emails. maybe bots. should we > start RFC's for that? We did in fact. All those things

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread ac
On Mon, 19 Dec 2016 10:38:46 +0100 bert hubert wrote: > On Mon, Dec 19, 2016 at 11:24:33AM +0200, ac wrote: > > when there is an RFC that describes how to lie and then adds > > deception, this is no longer something to negotiate or to discuss > > much. > > By this

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread Jim Reid
> On 19 Dec 2016, at 09:38, bert hubert wrote: > > So please realise this is something that people need. Best that they do it > in a standardized fashion. Indeed. And nobody’s putting a gun to Andre’s head to force him to “tell lies” with RPZ (or whatever).

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread bert hubert
On Mon, Dec 19, 2016 at 11:24:33AM +0200, ac wrote: > when there is an RFC that describes how to lie and then adds > deception, this is no longer something to negotiate or to discuss much. By this token any firewall is censorship and lies. Yet we still use them. We have also documented ways to

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread ac
On Mon, 19 Dec 2016 10:11:11 +0100 (CET) sth...@nethelp.no wrote: > > The law does not say : send "Pirate Bay" to "example.com" to deceive > > your users! it may instruct you to send coca-cola.org to > > coca-cola.com > > The law instructs me to tell customers the lie that various Pirate Bay >

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread bert hubert
On Mon, Dec 19, 2016 at 09:09:42AM +, Evan Hunt wrote: > On Mon, Dec 19, 2016 at 10:42:35AM +0200, ac wrote: > > it still is never okay to lie and to deceive. > > [...] > > This is simply about ethics. > > I hereby, with full knowledge and prior consent, give my resolver (which > I own)

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread Evan Hunt
On Mon, Dec 19, 2016 at 10:42:35AM +0200, ac wrote: > it still is never okay to lie and to deceive. > [...] > This is simply about ethics. I hereby, with full knowledge and prior consent, give my resolver (which I own) *permission* to falsely tell my browser (which I also own) that malware

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread ac
On Mon, 19 Dec 2016 09:16:28 +0100 (CET) sth...@nethelp.no wrote: > > > So if this is the IP of a phishing site or the IP of a command > > > and control host that tells its bot to execute criminal action > > > you still valid the accuracy of the answer higher than possible > > > damage this could

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread ac
On Mon, 19 Dec 2016 09:16:28 +0100 (CET) sth...@nethelp.no wrote: > > > So if this is the IP of a phishing site or the IP of a command > > > and control host that tells its bot to execute criminal action > > > you still valid the accuracy of the answer higher than possible > > > damage this could

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-19 Thread sthaug
> > So if this is the IP of a phishing site or the IP of a command and > > control host that tells its bot to execute criminal action you still > > valid the accuracy of the answer higher than possible damage this > > could do to your user? > > > yes. > > In your example, ethically, it is a

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-18 Thread ac
On Mon, 19 Dec 2016 07:53:42 +0100 "Ralf Weber" wrote: > Moin! > Aloha > > DNS admins also have a fiduciary responsibility to their users. > > Other services also have implied fiduciary responsibility, like > > email, but DNS is a direct service - Your user is asking you,

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-18 Thread Ralf Weber
Moin! On 19 Dec 2016, at 6:05, ac wrote: > On Sun, 18 Dec 2016 23:45:34 + > "Adrien de Croy" wrote: >>> If the admin's goal is to block access to malicious sites, then >>> they want to block the traffic, not falsify DNS. If the goal is >>> to warn users away from bad

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-18 Thread ac
On Sun, 18 Dec 2016 23:45:34 + "Adrien de Croy" wrote: > > If the admin's goal is to block access to malicious sites, then > > they want to block the traffic, not falsify DNS. If the goal is > > to warn users away from bad places, they can publish the list as a > >

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-18 Thread Adrien de Croy
> If the admin's goal is to block access to malicious sites, then they > want to block the traffic, not falsify DNS. If the goal is to warn > users away from bad places, they can publish the list as a filter for > end-system firewalls. That may be your view about how blocking should work, but

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-18 Thread Scott Schmit
On Sun, Dec 18, 2016 at 07:59:44PM +, Tony Finch wrote: > Scott Schmit wrote: > > This doesn't magically make it possible for this DNS firewall to forge > > DNSSEC-signed data, so if a validating end-system is going to have its > > behavior modified, it would need to opt in. > > That's not

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-18 Thread Tony Finch
Scott Schmit wrote: > > This doesn't magically make it possible for this DNS firewall to forge > DNSSEC-signed data, so if a validating end-system is going to have its > behavior modified, it would need to opt in. That's not entirely true. An RPZ setup can lie

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-17 Thread ac
On Sat, 17 Dec 2016 18:27:51 GMT Vernon Schryver wrote: > > From: ac > > that is only your point of view, take off your sunglasses, it is > > bright outside, we are Making The Internet Great Again, writing > > protocols to tell lies, moving lines, exploring the

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-17 Thread Scott Schmit
On Fri, Dec 16, 2016 at 01:53:52PM -0800, internet-dra...@ietf.org wrote: > Abstract: >This document describes a method for expressing DNS response policy >inside a specially constructed DNS zone, and for recursive name >servers to use such policy to return modified results to DNS

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-17 Thread Vernon Schryver
> From: ac > that is only your point of view, take off your sunglasses, it is bright > outside, we are Making The Internet Great Again, writing protocols to > tell lies, moving lines, exploring the dark side of the force, a new > time is upon us, where toasters also make ice and ice

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-17 Thread ac
On Sat, 17 Dec 2016 08:05:36 -0500 Ted Lemon wrote: > We are already zooming down it at full speed. The night is dark and > full of ice weasels. > that is only your point of view, take off your sunglasses, it is bright outside, we are Making The Internet Great Again, writing

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-16 Thread ac
and so we all go down the slippery slope. On Fri, 16 Dec 2016 13:53:52 -0800 internet-dra...@ietf.org wrote: > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. This draft is a work item of the Domain Name System > Operations of the IETF. > > Title

[DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

2016-12-16 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations of the IETF. Title : DNS Response Policy Zones (RPZ) Authors : Paul Vixie Vernon Schryver