> > So if this is the IP of a phishing site or the IP of a command and
> > control host that tells its bot to execute criminal action, you still
> > value the accuracy of the answer higher than the possible damage this
> > could do to your user?
> > > yes.
>
> In your example, ethically, it is a problem that should be addressed on IP,
> not on DNS
>
> It is never okay to tell lies.
Unfortunately the real world isn't that simple. Sometimes you are required by law to tell lies.

Case in point: Various domains belonging to Pirate Bay and several other torrent providers have been explicitly blocked in Norway - explicitly as in: The biggest ISPs in Norway (I happen to work for one of these) have been told by the Oslo district court to block access to a list of domains supplied by the court, and that this is to be implemented through DNS blocking (lies, if you will).

It doesn't matter whether I *like* this or not, and it also doesn't matter whether the domains in question are easily available by using OpenDNS, Google Public DNS, running your own name server, etc. ISPs are still required to block access as long as the verdict from the Oslo district court is valid.

Today this blocking is done without using RPZ. Having RPZ standardized and implemented in more DNS software would make it possible to perform the same blocking as mentioned above with fewer moving parts and thus a simpler system less likely to have "interesting" failure modes.

Note that it makes absolutely no difference to the blocking described above whether the RPZ draft is published as an RFC or not - in both cases the blocking would still be performed, because it is required by law.

Steinar Haug, AS2116

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
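The court-ordered domain blocking Steinar describes, expressed as an RPZ zone, as an added example that is not part of the original message and not any ISP's actual configuration. It assumes a hypothetical policy zone name rpz.example and a constructed domain list (not a real court order); the policy-action encodings (CNAME targets ".", "*.", "rpz-passthru.", "rpz-drop.") are those of the RPZ draft, while the lookup function is a simplified model of RPZ QNAME precedence (exact trigger beats wildcard, longest wildcard wins), not a resolver implementation.

```python
"""Added example (not from the DNSOP thread): generate an RPZ zone from a
court-supplied domain list and model how a resolver would apply it.

Assumptions (hypothetical): zone name rpz.example, a constructed domain
list, and a simplified precedence model (exact QNAME rule beats wildcard
rule, longest wildcard wins). Action encodings follow the RPZ draft.
"""
from typing import Dict, Optional

# RPZ encodes the policy action in the CNAME target of the rule.
ACTIONS = {
    "NXDOMAIN": ".",               # answer "name does not exist"
    "NODATA": "*.",                # name exists, but no records
    "PASSTHRU": "rpz-passthru.",   # exempt this name from the policy
    "DROP": "rpz-drop.",           # silently drop the query
}
TARGET_TO_ACTION = {v: k for k, v in ACTIONS.items()}

# Constructed court list (not a real court order); mixed case and trailing
# dots are deliberate, to show normalisation and de-duplication.
COURT_LIST = [
    "BlockedSite.example",
    "blockedsite.example.",
    "other-torrent.example",
]
# Constructed exemption: one name under a blocked domain kept reachable.
EXEMPT = ["status.blockedsite.example"]


def normalise(name: str) -> str:
    """Canonical owner name: lower-case, trimmed, no trailing dot."""
    return name.strip().rstrip(".").lower()


def build_rpz_zone(zone: str, blocked, exempt=(), action="NXDOMAIN",
                   serial=1) -> str:
    """Return zone text with one exact and one wildcard rule per blocked
    name, plus an exact PASSTHRU rule for every exemption."""
    target = ACTIONS[action]
    lines = [
        "$TTL 300",
        f"$ORIGIN {zone}.",
        f"@ SOA localhost. hostmaster.{zone}. {serial} 3600 900 2592000 300",
        "@ NS localhost.",
    ]
    seen = set()
    for raw in blocked:
        name = normalise(raw)
        if not name or name in seen:
            continue  # skip blanks and duplicates in the supplied list
        seen.add(name)
        lines.append(f"{name} CNAME {target}")      # the domain itself
        lines.append(f"*.{name} CNAME {target}")    # everything below it
    for raw in exempt:
        lines.append(f"{normalise(raw)} CNAME {ACTIONS['PASSTHRU']}")
    return "\n".join(lines) + "\n"


def rules_from_zone(zone_text: str) -> Dict[str, Dict[str, str]]:
    """Parse the CNAME rules back out, split into exact and wildcard triggers."""
    rules: Dict[str, Dict[str, str]] = {"exact": {}, "wild": {}}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "CNAME":
            continue  # directives, SOA and NS are not policy rules
        owner, target = parts[0], parts[2]
        action = TARGET_TO_ACTION.get(target, "LOCAL-DATA")
        if owner.startswith("*."):
            rules["wild"][owner[2:]] = action
        else:
            rules["exact"][owner] = action
    return rules


def lookup(rules: Dict[str, Dict[str, str]], qname: str) -> Optional[str]:
    """Policy action for a query name, or None when no rule matches.
    Simplified RPZ precedence: an exact trigger wins over wildcards, and
    among wildcards the one with the most labels (closest enclosing name)."""
    q = normalise(qname)
    if q in rules["exact"]:
        return rules["exact"][q]
    best = None
    for suffix, action in rules["wild"].items():
        if q.endswith("." + suffix):
            if best is None or suffix.count(".") > best[0].count("."):
                best = (suffix, action)
    return best[1] if best else None


if __name__ == "__main__":
    zone = build_rpz_zone("rpz.example", COURT_LIST, EXEMPT)
    print(zone)
    rules = rules_from_zone(zone)
    for name in ["blockedsite.example", "www.BlockedSite.example.",
                 "status.blockedsite.example", "notblockedsite.example"]:
        print(f"{name:32} -> {lookup(rules, name)}")
```

The generated zone is loaded into BIND with `response-policy { zone "rpz.example"; };` in named.conf (other RPZ-capable resolvers have equivalent knobs). Two details matter for the "fewer moving parts" point: the wildcard rule is what makes `www.` and every other label under a listed domain disappear without listing them individually, and an exact `rpz-passthru.` rule is the sanctioned way to carve out a name that must keep working, rather than editing the list by hand. A name that merely ends in the same characters (`notblockedsite.example`) does not match, because matching is on label boundaries.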