-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In message <20161229054559.31443.qm...@ary.lan>, John Levine <jo...@taugh.com> writes
>>I'm seeing how it really helps governments cheaply create and enforce >>the creation of national internets -- especially with the walled garden >>features. Are those the good guys to you, or are there other benefits? > >Please see the previous gazillion messages from people who are using >RPZ in production to keep malware away from their users. > >Also see the previous gazillion messages noting that governments do >all sorts of DNS censorship now and don't need RPZ. Much DNS censorship in the UK (regimes vary) is only implemented by the largest ISPs because only they have been able to find the necessary engineering time (when you operate at scale it's not just about setting a config option...) The UK Government (who pressurise the ISPs to block child sexual abuse images, some file sharing sites and who have grandiose plans to have a centralised list of malware URLs) tends to be happy because 5 ISPs covers about 95% of the population... Everyone involved understands that there isn't at present a turnkey application that the other 5% (and indeed all the in-house corporate systems) could deploy.... so this also makes the people who don't want the Government messing with their DNS results happy as well because anyone who rolls their own system pretty much opts out. >Could you explain in more detail why you don't believe operators will >continue to use RPZ to protect their users, and why you think hostile >actors will do things with RPZ that they couldn't do now? I can foresee Governments taking IETF standardisation of RPZ (that will be their words) as a way of pressurising those who have not yet deployed it to do so -- using lists supplied by them. So although deploying RPZ does a reasonable job of papering over the cracks in our response to cybercrime I think that on balance it's too dangerous a tool for the IETF to wish to bless in any way -- it's poor social hygiene to standardise these types of tools. I also note from reading the draft that this blessing will freeze in some rather ugly design (with the authors arguing that the installed base cannot adjust to something cleaner). If the IETF must do anything in this space then documenting an interchange standard for DNS related badness (with annotations to hint at how this badness might affect a resolver) would seem better engineering and rather less dangerous. - -- Dr Richard Clayton <richard.clay...@cl.cam.ac.uk> Director, Cambridge Cybercrime Centre mobile: +44 (0)7887 794090 Computer Laboratory, University of Cambridge, CB3 0FD tel: +44 (0)1223 763570 -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBWGUE4zu8z1Kouez7EQJolQCePA1xB5kCbsbYHxWR5x/yBgRyT8kAn2EW JhXwn3xxerk+TDrhV3PftL/P =NInm -----END PGP SIGNATURE----- _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop