> See the recent discovery that Heathrow Airport runs a MITM TLS server on torproject.org. Do we want them to run RPZ where they can disappear torproject.org altogether? No. Do we want them to run RPZ to prevent travelers from getting malware installed? Yes.
Just my crystal ball:

1) If the traveler's laptop/phone uses Heathrow Airport resolvers then Heathrow Airport can mount a denial of service on DNS. So it does not matter if the malware zone is signed or not. If Heathrow Airport modifies the reply the traveler will be protected.

2) It makes sense to do local validation with something like getdns. If such a local validating resolver notices that DNSSEC validation fails ("Roadblock Avoidance") it may contact auth. DNS servers directly.

3) Heathrow Airport can move to deep packet inspection and also block direct access to malware DNS.

4) DNS is not really private so Google may offer their DNS services over HTTPS.

5) Governments may force Google to block popular sites, so users switch to other DNS resolvers, again over HTTPS.

After step 5, any benign malware filtering options are probably lost. In that sense I don't care that much about the more philosophical arguments against RPZ. If you care about DNS, run a local DNSSEC validating resolver that does roadblock avoidance and possibly falls back to TLS or HTTPS to some trusted resolver.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
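Added example, not code from the message above or from getdns: a stub-side probe for the roadblock situation in point 2. It sends an A query with the EDNS0 DO bit to a resolver and classifies the reply as validatable (RRSIGs came back), dnssec-stripped (a path that will never let local validation succeed, so the stub should go to the authoritative servers or a trusted DoT/DoH resolver instead) or blocked (an injected error RCODE). `fake_reply` is a constructed stand-in for a resolver or tampering middlebox so the classifier can be exercised offline; the query name is taken from the quoted text, the signature bytes are placeholders and are not verified here.

```python
import socket, struct

RRSIG, TYPE_A = 46, 1

def _name(name):  # dotted name -> wire format
    return b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")) + b"\x00"

def build_query(name, txid=0x1234):
    """A/IN query with an EDNS0 OPT record (type 41) whose DO bit asks for RRSIGs."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + _name(name) + struct.pack(">HH", TYPE_A, 1) + opt

def _skip_name(msg, off):  # offset just past a (possibly compressed) name
    while msg[off] & 0xC0 != 0xC0 and msg[off] != 0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 else 1)

def classify(resp):
    """'blocked', 'dnssec-stripped' (a roadblock) or 'validatable' for a raw reply."""
    flags, qd, an, ns, ar = struct.unpack(">HHHHH", resp[2:12])
    if flags & 0xF:  # non-zero RCODE: NXDOMAIN/REFUSED injected somewhere on the path
        return "blocked"
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4
    rrsigs = 0
    for _ in range(an + ns + ar):
        off = _skip_name(resp, off)
        rtype, rdlen = struct.unpack(">HxxxxxxH", resp[off:off + 10])  # skip class and TTL
        off += 10 + rdlen
        rrsigs += rtype == RRSIG
    return "validatable" if rrsigs else "dnssec-stripped"

def fake_reply(name, strip_rrsig=False, rcode=0):
    """Constructed sample reply standing in for a resolver or a tampering middlebox."""
    rrs = [(TYPE_A, b"\xc0\x00\x02\x01")]  # 192.0.2.1, a documentation address
    if not strip_rrsig:
        rrs.append((RRSIG, b"\x00" * 18))  # placeholder signature bytes, never verified here
    header = struct.pack(">HHHHHH", 0x1234, 0x8180 | rcode, 1, len(rrs), 0, 0)
    body = _name(name) + struct.pack(">HH", TYPE_A, 1)
    for rtype, rdata in rrs:
        body += b"\xc0\x0c" + struct.pack(">HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + body

def probe(server, name="torproject.org", timeout=2.0):
    """Send the DO-bit query over UDP to a resolver and classify its reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify(s.recv(4096))
```

Run `probe("127.0.0.1")` against a local validating resolver and it should report validatable; the same probe against a hotspot's resolver that strips DNSSEC records reports dnssec-stripped, which is the cue to stop trusting that path.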