Moin!

On 7 Jan 2017, at 23:54, Scott Schmit wrote:

>>>> why you think hostile actors will do things with RPZ that they
>>>> couldn't do now?
>
> For the very reasons that the authors want to make this an RFC -- RPZ
> isn't interoperable between DNS resolvers today. Once this RFC is
> published, it's clearly hoped that RPZ will be more interoperable and
> thus widespread.
>
> It's true that countries can legislate anything they want, and the
> publication (or not) of an RFC won't change that.
>
> But the enforcement of laws costs resources, and resources are finite --
> so a country passing laws requiring network operators to filter and/or
> redirect will have no choice but to prioritize enforcement of such laws
> against other needs.

I don't know if you were ever involved in law creation, but I can assure you, being involved in lobbying lawmakers to make sensible laws and also implementing redirection via DNS, which is common in a lot of countries, that lawmakers give a damn about how much it costs providers to implement the redirection.

When implementing redirection via DNS I've seen every sort of possible input thrown at me, from snail mail to EBCDIC text files, PDF, you name it. The funniest case was one country that had different branches of the government issuing block lists, one with a Word document over FTP and the other with XML over HTTPS. I would love to have had a common format then and not re-invent the wheel on every new case. BTW, all of these implementations were in what one would consider democratic countries in Europe. (The nice thing about the EU is that even if you have an EU directive, you still get 27 different laws to follow if you are a pan-European provider ;-)

My point here is: if you don't like redirection and blocking via DNS (which IMHO is much better than mandating DPI - unless you are a DPI vendor ;-), get involved in politics and try to change that at OSI layer 9. None of the stuff we discuss here will change any law or mandated redirection, nor will it change the efforts of lots of sysadmins and security researchers using the discussed technology to block botnets and bad guys so they don't infect subscribers.

It just would be nice if these poor sysadmins had some common tools, but as said, we've solved problems without that until now, and as others said, RPZ actually might not be the best tool to express DNS policy configuration. Given the current state of the discussion, though, I have serious doubts that the working group would consider working on that at all.

So long
-Ralf

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop