Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

ting botnet's C&C network or redirect users to malware. If the location of the RPZ servers is hidden, diagnosing network problems becomes much more difficult. This has the net effect of making the DNS less reliable. The widespread use of captive portals has already made implementation of e

Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

> Could you explain in more detail why you don't believe operators will > continue to use RPZ to protect their users, and why you think hostile > actors will do things with RPZ that they couldn't do now? I was specifically asking about the redirect/record replace

Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

r IETF & WG change control. If that's not the intent, then the document should not be adopted. -- Scott Schmit ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

On Sun, Dec 18, 2016 at 07:59:44PM +, Tony Finch wrote: > Scott Schmit wrote: > > This doesn't magically make it possible for this DNS firewall to forge > > DNSSEC-signed data, so if a validating end-system is going to have its > > behavior modified, it would need to

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

t would highlight where this is being used, since only affected domains would have their lookups broken. The natural counter to that would be to deliberately break DNSSEC everywhere to blind end-users to where they're being lied to. So this, if implemented, is ultimately a DNSSEC-killer. --

Re: [DNSOP] Declaring HTTPS mandatory in the DNS

er? Perhaps you're thinking of this expired draft: draft-hoffman-server-has-tls? -- Scott Schmit smime.p7s Description: S/MIME cryptographic signature ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] on "Negative Trust Anchors"

On Mon, Apr 16, 2012 at 08:32:59AM -0700, David Conrad wrote: > On Apr 16, 2012, at 4:52 AM, Scott Schmit wrote: > > Please explain how operators will prevent this, and why they can > > afford to remove a zone from the NTA list (while it is still > > failing) but couldn

Re: [DNSOP] on "Negative Trust Anchors"

On Sun, Apr 15, 2012 at 09:24:35PM -0700, David Conrad wrote: > On Apr 15, 2012, at 6:28 PM, Scott Schmit wrote: > > It's manual for now...until the utter lack of consequences for screwing > > up (everybody can still get to the broken zones just fine) junks up the > > N

Re: [DNSOP] on "Negative Trust Anchors"

themselves, they don't see the ISP page, but all DNS resolvers look the same to them (i.e., switching to 8.8.8.8 won't fix it) so they'll eventually realize its their own machine, etc. I'm not entirely sure I like that solution, but I think I like it better. -- Scott Schmit

Re: [DNSOP] on "Negative Trust Anchors"

spam blacklists), then there's something to talk about, but in that case I'd want it to be secured via DNSSEC, and let's hope the operators of those don't screw up or start blacklisting each other. (Either on purpose or due to unfortunate timing.) Attacking DLNV zones would have