[NCSG-Discuss] beyond take down

Timothe Litt litt at ACM.ORG
Wed Nov 23 17:29:28 CET 2011


Avri,

I don't speak for ISC - I do use BIND and so follow developments.

My understanding is that ISC developed Response Policy Zones as an
engineered approach to demand from some of its customers.  The Technical
Note describes the database format that BIND uses for policies, which looks
like a DNS zone but is not served like one.  I believe that the tech note
was published to encourage adoption by non-BIND implementations with similar
requirements, and to encourage distribution of policies in this format.

I have not heard of plans to turn this into an Internet Draft, standard or
RFC - personally, I would think that until there is experience with the
technology it's premature.  This is a messy area (technically as well as
politically) and I would expect it to either evolve or die.

But the best place to get an answer about their intentions is ISC.  Why not
drop Paul Vixie a line?  His e-mail address is well-known - or you can use
www.isc.org/blogs/vixie or www.isc.org/contact

FWIW, personally: I understand the demand and why ISC responded.  I'm even
sympathetic to trying to solve some of the problems that it attacks.  But I
hope this dies.  DNS should be simply an honest name service.  Access
controls may be informed by DNS results, but need to be implemented at lower
levels (e.g. IP address/port/protocol) to be effective.  One way to help
kill it is to encourage widespread adoption of DNSSEC, since modified
responses will not validate.  (Liars can't sign the responses with a key in
the chain of trust.)  But as the references that I provided show, there are
other opinions/voices.  NCSG could take a position on this (mis)use of DNS
if there was a concensus.  Getting to one might well be challenging...

Timothe Litt
ACM Distinguished Engineer
---------------------------------------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.


-----Original Message-----
From: NCSG-Discuss [mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU] On Behalf Of Avri
Doria
Sent: Wednesday, November 23, 2011 10:40
To: NCSG-DISCUSS at LISTSERV.SYR.EDU
Subject: Re: [NCSG-Discuss] [NCSG-Discuss] beyond take down

Hi Timothe,

What I have not been able to determine, with my cursory following of the
IETF dnsext Wg is whether there are any IDs on this and if so what sort of
track is it on.

I looked at the ISC technical note
<ftp://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt> referred to in one of the
slides, which while it looks like an ID, but saw no indication there either.
The only related ID I see is :
<http://tools.ietf.org/html/draft-vixie-dnsext-resimprove-00>

Is this intended by ISC to be a defacto standard, separate from the IETF
standards making process? Or am I missing ongoing work somewhere.

avri


On 20 Nov 2011, at 20:07, Milton L Mueller wrote:

>
>
> -----Original message-----
> From: Timothe Litt <litt at acm.org>
> To: Milton L Mueller <mueller at syr.edu>
> Sent: Sun, Nov 20, 2011 17:37:39 GMT+00:00
> Subject: RE: [NCSG-Discuss] beyond take down
>
> Does anyone on this list know more about the way BIND is being amended to
allow the "rewriting" of DNS answers? Jorge? Timothe?
>
>
> Yes.  Recent versions of BIND (starting I think with 9.8) have a feature
called RPZ = Response Policy Zone.  It is rather controversial.
>
> The intent was to make it possible for enterprise customers to block
websites (and other protocols relying on DNS) according to some policy -
typically known malware and/or non-work sites.  It doesn't work with DNSSEC.
It has some potential for abuse by ISPs.  As ISC tells the story, this was
implemented because of (bind) customer demand, not because ISC thinks it's a
good idea.
>
> Here are some references:
>
> http://www.isc.org/community/blog/201007/taking-back-dns-0
>
> http://www.isc.org/files/TakingBackTheDNSrpz2.pdf
>
> http://www.isc.org/community/blog/201103/blocking-dns
>
>
> I will refrain from editorial comment - except to note that DNS is not a
particularly good place to implement a blocking policy.
>
>
> Timothe Litt
> ACM Distinguished Engineer
> ---------------------------------------------------------
> This communication may not represent the ACM or my employer's views,
> if any, on the matters discussed.
>
> From: NCSG-Discuss [mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU] On Behalf Of
> Milton L Mueller
> Sent: Sunday, November 20, 2011 12:10
> To: NCSG-DISCUSS at LISTSERV.SYR.EDU
> Subject: Re: [NCSG-Discuss] beyond take down
>
> Does anyone on this list know more about the way BIND is being amended to
allow the "rewriting" of DNS answers? Jorge? Timothe?
> From: NCSG-Discuss [mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU] On Behalf Of
> William Drake
> Sent: Sunday, November 20, 2011 10:22 AM
> To: NCSG-DISCUSS at LISTSERV.SYR.EDU
> Subject: [NCSG-Discuss] beyond take down Hi
>
> As discussed on our call the other night, some of the key developments
> from a global public interest standpoint go beyond GNSO & ICANN
> policies but we might still consider whether there's grounds for
> useful NC engagement.
>
> & BTW Monika quotes Wendy in the below...
>
> http://www.ip-watch.org/weblog/2011/11/20/filtering-and-blocking-close
> r-to-the-core-of-the-internet/print/
>
> Filtering and Blocking Closer To The Core Of The Internet?
> By Monika Ermert for Intellectual Property Watch on 20/11/2011 @ 1:00
> pm
>
>
> With protests against draft US legislation like the Stop Online Piracy
> Act (SOPA) and the Protect IP Act ongoing and the European Parliament
> voting o
>


More information about the Ncuc-discuss mailing list