Avri, I don't speak for ISC - I do use BIND and so follow developments. My understanding is that ISC developed Response Policy Zones as an engineered approach to demand from some of its customers. The Technical Note describes the database format that BIND uses for policies, which looks like a DNS zone but is not served like one. I believe that the tech note was published to encourage adoption by non-BIND implementations with similar requirements, and to encourage distribution of policies in this format. I have not heard of plans to turn this into an Internet Draft, standard or RFC - personally, I would think that until there is experience with the technology it's premature. This is a messy area (technically as well as politically) and I would expect it to either evolve or die. But the best place to get an answer about their intentions is ISC. Why not drop Paul Vixie a line? His e-mail address is well-known - or you can use www.isc.org/blogs/vixie or www.isc.org/contact FWIW, personally: I understand the demand and why ISC responded. I'm even sympathetic to trying to solve some of the problems that it attacks. But I hope this dies. DNS should be simply an honest name service. Access controls may be informed by DNS results, but need to be implemented at lower levels (e.g. IP address/port/protocol) to be effective. One way to help kill it is to encourage widespread adoption of DNSSEC, since modified responses will not validate. (Liars can't sign the responses with a key in the chain of trust.) But as the references that I provided show, there are other opinions/voices. NCSG could take a position on this (mis)use of DNS if there was a concensus. Getting to one might well be challenging... Timothe Litt ACM Distinguished Engineer --------------------------------------------------------- This communication may not represent the ACM or my employer's views, if any, on the matters discussed. -----Original Message----- From: NCSG-Discuss [mailto:[log in to unmask]] On Behalf Of Avri Doria Sent: Wednesday, November 23, 2011 10:40 To: [log in to unmask] Subject: Re: [NCSG-Discuss] [NCSG-Discuss] beyond take down Hi Timothe, What I have not been able to determine, with my cursory following of the IETF dnsext Wg is whether there are any IDs on this and if so what sort of track is it on. I looked at the ISC technical note <ftp://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt> referred to in one of the slides, which while it looks like an ID, but saw no indication there either. The only related ID I see is : <http://tools.ietf.org/html/draft-vixie-dnsext-resimprove-00> Is this intended by ISC to be a defacto standard, separate from the IETF standards making process? Or am I missing ongoing work somewhere. avri On 20 Nov 2011, at 20:07, Milton L Mueller wrote: > > > -----Original message----- > From: Timothe Litt <[log in to unmask]> > To: Milton L Mueller <[log in to unmask]> > Sent: Sun, Nov 20, 2011 17:37:39 GMT+00:00 > Subject: RE: [NCSG-Discuss] beyond take down > > Does anyone on this list know more about the way BIND is being amended to allow the "rewriting" of DNS answers? Jorge? Timothe? > > > Yes. Recent versions of BIND (starting I think with 9.8) have a feature called RPZ = Response Policy Zone. It is rather controversial. > > The intent was to make it possible for enterprise customers to block websites (and other protocols relying on DNS) according to some policy - typically known malware and/or non-work sites. It doesn't work with DNSSEC. It has some potential for abuse by ISPs. As ISC tells the story, this was implemented because of (bind) customer demand, not because ISC thinks it's a good idea. > > Here are some references: > > http://www.isc.org/community/blog/201007/taking-back-dns-0 > > http://www.isc.org/files/TakingBackTheDNSrpz2.pdf > > http://www.isc.org/community/blog/201103/blocking-dns > > > I will refrain from editorial comment - except to note that DNS is not a particularly good place to implement a blocking policy. > > > Timothe Litt > ACM Distinguished Engineer > --------------------------------------------------------- > This communication may not represent the ACM or my employer's views, > if any, on the matters discussed. > > From: NCSG-Discuss [mailto:[log in to unmask]] On Behalf Of > Milton L Mueller > Sent: Sunday, November 20, 2011 12:10 > To: [log in to unmask] > Subject: Re: [NCSG-Discuss] beyond take down > > Does anyone on this list know more about the way BIND is being amended to allow the "rewriting" of DNS answers? Jorge? Timothe? > From: NCSG-Discuss [mailto:[log in to unmask]] On Behalf Of > William Drake > Sent: Sunday, November 20, 2011 10:22 AM > To: [log in to unmask] > Subject: [NCSG-Discuss] beyond take down Hi > > As discussed on our call the other night, some of the key developments > from a global public interest standpoint go beyond GNSO & ICANN > policies but we might still consider whether there's grounds for > useful NC engagement. > > & BTW Monika quotes Wendy in the below... > > http://www.ip-watch.org/weblog/2011/11/20/filtering-and-blocking-close > r-to-the-core-of-the-internet/print/ > > Filtering and Blocking Closer To The Core Of The Internet? > By Monika Ermert for Intellectual Property Watch on 20/11/2011 @ 1:00 > pm > > > With protests against draft US legislation like the Stop Online Piracy > Act (SOPA) and the Protect IP Act ongoing and the European Parliament > voting o >