ISC Offers Response Policy Zones For DNS

penciling_in writes "ISC has made the announcement that they have developed a technology that will allow 'cooperating good guys' to provide and consume reputation information about domain names. The release of the technology, called Response Policy Zones (DNS RPZ), was announced at DEFCON. Paul Vixie explains: 'Every day lots of new names are added to the global DNS, and most of them belong to scammers, spammers, e-criminals, and speculators. The DNS industry has a lot of highly capable and competitive registrars and registries who have made it possible to reserve or create a new name in just seconds, and to create millions of them per day. ... If your recursive DNS server has a policy rule which forbids certain domain names from being resolvable, then they will not resolve. And, it's possible to either create and maintain these rules locally, or, import them from a reputation provider. ISC is not in the business of identifying good domains or bad domains. We will not be publishing any reputation data. But, we do publish technical information about protocols and formats, and we do publish source code. So our role in DNS RPZ will be to define 'the spec' whereby cooperating producers and consumers can exchange reputation data, and to publish a version of BIND that can subscribe to such reputation data feeds. This means we will create a market for DNS reputation but we will not participate directly in that market.'"

Bad, bad idea

[6031769]

I have a lot of time for Paul Vixie, but in this particular case he has come up with a bad idea. This should absolutely not be handled in DNS. There are plenty of reputation-based schemes already in operation for per-protocol black or white listing which work as well (and as badly) as any such scheme can do. There is no need to drag it down to the core, polluting DNS with yet more protocol shenanigans as we do so.

DNS was always a simple protocol which did one job and did it well. Please stop trying to expand it to solve problems which have already been solved (by those who wish to do so) elsewhere.

A question that comes to mind...

[Yaa+101]

Are we satisfied of that other reputation system called SSL certificates?

oh, and follow-up

[bsDaemon]

it looks like you can also define policy in the RPZ zone so that the domain you're trying to block can pointed to a web server were you have a block message up, presumably describing the policy reason that the site is being listed.

additionally, there is no requirement that says one must subscribed to a Spamhause-style service, that's just a hypothetical option. Besides, if your recursive DNS servers are blocking stuff you want to get to anyway, you can choose different ones, or set up your own. Setting up BIND as a recursive DNS server is ridiculously easy, and you can ignore RPZ zones to your hearts content then.

Re:Could this be used for political purposes?

[N0Man74]

First of all, didn't they say that the reputation would be determined by "cooperating good guys"? Since when has Comcast ever been described as "cooperative", or "good"? ;-)

But seriously, reputations aren't usually vetoes where one person can blackball a server, are they? I would imagine that they would realize that it would be a waste of time, given that all of the other "good guys" would collectively carry too much weight for one entity to effectively sabotage.

I also imagine that they'd realize that this would be a good way to lose credibility as a "good guy", and maybe have it revoked.

Hopefully the same principal would apply on the other end if a "non-good guy" gets in the system in order to push bad sites.

I seriously doubt it will be a magic bullet, but it might help.