
ISC Offers Response Policy Zones For DNS 39

penciling_in writes "ISC has made the announcement that they have developed a technology that will allow 'cooperating good guys' to provide and consume reputation information about domain names. The release of the technology, called Response Policy Zones (DNS RPZ), was announced at DEFCON. Paul Vixie explains: 'Every day lots of new names are added to the global DNS, and most of them belong to scammers, spammers, e-criminals, and speculators. The DNS industry has a lot of highly capable and competitive registrars and registries who have made it possible to reserve or create a new name in just seconds, and to create millions of them per day. ... If your recursive DNS server has a policy rule which forbids certain domain names from being resolvable, then they will not resolve. And, it's possible to either create and maintain these rules locally, or, import them from a reputation provider. ISC is not in the business of identifying good domains or bad domains. We will not be publishing any reputation data. But, we do publish technical information about protocols and formats, and we do publish source code. So our role in DNS RPZ will be to define 'the spec' whereby cooperating producers and consumers can exchange reputation data, and to publish a version of BIND that can subscribe to such reputation data feeds. This means we will create a market for DNS reputation but we will not participate directly in that market.'"
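As an added illustration of the mechanism the summary describes (a recursive resolver consulting a policy zone whose rules are either maintained locally or imported from a reputation feed), here is a small Python model. It is not ISC's or BIND's code; the feed contents, domain names and the record conventions used to encode actions (CNAME to "." for NXDOMAIN, CNAME to "*." for NODATA, any other CNAME as a rewrite) are assumptions constructed for this example, as is the closest-wildcard matching order.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed reputation feed in a zone-file style (sample data, not a real feed).
# Convention assumed here: "CNAME ." => NXDOMAIN, "CNAME *." => NODATA,
# any other CNAME target => rewrite the answer to that name (a walled garden).
CONSTRUCTED_FEED = """
; imported reputation data (constructed sample)
phish.example.        CNAME .
*.phish.example.      CNAME .
tracker.example.      CNAME *.
malware.example.      CNAME sinkhole.policy.example.
"""

# Locally maintained override: names the operator refuses to block.
# Local policy is checked before the imported feed.
LOCAL_ALLOW = {"whitelisted.phish.example."}


@dataclass
class PolicyHit:
    rule: str            # the zone record that matched
    action: str          # NXDOMAIN, NODATA or REWRITE
    target: Optional[str] = None


def parse_zone(text: str) -> Dict[str, str]:
    """Parse 'owner CNAME target' lines into a rule table (owner -> target)."""
    rules: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        owner, rtype, target = line.split()
        if rtype != "CNAME":
            raise ValueError(f"unsupported record: {line}")
        rules[owner.lower()] = target
    return rules


def lookup(qname: str, rules: Dict[str, str]) -> Optional[PolicyHit]:
    """Return the policy action for qname, or None to let normal resolution proceed."""
    name = qname.lower().rstrip(".") + "."
    if name in LOCAL_ALLOW:
        return None
    # Exact owner first, then wildcard rules for each enclosing domain, closest first.
    labels = name.split(".")
    candidates = [name] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    for cand in candidates:
        if cand in rules:
            target = rules[cand]
            if target == ".":
                return PolicyHit(cand, "NXDOMAIN")
            if target == "*.":
                return PolicyHit(cand, "NODATA")
            return PolicyHit(cand, "REWRITE", target)
    return None
```

Because the policy decision is computed separately from the real answer, a resolver built this way can also log or signal which rule fired, which is the kind of status information the comments below argue applications should be able to see.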
  • by gameboyhippo ( 827141 ) on Friday July 30, 2010 @05:27PM (#33089658) Journal

    I'd hate to see what governments or rival corporations do with this technology. Who's to say that Comcast won't make Rural Town USA's coop appear to be a site with a negative reputation?

  • Bad, bad idea (Score:5, Insightful)

    by 6031769 ( 829845 ) on Friday July 30, 2010 @05:33PM (#33089746) Homepage Journal

    I have a lot of time for Paul Vixie, but in this particular case he has come up with a bad idea. This should absolutely not be handled in DNS. There are plenty of reputation-based schemes already in operation for per-protocol black or white listing which work as well (and as badly) as any such scheme can do. There is no need to drag it down to the core, polluting DNS with yet more protocol shenanigans as we do so.

    DNS was always a simple protocol which did one job and did it well. Please stop trying to expand it to solve problems which have already been solved (by those who wish to do so) elsewhere.

  • Re:Bad, bad idea (Score:3, Insightful)

    by bersl2 ( 689221 ) on Friday July 30, 2010 @05:36PM (#33089804) Journal

    Well, at least you always have the option of querying the root servers directly. Surely they won't have this enabled.

  • by bsDaemon ( 87307 ) on Friday July 30, 2010 @05:47PM (#33089962)

    It doesn't just prevent the name from resolving, though. It will also return the fact that the query was blocked by RPZ via a STATUS code. At that point, I think it should be up to the application, such as the browser, which is causing the DNS query, to read the STATUS code for the query and provide the appropriate message, such as "server not found" in response to a query with an NXDOMAIN status.

    I actually think this is pretty cool and am excited about it, although I suspect that I'm in the minority on this here. Just pretend I said something scary about evil corporate overlords or fascists or whatever.

  • by _Sprocket_ ( 42527 ) on Friday July 30, 2010 @06:13PM (#33090266)

    Aren't CAs establishing (at best) identity and not reputation?
