[dns-operations] new public DNS service:

Paul Vixie paul at redbarn.org
Thu Nov 23 18:11:48 UTC 2017

Matthew Pounsett wrote:
> On 22 November 2017 at 14:20, Paul Vixie <paul at redbarn.org
> <mailto:paul at redbarn.org>> wrote:
>     i think spamhaus RPZ is free for individual/noncommercial use, for
>     example. if there was interest, farsight would consider something
>     similar for NOD RPZ.
>
> SpamHaus's pricing page does not lead me to that conclusion. I think any
> individual looking at that list will see that everyone except rpzone.us
> <http://rpzone.us> says "contact us for a quote", conclude that there is
> no service designed for individuals, and move on.

that's unfortunate. i suggest reaching out yourself, and letting us know 
(both here, and at hostmaster at dnsrpz.info) what you find.

however, your point is more broadly applicable. "free" never is. most of 
the old RBLs were free for individual use, because the cost was low 
(zone transfer was only available for a fee) and the benefit was high 
(the queries to the RBLs' published DNS servers were valuable in terms 
of telling the RBL what servers were trying to send e-mail "right now"). 
none of those economics carries over to RPZ, which is only useful as a 
zone transfer.

so, please join me for a thought experiment. let's say that you and i 
and our circle of trusted friends wanted to crowd-source an RPZ. this 
group of people is able to understand the RFC 2136 protocol and can be 
trusted to only add RPZ entries for great and good reasons. we would 
each contribute our updates, we would all share in the outcomes. if you 
want to do this, i'm totally "in"!

however, this would not create a "free RPZ", for three reasons.

first, zone transfer is required, which is either open to the world, or 
restricted by TSIG. if open to the world, then bad guys could subscribe 
to it and learn more than i want them to know about what i can see and 
what i can do about what i see. this would be an intelligence leak that 
i wouldn't tolerate. i would stop sending updates to the shared RPZ. if 
there is a TSIG restriction on zone transfer, then we have the burden of 
vetting each free user, and the risk of getting it wrong occasionally.

second, support would be required. if we allowed free zone transfers in 
any form, then the people receiving them would occasionally configure 
their servers incorrectly (wrong TSIG key for example) and would see 
occasional network-level outages as being RPZ zone transfer outages, and 
would report the former as if they were the latter. we would have the 
burden of receiving, investigating, and answering these reports.

third, there would be liability. anyone who found their network 
identifiers listed, either because they could see a zone transfer, or 
because they investigated DNS lookup failures and learned about this 
RPZ, would at least consider a lawsuit when enumerating recourse.

so, i'd still do it, because i'm a little bit crazy, and i have often 
found a way to succeed where all theory predicts failure. but you should 
not want to participate, because you may not be crazy enough.

without the benefit of seeing what lookups are occurring, and without a 
commercial upsell opportunity, i don't know how anybody would fund the 
operation of a free RPZ.

thus, my surprise and delight about:


P Vixie
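To make the thought experiment concrete, here is an added example (not code from the post, from Farsight, or from any RPZ provider) of what each contributor to the shared zone would actually emit: an RPZ entry encoded as the spec requires (QNAME, rpz-ip and rpz-nsdname triggers; NXDOMAIN/NODATA/passthru/drop actions as CNAME targets) and the RFC 2136 update script fed to `nsupdate`. The zone name `shared.rpz.example`, the server name and the key name are constructed placeholders; only IPv4 rpz-ip triggers are handled.

```python
"""RPZ entry encoding plus an RFC 2136 (nsupdate) contribution script.

Added example for the crowd-sourced RPZ thought experiment; not the
post's own code.  Names such as shared.rpz.example are placeholders.
"""
import ipaddress

# RPZ actions are expressed as the target of a CNAME at the trigger name.
ACTIONS = {
    "nxdomain": ".",             # resolver answers NXDOMAIN
    "nodata":   "*.",            # resolver answers NODATA (empty answer)
    "passthru": "rpz-passthru.", # whitelist: real answer goes through
    "drop":     "rpz-drop.",     # resolver sends no answer at all
}


def _zone(zone: str) -> str:
    """Normalise the policy zone name to a single trailing dot."""
    return zone.rstrip(".").lower() + "."


def rpz_qname_owner(name: str, zone: str) -> str:
    """QNAME trigger: the listed name is prepended to the policy zone."""
    name = name.rstrip(".").lower()
    if not name:
        raise ValueError("empty trigger name")
    return f"{name}.{_zone(zone)}"


def rpz_nsdname_owner(name: str, zone: str) -> str:
    """NSDNAME trigger: matches answers whose delegation uses this NS name."""
    return f"{name.rstrip('.').lower()}.rpz-nsdname.{_zone(zone)}"


def rpz_ip_owner(cidr: str, zone: str) -> str:
    """rpz-ip trigger for an IPv4 prefix (IPv6 'zz' encoding not handled).

    192.0.2.0/24 -> 24.0.2.0.192.rpz-ip.<zone>: the prefix length first,
    then the octets in reverse order, as in in-addr.arpa.  strict=True
    rejects host bits set inside the prefix, a common contributor typo.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    reversed_octets = ".".join(reversed(str(net.network_address).split(".")))
    return f"{net.prefixlen}.{reversed_octets}.rpz-ip.{_zone(zone)}"


def rpz_record(owner: str, action: str, ttl: int = 300) -> str:
    """Render one RPZ resource record in master-file syntax."""
    if action not in ACTIONS:
        raise ValueError(f"unknown RPZ action {action!r}")
    return f"{owner} {ttl} IN CNAME {ACTIONS[action]}"


def nsupdate_script(server: str, zone: str, records) -> str:
    """Build the stdin text for `nsupdate -k <TSIG key file>`.

    The TSIG key is given on the nsupdate command line, so the script itself
    carries only the server, the zone and the records to add.
    """
    lines = [f"server {server}", f"zone {_zone(zone)}"]
    lines.extend(f"update add {rec}" for rec in records)
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample contribution: one bad hostname, one bad /24,
    # and a passthru so a shared mail host is never blocked by accident.
    zone = "shared.rpz.example"
    recs = [
        rpz_record(rpz_qname_owner("bad.example", zone), "nxdomain"),
        rpz_record(rpz_ip_owner("192.0.2.0/24", zone), "drop"),
        rpz_record(rpz_qname_owner("mx.good.example", zone), "passthru"),
    ]
    print(nsupdate_script("ns.shared.rpz.example", zone, recs), end="")
```

A contributor would run `python3 rpz_contrib.py | nsupdate -k Kcontrib.+165+12345.key` (key file name is a placeholder). On the master, the two halves of the post's trade-off are one BIND stanza apart: `allow-update { key contrib; };` admits the vetted contributors, and `allow-transfer { key subscriber; };` instead of `allow-transfer { any; };` is exactly the TSIG restriction that keeps the zone from being an intelligence leak, at the cost of having to vet every subscriber key.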
