[dns-operations] new public DNS service: 220.127.116.11
paul at redbarn.org
Thu Nov 23 18:11:48 UTC 2017
Matthew Pounsett wrote:
> On 22 November 2017 at 14:20, Paul Vixie <paul at redbarn.org> wrote:
> > i think spamhaus RPZ is free for individual/noncommercial use, for
> > example. if there was interest, farsight would consider something
> > similar for NOD RPZ.
> SpamHaus's pricing page does not lead me to that conclusion. I think any
> individual looking at that list will see that everyone except rpzone.us
> says "contact us for a quote", conclude that there is no service designed
> for individuals, and move on.
that's unfortunate. i suggest reaching out yourself, and letting us know
(both here, and at hostmaster at dnsrpz.info) what you find.
however, your point is more broadly applicable. "free" never is. most of
the old RBLs were free for individual use, because the cost was low
(zone transfer was only available for a fee) and the benefit was high
(the queries to the RBL's published DNS servers were valuable in terms
of telling the RBL what servers were trying to send e-mail "right now").
none of those economics carries over to RPZ, which is only useful as a
so, please join me for a thought experiment. let's say that you and i
and our circle of trusted friends wanted to crowd-source an RPZ. this
group of people is able to understand the RFC 2136 protocol and can be
trusted to only add RPZ entries for great and good reasons. we would
each contribute our updates, we would all share in the outcomes. if you
want to do this, i'm totally "in"!
however, this would not create a "free RPZ", for three reasons.
first, zone transfer is required, which is either open to the world, or
restricted by TSIG. if open to the world, then bad guys could subscribe
to it and learn more than i want them to know about what i can see and
what i can do about what i see. this would be an intelligence leak that
i wouldn't tolerate. i would stop sending updates to the shared RPZ. if
there is a TSIG restriction on zone transfer, then we have the burden of
vetting each free user, and the risk of getting it wrong occasionally.
second, support would be required. if we allowed free zone transfers in
any form, then the people receiving them would occasionally configure
their servers incorrectly (wrong TSIG key for example) and would see
occasional network-level outages as being RPZ zone transfer outages, and
would report the former as if they were the latter. we would have the
burden of receiving, investigating, and answering these reports.
third, there would be liability. anyone who found their network
identifiers listed, either because they could see a zone transfer, or
because they investigated DNS lookup failures and learned about this
RPZ, would at least consider a lawsuit when enumerating recourse.
so, i'd still do it, because i'm a little bit crazy, and i have often
found a way to succeed where all theory predicts failure. but you should
not want to participate, because you may not be crazy enough.
without the benefit of seeing what lookups are occurring, and without a
commercial upsell opportunity, i don't know how anybody would fund the
operation of a free RPZ.
thus, my surprise and delight about:
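The "thought experiment" above (RFC 2136 updates from vetted contributors, zone transfer gated by TSIG) maps onto a small amount of BIND 9 configuration. The fragment below is an added example, not part of the original thread and not Farsight's or anyone's production config; the zone name rpz.example.net, the key names contrib-alice. and subscriber-bob., the addresses 192.0.2.53 and 198.51.100.53, and the placeholder secrets are all hypothetical. It shows two separate named.conf files: one for the shared primary that accepts contributor updates and serves transfers only to keyed subscribers, and one for a subscriber's recursive resolver that pulls the zone and applies it as response policy.

```conf
// ADDED EXAMPLE (not from the original thread). All names, keys and
// addresses below are hypothetical placeholders.

// ===== named.conf on the shared RPZ primary =====

// One TSIG key per contributor (RFC 2136 updates) and one per subscriber
// (zone transfers). Never reuse a key across roles or across people, so a
// single leaked or revoked key maps to exactly one party.
key "contrib-alice." {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";   // placeholder, not a real key
};
key "subscriber-bob." {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";   // placeholder, not a real key
};

zone "rpz.example.net" {
    type master;
    file "rpz.example.net.db";
    // Contributors may add/delete records under the zone apex only, via
    // nsupdate signed with their key. "zonesub" stops a contributor from
    // rewriting the SOA/NS at the apex. (update-policy and allow-update
    // are mutually exclusive; use one or the other.)
    update-policy {
        grant contrib-alice. zonesub ANY;
    };
    // AXFR/IXFR only to TSIG-authenticated subscribers. An "any" here is
    // the intelligence leak the message describes: anyone could enumerate
    // what the group can see and block.
    allow-transfer { key subscriber-bob.; };
    // Push NOTIFY to known subscribers only, also signed.
    notify explicit;
    also-notify { 192.0.2.53 key subscriber-bob.; };   // hypothetical subscriber
};

// ===== named.conf on a subscriber's recursive resolver =====

// The subscriber holds the same subscriber-bob. key statement as above
// (same algorithm and secret) so that SOA/AXFR/IXFR requests verify.

options {
    // Apply the local copy of the zone as response policy. "passthru" with
    // logging lets a new subscriber observe what would be rewritten; remove
    // "policy passthru" to enforce whatever action each RPZ record carries.
    response-policy {
        zone "rpz.example.net" policy passthru log yes;
    } qname-wait-recurse no;
};

zone "rpz.example.net" {
    type slave;
    file "rpz.example.net.db";
    // Signed transfers from the primary; a wrong or expired key here is the
    // "misconfigured TSIG" support case mentioned in the message.
    masters { 198.51.100.53 key subscriber-bob.; };   // hypothetical primary
};
```

A contributor then adds an entry with `nsupdate -k <keyfile>` against the primary, e.g. `update add badhost.example.com.rpz.example.net. 300 CNAME .` (the RPZ NXDOMAIN action) followed by `send`; named verifies the TSIG signature, checks it against the update-policy grant, and increments the SOA serial so subscribers pick the change up on the next NOTIFY or refresh. Each TSIG failure on either side is logged by named, which is where the "network outage reported as RPZ outage" triage in the message would start.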