[dns-operations] new public DNS service:

Paul Vixie paul at redbarn.org
Thu Nov 23 23:17:43 UTC 2017

Matthew Pounsett wrote:
> On 23 November 2017 at 13:11, Paul Vixie <paul at redbarn.org> wrote:
> ...
>     however, your point is more broadly applicable. "free" never is. ...
> The reason I excluded rpzone.us above is that they
> charge in tiers by the query, which implies that, rather than provide an
> RPZ feed, they provide an RDNS service similar to the RBLs.

rpz does not work that way. as in, no implementation works that way, and 
that methodology is undefined, and is nowhere recommended. so, i think 
we must be misunderstanding how their tiers work.

> ...
> Your point is well taken, and leaves me still unable to connect the dots
> between what I read as advocating for individual resolvers and
> advocating for RPZ.  The two appear to be in conflict.  Have I misread
> your intent on either subject?

no, you're seeing it clearly. i strongly aver that running your own RDNS 
is valuable even if you prefer the kind of anti-malware filtering that 
opendns has done for ten years and that quad9 is doing today. it is 
better for you to go without filtering you want, than use an off-LAN and 
off-campus RDNS, no matter what filtering it offers.

however, let's extend this out two more steps. say you'd like filtering, 
you need filtering, you can't deploy without filtering, and if nec'y to 
get filtering, you will externalize your RDNS rather than run a local 
RDNS without filtering. i don't know how many people are in this 
position; clearly has no filtering and is quite popular, so 
these waters are muddy.

but under those conditions, if you won't deploy your own local RDNS, and 
using RPZ, import some filtering feeds, because it is not free, then you 
are not paying nothing -- you're just paying in non-cash. if you were 
willing to pay in cash, then someone like threatstop who has an RPZ 
blending machine, would almost certainly be willing to create an 
individual subscriber tier for you. but they can't do it for zero-cash. 
opendns and quad9 can; whatever benefit they get isn't from your cash. 
you should be thinking your way around through that underbrush before 
you decide where you should stand.

i said two steps. here's the second one. if you would prefer to run your 
own RDNS with filtering, but you can't at the moment because there is no 
DNS RPZ that appears to be sized and sold for your use case, then how 
will you signal your interest? i predict that "just use opendns and get 
their filtering for free" as well as "just use quad9 and get their 
filtering for free" will not incentivise anybody, anywhere, ever, to 
build an RPZ that's sized and sold for your use case. so by taking the 
quicker, easier way out, you'd be working against your own longer term 
best interests. i always advise against that when i see it happening.

> I'm strongly in favour of individuals running their own DNSSEC
> validators, but until this email had no way to reconcile that with
> widespread RPZ use.

first, use what the libertarians call "your dollar votes", wisely.

second, consider how we might crowd-source a solution to this problem.

P Vixie
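To make concrete what "run a local RDNS and, using RPZ, import some filtering feeds" looks like in practice, and why an RPZ feed is not a per-query lookup service: an added BIND 9.16+ named.conf fragment (example configuration written for this archive, not from the thread or from any feed vendor; the feed host, TSIG key, zone names and addresses are placeholders).

```conf
// Local validating recursive resolver with RPZ (added example; all names,
// addresses and the key material below are placeholders).
options {
    recursion yes;
    allow-recursion { localnets; };
    dnssec-validation auto;           // validate locally, as the thread advocates

    // Policy zones are consulted in the order listed; the first match wins,
    // so local exceptions go before local blocks and before the paid feed.
    response-policy {
        zone "allow.rpz.local";
        zone "block.rpz.local";
        zone "feed.rpz.example.net";
    } qname-wait-recurse no;
};

key "rpz-feed-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-KEY";   // shared with the feed provider
};

// The feed is an ordinary secondary zone: the provider NOTIFYs, we pull
// changes with IXFR. Client queries are filtered against this local copy;
// no query is ever forwarded to the feed provider, which is why RPZ cannot
// be metered "by the query" the way an RBL lookup service is.
zone "feed.rpz.example.net" {
    type secondary;
    primaries { 192.0.2.53 key "rpz-feed-key"; };   // placeholder feed address
    file "secondary/feed.rpz.example.net";
    allow-query { none; };            // policy data is never served to clients
};

// Locally curated zones. Record forms (RFC-style RPZ triggers/actions):
//   rpz/block.rpz.local:
//     malware.example.    CNAME .     ; answer NXDOMAIN for this name
//     *.malware.example.  CNAME .     ; and for everything beneath it
//   rpz/allow.rpz.local:
//     good.example.       CNAME rpz-passthru.  ; exempt from later zones
zone "allow.rpz.local" { type primary; file "rpz/allow.rpz.local"; };
zone "block.rpz.local" { type primary; file "rpz/block.rpz.local"; };
```

Older BIND releases spell `type secondary;` and `primaries` as `type slave;` and `masters`; everything else is unchanged.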
