[dns-operations] Can Root DNS server modify the response?

Paul Vixie paul at redbarn.org
Mon Apr 1 13:32:49 UTC 2019

apologies for the delay. i had to think about this for a bit.

David Conrad wrote on 2019-03-29 12:31:
>>> Wait. The person who co-created MAPS and co-authored RPZ that allows 
>>> for the blocking of entire TLDs is unhappy because he’s being lumped 
>>> in with groups he has no relationship with?
>> yes. i think you must think that customers of blacklisted providers 
>> have no relationship with those providers. 
> You missed the point of my question. I found it ironic that you 
> expressed unhappiness about technology that implicitly finds you (as a 
> network infrastructure provider) guilty by association while having 
> co-developed technologies that can have the same effect on others (e.g., 
> using RPZ to block entire TLDs because a registrar of those TLDs sold 
> “too many” domains that were used for spam).

there is some truth at the bottom of that pile. i co-invented (with eric 
ziegast) the first distributed reputation system, RBL; i co-invented 
(with vernon schryver) the RPZ system which applies the RBL's concepts 
to DNS lookups. and to your point, the use of these technologies has 
caused collateral damage to nonpartisans.

my cause for questioning your irony is that there was and is always a 
relationship between the target of reputation-based blocking by RBL or 
RPZ (or other systems such as jeff chan's RHSBL construct), and those 
who are unduly (collaterally) affected such blocking, who in their turn 
have the option of changing their business relationships to avoid 
further undue (collateral) damage.

so it was your "no relationship with those providers" qualification that 
caused me to dismiss the comparison between RBL/RPZ on one hand, and DoH 
on the other hand. every network operator will be affected by the IETF's 
decision to standardize an operator-hostile naming technology. none of 
us will be able to avoid this damage by replacing any relationship we have.

i have always sought to minimize collateral damage in my reputation 
work. other reputation workers who came later have taken the opposite 
approach. i think i understand the root cause of general confusion about 
operator-centric vs. user-centric defense and bypass technologies, and 
i'll write about that elsewhere. for now, i'm just going to clarify, 
which means in the case of "no relationship with", i object.

>> the fact that i must now keep either a whitelist of HTTPS endpoints 
>> which do not support DoH, or a blacklist of HTTPS endpoints which do, 
>> and use SOCKS to handle the difference between the sets, is a cost i 
>> resent -- and it has nothing to do with you as a visitor or customer.
> I get that you resent the costs, just as I know a number of network 
> operators resented the costs imposed to deal with the fact that their 
> traffic was being intercepted for pervasive surveillance and a number of 
> users resented the fact that the DNS servers they talked to lied (etc). 
> As mentioned, I see DoH as an unsurprising outcome of the reality of 
> Internet infrastructure. Yes, there are other options that could have 
> been used to address the lack of trust in the infrastructure. I gather 
> the folks deploying DoH as they are felt DoH was more deployable. Also 
> as mentioned, I suspect the next step in the arms race will be for 
> infrastructure providers to force their users to install certs and 
> implement DPI to block/modify the stuff that happens on their network 
> (“my network, my rules”). And then then we loop again with some other 
> technology/abomination. Unfortunately, I don’t see a way out of the loop.
> However, since I’m looping myself, I’ll let you have the last word.

as to your description of probable motives, i think it's incomplete but 
true as far as it goes. as to your assessment of the likely unending 
game of one-up-man-ship, i sadly but fully agree. as to your desire that 
we end this thread, i am, like you, ready.

P Vixie

More information about the dns-operations mailing list