Somebody asked what’s so scary about RPZ?

@pmoriarty asks “What’s so scary about RPZ?” in reference to a couple of tweets of mine regarding DNS reputation blacklisting.

So I’ll try to phrase a response. It’ll take more than 140 characters.

First up, I want to be clear about the terms of the question – this is not a technical crit of RPZ, it’s certainly not a crit of Vixie for whom I have enormous respect – although we’ve not met since Ranum and my getting dreadfully drunk at some Monterey USENIX bash in the mid 90s and my listening to MJR and Vixie hammering out some obscure point of trust, leaving me with an impression of Paul being a paragon of earnestness.

The question is: what are my fears, regarding RPZ. So I shall be brief, but in round terms my concerns are these:

Infinite Space Whackamole
DNS is a potentially infinite space, certainly potentially (actually?) larger than IPv4. If I took the contrary position of “what if we went to a whitelist-only system?” – I believe the proposition would be declared unworkable due to its complexity and communication-inhibiting nature; from this we can establish that any significant amount of declaring who is “good” and who is “bad” makes for an unworkable solution irrespective of who does it, an issue which equally affects blacklisting.
Empirical Sensation
Twice, now, I’ve had to deal with some idiot security company blacklisting my security-themed blog as a “hacking” website, and preventing several of my friends reaching it/me, so that they have to resort to Twitter and Facebook to let me know there’s a problem. The cleanup/appeals procedure is atrocious, and would be worse if my key resource (my domain) was blacklisted. I have no reason to believe DNS blacklisting will be better administrated.
The Law of Unintended Consequences
Witness 1) Wikipedia and 2) the sort of stuff that happens because of the IWF, which I am sure some day some politician will try to use to their benefit; it would be better if such a structure did not exist.
WTF? – a subclass of the previous
Vixie writes: “Most new domain names are malicious”; as Wikipedia would say that’s a matter of “[citation needed]” but also I wonder what’s being got at here; yes I have suffered any number of redirects through u43vbs1egs.com to www.viagrascammers.com, but banning them just means they’ll all just move to GMail or Picasa.

So – whitelists? blacklists? What’s my choice?

I choose neither, I express a preference for “everybody learning to live in a world where spam, fraud and other forms of shit, exist”; and if they don’t like that then it’s their tough luck.

But these are my fears. You asked. 🙂

Comments

2 responses to “Somebody asked what’s so scary about RPZ?”

  1. Nick Palmer

    “Most new domain names are malicious”? Not merely a citation needed; the statement is a logical nonsense in that it imputes intention (malice) to an entity (domain name) incapable of forming it. I am reminded of the otherwise admirable John Humphries referring to “beasts of guns” while sparring with a representative of (IIRC) the BSSC on the handgun ban. The malice may be a problem, but by focussing on the domain name registered by a person with malicious intent rather than upon the person (and thus the malice), one’s surely missing the point?

  2. Elliott Noss commented on CircleID that his data do not support the “most new domain names are malicious” claim, and this would be more Elliott’s domain than Paul’s.

    Whilst I criticized AOL for trying it once, I think for email a whitelist will soon need to exist just to protect genuine mail servers from badly behaved botnets. A whitelist isn’t the right solution; indeed the only workable long-term solution for that issue is to dismantle the botnets. That won’t happen till we start shuffling liability around onto someone, and whoever it lands on (ISPs? OS vendors? End users?) it will hurt.