[RPZ] RPZ seen at MAAWG
jeffc at surbl.org
Fri Oct 8 19:16:41 UTC 2010
On Wednesday, October 6, 2010, 7:54:31 AM, Eric Ziegast wrote:
> I gave a pretty good presentation at MAAWG for RPZ. Jonathan thanked
> me. Ferg gave me a great intro. A few people thought it was a really
> good talk - even someone who thought he knew everything about RPZ
> already told me that could not look down at his laptop when I talked.
It was a great talk. I was hoping for more outrage. ;)
I'm a bit outraged, being another old timer, but I see too much
badness on the Internet these days to be opposed. At this point,
RPZ should help more than it hurts.
> Unlike the DNSSEC talk, I was the expert here.
Don't feel bad. Larry lacked some info about IPv6 abuse issues
until Raymond gave him a briefing before the v6 abuse panel.
OTOH Larry has not much problem talking.
> Here are a few things
> that need to be addressed:
> #### Directing removals
> $ dig www.SOMEDOMAIN.BAD a @nsa.vix.com
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13342
> ;; QUESTION SECTION:
> ;www.SOMEDOMAIN.BAD. IN A
> ;; AUTHORITY SECTION:
> rpz.surbl.org. 180 IN SOA dev.null. zone.surbl.org. (
> 1286371502 180 180 604800 180)
> Ok, so www.mecom.ae is in the SURBL RPZ. If I were mecom.ae, how
> would I get off? Where do I go? Knowing a DNS RFC about SOA records,
> you might email <zone at surbl.org>. Should we create some other
> standard? like have a TXT record at the base of the zone that people
> can use to figure out where to go (website, phone number, etc.)?
Yes, there probably should be a reference, URL of the list
maker maybe? We include www.surbl.org in the TXT record of our
I could change the SOA from zone.surbl.org to whitelist.surbl.org
where whitelist at surbl.org is our removals role account. It might
die under the spam load if we did that though.... :( :( :(
I like URL best. It's harder to spam bomb a web site or add it
to "opt in" mailing lists.
> #### ISC does not publish any RPZ or give perception of publishing
> 2.2. The remainder of the zone is expressions of DNS policy.
> The owner name of a Response Policy Zone resource record set
> (RRset) is the relativised name of the domain name about which
> policy is being expressed. For example, in a policy zone called
> RPZ.ISC.ORG, an RRset at WWW.VIX.COM.RPZ.SIE.ISC.ORG would affect
> responses to lookups of WWW.VIX.COM. DNS RPZ RRset owner names
> can be wildcarded according to normal rules, for example
> *.VIX.COM.RPZ.ISC.ORG would affect responses for any subdomain of
> VIX.COM. This means that in order to affect both a domain and
> its subdomains, policy must be entered for both that domain and
> its wildcard subdomain.
> Let's find something else besides ISC.ORG. With Jeff's blessing, maybe
> we can use SURBL here or some other willing participant (eg: just
> RPZ.VIX.COM or some other straw-man domain).
example.com is fine, though we'd welcome the mention of surbl of
course. The former may be more vendor neutral.
> #### SuperWildcard
> The limitation of wildcard records could be an issue. If one lists:
> mecom.ae.@ IN A .
> *.mecom.ae.@ IN A .
> How does one take care of www.qatar.mecom.ae without specifically
> listing *.qatar.mecom.ae in the zone? Do we need a Super Wildcard
> capability in zone file specifications that matches all sub-domains?
> not just the current level?
Um, I was hoping * *was* the superwildcard. As Marc hints, I
think it's definitely needed.
Actually a super wildcard that included the parent domain would
be extremely handy. If it existed, then the example above could
be collapsed to:
*.mecom.ae.@ IN A .
which would halve the size of the zone file. Vix indirectly
commented on this privately.
FWIW, mecom.ae perhaps should not be blacklisted. They were
a minor site that's massively spamming, but may have legitimate
uses. I may remove them yet.
> #### A website
> Directing people to the Vixie Blog just isn't scalable. Perhaps I
> should setup a sub-site off http://www.isc.org/solutions and include
> presentation material?
> #### Who's implementing?
> I told someone that I will be speaking again at ISOI 8, and that I
> will have a list of RPZs that advertise themselves on this mailing
> list, and that I will have an update on software that supports RPZ or
> has plans to support RPZ. It would be great if everyone was willing
> to implement RPZ technology into their products. Once someone sees
> the BIND source diffs and understands the specs, I expect that they'll
> realize it's not hard. Commercial DNS software might already have a
> similar capability, and as long as they can import an RPZ zone and
> make their product work similarly, they're part of the ecosystem. If
> some vendors choose not to participate, their lack of presence will be
> "interesting" to those that provide RPZ-enabled services.
I'd bet that Nominum already has a similar functionality, so I'd
guess it would not be too hard for them to add RPZ support. In
fact, I'd recommend they do.
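The owner-name and wildcard rules quoted above, worked through as an added example (not code from the thread, SURBL or ISC): policy owners are relativised under the policy zone, an exact owner wins, and otherwise the wildcard at the closest encloser is tried under normal DNS (RFC 4592) wildcard rules, which is what lets `*.somedomain.bad` cover `www.qatar.somedomain.bad` while still requiring a separate entry for `somedomain.bad` itself. The policy zone name `rpz.example.com` and the zone contents are constructed for the example.

```python
# Added example: which RPZ owner name (if any) expresses policy for a query
# name.  Follows the quoted spec text: owners are relativised under the policy
# zone and may be wildcarded under normal DNS wildcard rules (RFC 4592).
# Policy zone name and zone contents below are constructed, not a real feed.

POLICY_ZONE = "rpz.example.com"   # assumed policy zone name

def labels(name):
    """Split a dotted name into lowercase labels, ignoring a trailing dot."""
    return [l.lower() for l in name.strip(".").split(".") if l]

def relativise(name, zone=POLICY_ZONE):
    """Owner name under which policy for `name` lives inside the policy zone."""
    return ".".join(labels(name) + labels(zone))

def match_policy(qname, owners, zone=POLICY_ZONE):
    """Return the matching policy owner (as written in the zone file) or None.

    `owners` are the policy names before relativisation, e.g.
    {"somedomain.bad", "*.somedomain.bad"}.  An exact owner wins; otherwise
    the closest encloser (longest existing ancestor, counting empty
    non-terminals) is found and "*." + encloser is tried, per RFC 4592.
    """
    owners = {".".join(labels(o)) for o in owners}
    q = ".".join(labels(qname))
    if q in owners:
        return q
    # Every ancestor of every owner exists in the zone as an empty non-terminal.
    existing = set()
    for o in owners:
        ls = labels(o)
        if ls and ls[0] == "*":
            ls = ls[1:]                      # "*.x" makes "x" exist, not "*"
        for i in range(len(ls)):
            existing.add(".".join(ls[i:]))
    ls = labels(qname)
    for i in range(1, len(ls)):              # walk up from the closest ancestor
        encloser = ".".join(ls[i:])
        if encloser in existing:             # closest encloser found
            wild = "*." + encloser
            return wild if wild in owners else None
    return None

if __name__ == "__main__":
    zone = {"somedomain.bad", "*.somedomain.bad"}
    for name in ("somedomain.bad", "www.qatar.somedomain.bad", "bad"):
        print(relativise(name), "->", match_policy(name, zone))
```

Note that an explicit owner such as `mail.qatar.somedomain.bad` makes `qatar.somedomain.bad` the closest encloser for `www.qatar.somedomain.bad`, so `*.somedomain.bad` no longer matches it; that is the standard wildcard behaviour the quoted spec defers to, and a zone maintainer needs to add `*.qatar.somedomain.bad` in that case.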