[RPZ] RPZ seen at MAAWG

Jeff Chan jeffc at surbl.org
Fri Oct 8 19:16:41 UTC 2010

On Wednesday, October 6, 2010, 7:54:31 AM, Eric Ziegast wrote:
> I gave a pretty good presentation at MAAWG for RPZ.  Jonathan thanked
> me.  Ferg gave me a great intro.  A few people thought it was a really
> good talk - even someone who thought he knew everything about RPZ
> already told me that he could not look down at his laptop when I talked.

It was a great talk.  I was hoping for more outrage. ;)

I'm a bit outraged, being another old timer, but I see too much
badness on the Internet these days to be opposed.  At this point,
RPZ should help more than it hurts.

>  Unlike the DNSSEC talk, I was the expert here.

Don't feel bad.  Larry lacked some info about IPv6 abuse issues
until Raymond gave him a briefing before the v6 abuse panel.
OTOH Larry has not much problem talking.

> Here are a few things
> that need to be addressed:

> #### Directing removals

>   $ dig www.SOMEDOMAIN.BAD a @nsa.vix.com
>   ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13342
>   ;www.SOMEDOMAIN.BAD.                  IN      A

>   rpz.surbl.org. 180 IN SOA dev.null. zone.surbl.org. (
>                                  1286371502 180 180 604800 180)

> Ok, so www.mecom.ae is in the SURBL RPZ.  If I were mecom.ae, how
> would I get off?  Where do I go?  Knowing a DNS RFC about SOA records,
> you might email <zone at surbl.org>.  Should we create some other
> standard? like have a TXT record at the base of the zone that people
> can use to figure out where to go (website, phone number, etc.)?

Yes, there probably should be a reference, URL of the list
maker maybe?  We include www.surbl.org in the TXT record of our

I could change the SOA from zone.surbl.org to whitelist.surbl.org
where whitelist at surbl.org is our removals role account.  It might
die under the spam load if we did that though....    :(  :(  :(

I like URL best.  It's harder to spam bomb a web site or add it
to "opt in" mailing lists.

> #### ISC does not publish any RPZ or give perception of publishing

>  2.2. The remainder of the zone is expressions of DNS policy.
>    The owner name of a Response Policy Zone resource record set
>    (RRset) is the relativised name of the domain name about which
>    policy is being expressed.  For example, in a policy zone called
>    RPZ.ISC.ORG, an RRset at WWW.VIX.COM.RPZ.SIE.ISC.ORG would affect
>    responses to lookups of WWW.VIX.COM.  DNS RPZ RRset owner names
>    can be wildcarded according to normal rules, for example
>    *.VIX.COM.RPZ.ISC.ORG would affect responses for any subdomain of
>    VIX.COM.  This means that in order to affect both a domain and
>    its subdomains, policy must be entered for both that domain and
>    its wildcard subdomain.

> Let's find something else besides ISC.ORG.  With Jeff's blessing, maybe
> we can use SURBL here or some other willing participant (eg: just
> RPZ.VIX.COM or some other straw-man domain).

example.com is fine, though we'd welcome the mention of surbl of
course.  The former may be more vendor neutral.

> #### SuperWildcard

> The limitation of wildcard records could be an issue.  If one lists:
>    mecom.ae.@ IN A .
>    *.mecom.ae.@ IN A .

> How does one take care of www.qatar.mecom.ae without specifically
> listing *.qatar.mecom.ae in the zone?  Do we need a Super Wildcard
> capability in zone file specifications that matches all sub-domains,
> not just the current level?

Um, I was hoping *  *was* the superwildcard.  As Marc hints, I
think it's definitely needed.

Actually a super wildcard that included the parent domain would
be extremely handy.  If it existed, then the example above could
be collapsed to:

*.mecom.ae.@ IN A .

which would halve the size of the zone file.  Vix indirectly
commented on this privately.

FWIW, mecom.ae perhaps should not be blacklisted.  They were
a minor site that's massively spamming, but may have legitimate
uses.  I may remove them yet.

> #### A website

> Directing people to the Vixie Blog just isn't scalable.  Perhaps I
> should setup a sub-site off http://www.isc.org/solutions and include
> presentation material?


> #### Who's implementing?

> I told someone that I will be speaking again at ISOI 8, and that I
> will have a list of RPZs that advertise themselves on this mailing
> list, and that I will have an update on software that supports RPZ or
> has plans to support RPZ.  It would be great if everyone was willing
> to implement RPZ technology into their products.  Once someone sees
> the BIND source diffs and understand the specs, I expect that they'll
> realize it's not hard.  Commercial DNS software might already have a
> similar capability, and as long as they can import an RPZ zone and
> make their product work similarly, they're part of the ecosystem.  If
> some vendors choose not to participate, their lack of presence will be
> "interesting" to those that provide RPZ-enabled services.

I'd bet that Nominum already has a similar functionality, so I'd
guess it would not be too hard for them to add RPZ support.  In
fact, I'd recommend they do.


Jeff C.
Jeff Chan
mailto:jeffc at surbl.org
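Added example, not code from the original post and not SURBL's or ISC's own software: a small Python script covering the two mechanics discussed in the thread, finding the removal contact from an RPZ zone's SOA RNAME and apex TXT record (the "Directing removals" item) and applying exact and wildcard policy entries to query names (the "SuperWildcard" item). The zone text, the name rpz.example.com, the whitelist@example.com mailbox and the removal URL are constructed placeholders, not SURBL's real records. The matcher applies conventional DNS wildcard rules (RFC 1034 section 4.3.2 as clarified by RFC 4592), which is what the quoted spec paragraph invokes: *.mecom.ae matches www.qatar.mecom.ae because mecom.ae is the closest existing ancestor, it never matches mecom.ae itself (hence the two-line pattern), and an explicit entry deeper in the tree shadows the parent wildcard for that branch unless a wildcard is added at that level too. Whether a given resolver's RPZ code follows exactly these rules is something to check against that implementation; this example does not assert it.

```python
"""Added example: parse a small RPZ zone, read its removal contact, and
apply its policy to query names.  Not code from the original post.  The
zone below is constructed; rpz.example.com, whitelist@example.com and the
URL are placeholders, not SURBL's records."""

# Constructed sample zone.  Policy owner names are relative to the zone
# origin, as the quoted spec text describes.  CNAME . is the RPZ trigger
# for an NXDOMAIN answer, CNAME *. the trigger for NODATA.
RPZ_ZONE = """\
$ORIGIN rpz.example.com.
@  180 IN SOA dev.null. whitelist.example.com. 1286371502 180 180 604800 180
@  180 IN TXT "Removal requests: https://www.example.com/rpz-removal"
; policy records
mecom.ae        IN CNAME .
*.mecom.ae      IN CNAME .
"""
# Same zone plus one explicit entry below the wildcard, to show shadowing.
RPZ_ZONE_SHADOWED = RPZ_ZONE + "mail.qatar.mecom.ae  IN CNAME *.\n"

ACTIONS = {".": "NXDOMAIN", "*.": "NODATA"}   # RPZ CNAME triggers


def labels(name):
    """'www.Mecom.ae.' -> ('www', 'mecom', 'ae'); the root is ()."""
    name = name.strip().lower().rstrip(".")
    return tuple(name.split(".")) if name else ()


def rname_to_mailbox(rname):
    """Decode an SOA RNAME per RFC 1035 s.3.3: the first unescaped dot
    separates local part and domain; a backslash-escaped dot in the local
    part is literal.  'zone.surbl.org.' -> 'zone@surbl.org'."""
    local, i = [], 0
    while i < len(rname):
        c = rname[i]
        if c == "\\" and i + 1 < len(rname):
            local.append(rname[i + 1])
            i += 2
            continue
        if c == ".":
            return "".join(local) + "@" + rname[i + 1:].rstrip(".")
        local.append(c)
        i += 1
    return "".join(local)


def parse_rpz(text):
    """Return a dict with origin, contact_mailbox, contact_txt and policies
    (relativised owner labels -> RPZ action).  Minimal master-file parser:
    $ORIGIN, optional TTL/class, ';' comments (none inside TXT here)."""
    origin = ()
    zone = {"contact_mailbox": None, "contact_txt": [], "policies": {}}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = labels(line.split()[1])
            continue
        owner, *rest = line.split()
        if rest and rest[0].isdigit():          # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":    # optional class
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), rest[1:]
        name = origin if owner == "@" else labels(owner) + (() if owner.endswith(".") else origin)
        if rtype == "SOA":
            zone["contact_mailbox"] = rname_to_mailbox(rdata[1])   # RNAME field
        elif rtype == "TXT":
            zone["contact_txt"].append(" ".join(rdata).strip('"'))
        elif rtype == "CNAME":
            if name[len(name) - len(origin):] != origin:
                raise ValueError("policy owner outside the zone: " + owner)
            relative = name[:len(name) - len(origin)]     # the domain policy is about
            zone["policies"][relative] = ACTIONS.get(rdata[0], "CNAME " + rdata[0])
    zone["origin"] = origin
    return zone


def lookup(zone, qname):
    """Apply the policy to a query name with conventional wildcard rules
    (RFC 1034 s.4.3.2 / RFC 4592): exact owner first, else '*.<closest
    encloser>', the closest encloser being the longest ancestor of qname
    that exists in the zone as an owner or as an empty non-terminal above
    one.  Returns (action, matched_owner) or (None, None)."""
    q = labels(qname)
    pol = zone["policies"]
    if q in pol:
        return pol[q], ".".join(q)
    existing = {owner[i:] for owner in pol for i in range(len(owner))}
    for i in range(1, len(q)):
        ancestor = q[i:]
        if ancestor in existing:                 # closest encloser found
            wildcard = ("*",) + ancestor
            if wildcard in pol:
                return pol[wildcard], ".".join(wildcard)
            return None, None                    # no wildcard at that level
    return None, None


if __name__ == "__main__":
    zone = parse_rpz(RPZ_ZONE)
    print("removal contact:", zone["contact_mailbox"], zone["contact_txt"])
    for q in ("mecom.ae", "www.mecom.ae", "www.qatar.mecom.ae", "notmecom.ae"):
        print(q, "->", lookup(zone, q))
    print("with explicit mail.qatar.mecom.ae entry, www.qatar.mecom.ae ->",
          lookup(parse_rpz(RPZ_ZONE_SHADOWED), "www.qatar.mecom.ae"))
```

The shadowing case is the one to keep in mind when hand-editing a large RPZ: adding a single deeper entry such as mail.qatar.mecom.ae makes qatar.mecom.ae an existing name, so *.mecom.ae stops covering its other children until *.qatar.mecom.ae is added as well.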

More information about the DNSfirewalls mailing list