IETF Logo Mail Archive

Re: [Add] some background on split DNS with DNSSEC

Dan Wing <danwing@gmail.com> Wed, 10 November 2021 17:42 UTC

Return-Path: <danwing@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F157A3A11EF for <add@ietfa.amsl.com>; Wed, 10 Nov 2021 09:42:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jbKdsosKQaQH for <add@ietfa.amsl.com>; Wed, 10 Nov 2021 09:42:48 -0800 (PST)
Received: from mail-pf1-x42f.google.com (mail-pf1-x42f.google.com [IPv6:2607:f8b0:4864:20::42f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBFF43A11E8 for <add@ietf.org>; Wed, 10 Nov 2021 09:42:48 -0800 (PST)
Received: by mail-pf1-x42f.google.com with SMTP id n85so3278199pfd.10 for <add@ietf.org>; Wed, 10 Nov 2021 09:42:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=KG2eGaSKf7Xgl97PEDWLBagKQrKK1IIiMb9engpTWc0=; b=LFAfTITdfL5aHwIQgiVRKHWncAcZlnl7/RaXrdKshFD3t3hhWq/+Cm9VZttsZvOVzM P26UA5zsMQQk8ywBhX+PfU+/z3RV3cF5A5dE68hYv5DpcR3dQbEYvszdmCEwwloVLZ5R IWkZZiA2z8W8CtbskDGrqFZVsr5sAe9tkJ029l4htPyGtzwlqeaIPlgr+tGaEB3SWCAo 6Ey2xjdD/Dy6XceSrJtanGsN5jR5yymONShmvabZ4NtIM63Q58dzpvHWlYXT5j8kJtX3 eDezNZaNeTTwceGQXi5Y2BJhYGrPQpNYZKkZXtzf59999H+QNJL2qej5WjweozX42dus 0ZMA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=KG2eGaSKf7Xgl97PEDWLBagKQrKK1IIiMb9engpTWc0=; b=OHHjwu2TIBmqyhtDS8nuWWF3U9ixLJlmrF79bLTxuK398jFVXXkJ3HbnLPzt7/HBsU v2BpoNEQz0UqRfoXCeOrDbUGR5qgeX0e1wBlKBe2PBOzjWek4DKT+fcUqOgAHPLqYD4s qnnK57dfHPEP5DaeibnrkW2jVb6YywMlpKeDi+j4ALmwwZEH/JyVfUGh6T6M3J1IOn5Q aoVDTSTmouZ5qs/pe7RgDGeB/Od+Gm/B/ajkA9ICUwFFTcG2f3Fhg4TKRY0R9o6mfsqP 5LQobHd2wmchi3STQcleKukIPE2jkkVd5TwTQPnhGVnWPa89nzqVWBc3VHrwnUnIy8Nf roLg==
X-Gm-Message-State: AOAM532qveKS6xInVxlGID0p+Njc/1sHj477YUvALc8P3w6NvAX40hsK KKVoh6pVGnlLWnRVc72p4B00KdIYIEI=
X-Google-Smtp-Source: ABdhPJzBOVVjMjyQRWsLc6T2Upi2RmvfTKvziR03QlnllRZQdhpcZBmE4GghF0OOtIRYE5jox1SUfg==
X-Received: by 2002:a63:c09:: with SMTP id b9mr347331pgl.365.1636566167731; Wed, 10 Nov 2021 09:42:47 -0800 (PST)
Received: from smtpclient.apple (47-208-218-46.trckcmtc01.res.dyn.suddenlink.net. [47.208.218.46]) by smtp.gmail.com with ESMTPSA id s6sm302384pfu.137.2021.11.10.09.42.46 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 10 Nov 2021 09:42:47 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Dan Wing <danwing@gmail.com>
In-Reply-To: <c999a1c7-a8e-2f94-10f9-5342ff4fc696@nohats.ca>
Date: Wed, 10 Nov 2021 09:42:44 -0800
Cc: "Deen, Glenn" <Glenn_Deen=40comcast.com@dmarc.ietf.org>, "add@ietf org" <add@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <BE29E9B2-5B3C-4B7B-9E61-91F15737942F@gmail.com>
References: <DD51ECDC-9787-4DEB-A2AF-39C3CF2ABEE8@nbcuni.com> <c999a1c7-a8e-2f94-10f9-5342ff4fc696@nohats.ca>
To: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/Nyb1HpGpNoHqkmolBvxJbnYAmgw>
Subject: Re: [Add] some background on split DNS with DNSSEC
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Nov 2021 17:42:53 -0000

On Nov 9, 2021, at 3:09 PM, Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org> wrote:
...
> I have been at a hotel chain that blocked priceline.com. Coffeeshop
> wifi might prevent certain domains to prevent things like Google Meet
> or other domains that make people use a lot of bandwidth and stay very
> long. Schools might grab facebook to block it. While I think network
> owners should be able to dictare terms on their clients, I don't think
> the current ADD split-dns is the right mechanism for that.
> 
> And then we have the issue of this document of split DNS having a run-in
> with censorship, either by nationstate or as a security service. In
> those cases, the goal is to take over all DNS for the protection of the
> user. When that happens, it overrides the split-dns network configuration.
> But of course, enforcing of that is impossible and a race of DoH against
> the administrator ensures.

The split-dns draft does not enable such blocking, except by the domain owner of priceline.com, facebook.com.  That is, the hotel could not use split-dns to block priceline.com.  That is exactly the attack the query to the public DNS prevents.  During Q&A, I was encouraged to document that attack and how it is mitigated better.  We plan to add that explanation to an updated version.

...
> Putting a solution in the stub would be good.  I think ADD can specify something
> here, but it would really be part of (and authenticated by) the enterprise
> provisioning. Which could be as simple as a URI via DHCP option to a signed
> list by a CA that I installed. I am not sure dancing around in different
> DNS views would be particularly useful. And it would still allow
> outsiders to see those public DNS queries which are supposed to remain
> private. And I still don't understand the updates to the document from
> this Monday, that adds some packet flaw images, but no DNS query
> information. I still don't understand it :(

RFC8801's PvD are doing that (albeit using IPv6 RA rather than DHCP as you suggest).  I am not a fan of the IPv6 requirement for RFC8801's PvDs.  Enterprises continue to avoid deploying IPv6 internally.  

The current split-dns document validates the PvD returned by querying public DNS.  If that validation fails, the dnsZones claim in PvD is considered bogus ("lying") by the split-dns document.


This conversation is giving me another idea which I will explore next week.

-d

v2.23.0 | Report a Bug | By Email