[DNSOP] proposal: Covert in-band zone data
Evan Hunt <each@isc.org> Sat, 06 July 2019 21:30 UTC
Date: Sat, 06 Jul 2019 21:30:24 +0000
From: Evan Hunt <each@isc.org>
To: dnsop <dnsop@ietf.org>
Message-ID: <20190706213024.GA56650@isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/1eioiuR7IOducIclzZl1knUH3_A>
Subject: [DNSOP] proposal: Covert in-band zone data
Colleagues,

Some years ago, Dan Mahoney and I submitted a draft describing a proposed mechanism for storing confidential zone comments alongside normal zone data - a NOTE RR, which would be transferrable from primary to secondary servers, but not accessible to ordinary DNS queries. It generated some initial interest, but not much momentum, and we let the proposal lapse.

More recently, Witold Krecicki had a very similar idea for a mechanism to disseminate private key data between primary and secondary servers. We talked it over and decided to expand the NOTE record semantics into a generic method for storing and transferring covert in-band zone data.

The generic mechanism is described in draft-krecicki-dns-covert-00. It calls for the allocation of a range of "Covert-RR" type code values, which would have restrictions on their dissemination. A primary server implementing Covert-RR types must not allow them to be queried, nor to be transferred to a secondary server unless that server indicates via an EDNS option that it *also* understands Covert record semantics and will not transfer the data to any peer that doesn't.

The original NOTE RR draft has been shrunk down and rewritten as a proposed use case for Covert RRs. Additional use cases will be coming in the future; in particular, draft-pusateri-dnsop-update-timeout seems like it might be a good candidate.

Details are below. Please have a look. Thanks!
--------
Name:           draft-krecicki-dns-covert
Revision:       00
Title:          Domain Name System (DNS) Resource Record types for transferring covert information from primary to secondaries
Document date:  2019-07-06
Group:          Individual Submission
Pages:          6
URL:            https://www.ietf.org/internet-drafts/draft-krecicki-dns-covert-00.txt
Status:         https://datatracker.ietf.org/doc/draft-krecicki-dns-covert/
Htmlized:       https://tools.ietf.org/html/draft-krecicki-dns-covert-00
Htmlized:       https://datatracker.ietf.org/doc/html/draft-krecicki-dns-covert

Abstract:
   The Domain Name System (DNS) Resource Record TYPEs IANA registry
   reserves the range 128-255 for Q-TYPEs and Meta-TYPEs [RFC6895] -
   Resource Records that can only be queried for or contain transient
   data associated with a particular DNS message. This document reserves
   a range of RR TYPE numbers for Covert-TYPEs - types that are an
   integral part of the zone but cannot be accessed via a normal QUERY
   operation. Uses for such records could include zone comments that are
   transferrable with the zone, expiry times for dynamically updated
   records, or Zone Signing Keys for inline signing. This document,
   however, does not define any specific Covert RR types.

--------
Name:           draft-hunt-note-rr
Revision:       02
Title:          A DNS Resource Record for Confidential Comments (NOTE RR)
Document date:  2019-07-06
Group:          Individual Submission
Pages:          4
URL:            https://www.ietf.org/internet-drafts/draft-hunt-note-rr-02.txt
Status:         https://datatracker.ietf.org/doc/draft-hunt-note-rr/
Htmlized:       https://tools.ietf.org/html/draft-hunt-note-rr-02
Htmlized:       https://datatracker.ietf.org/doc/html/draft-hunt-note-rr
Diff:           https://www.ietf.org/rfcdiff?url2=draft-hunt-note-rr-02

Abstract:
   While the DNS zone master file format has always allowed comments,
   there is no existing mechanism to preserve comments once the zone has
   been loaded into memory or converted to a binary representation.

   This note proposes a new RR type "NOTE", to be allocated from the
   Covert-RR type range proposed in [I-D.krecicki-dns-covert], so that
   confidential comments can be stored alongside zone data, and included
   in zone transfers when Covert semantics are supported by the
   secondary.
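The dissemination rule the message describes (covert records invisible to ordinary QUERY, and transferred only to a secondary that signals Covert support via an EDNS option so the data never reaches a peer that would serve it) can be modelled in a few dozen lines. The following is an added illustration and is not code from either draft, from BIND, or from any other DNS implementation. The drafts fix neither the Covert-TYPE number range nor the EDNS option code, so `COVERT_TYPE_RANGE`, `TYPE_NOTE` and `EDNS_COVERT_OPTION` are placeholder values assumed for this model, the zone contents are constructed, and the `LegacyServer` class exists only to show what a pre-Covert peer would do with covert data if a primary ever handed it over. The model also treats an ANY query as an ordinary QUERY (so covert records are omitted from it), which follows from the abstract's wording but is not spelled out on the page.

```python
"""Model of the Covert-RR dissemination rule in draft-krecicki-dns-covert-00.

Added illustration only: not code from the draft, from BIND, or from any
other DNS implementation. The draft reserves a range of RR TYPE numbers for
Covert-TYPEs and requires an EDNS option for secondaries to signal support,
but fixes neither value; the numbers below are placeholders for this model.
"""
from dataclasses import dataclass

TYPE_A, TYPE_NS, TYPE_SOA, TYPE_AXFR, TYPE_ANY = 1, 2, 6, 252, 255
COVERT_TYPE_RANGE = range(60000, 60100)   # ASSUMPTION: placeholder Covert-TYPE range
TYPE_NOTE = 60001                          # ASSUMPTION: placeholder code for NOTE
EDNS_COVERT_OPTION = 65001                 # ASSUMPTION: placeholder EDNS option code


def is_covert(rtype: int) -> bool:
    return rtype in COVERT_TYPE_RANGE


@dataclass(frozen=True)
class RR:
    name: str
    rtype: int
    rdata: str


@dataclass
class Query:
    qname: str
    qtype: int
    edns_options: frozenset = frozenset()


class CovertAwareServer:
    """A server implementing the draft's rules for both QUERY and AXFR."""

    def __init__(self, zone):
        self.zone = list(zone)

    def answer(self, q: Query) -> list:
        if q.qtype == TYPE_AXFR:
            return self._transfer(q)
        # Covert records are never visible to an ordinary QUERY: an explicit
        # request for a covert type, or an ANY query, behaves as if they
        # were absent from the zone.
        return [rr for rr in self.zone
                if rr.name == q.qname
                and not is_covert(rr.rtype)
                and (q.qtype == TYPE_ANY or rr.rtype == q.qtype)]

    def _transfer(self, q: Query) -> list:
        # Only a peer that signals Covert support via the EDNS option gets the
        # covert records; every other peer receives the zone without them.
        peer_understands_covert = EDNS_COVERT_OPTION in q.edns_options
        return [rr for rr in self.zone
                if peer_understands_covert or not is_covert(rr.rtype)]


class LegacyServer:
    """A pre-Covert server: serves and transfers whatever it holds."""

    def __init__(self, zone):
        self.zone = list(zone)

    def answer(self, q: Query) -> list:
        if q.qtype == TYPE_AXFR:
            return list(self.zone)
        return [rr for rr in self.zone if rr.name == q.qname
                and (q.qtype == TYPE_ANY or rr.rtype == q.qtype)]


def axfr(peer, zone_name: str, covert_capable: bool) -> list:
    """Pull a zone from `peer`, advertising Covert support only if capable."""
    opts = frozenset({EDNS_COVERT_OPTION}) if covert_capable else frozenset()
    return peer.answer(Query(zone_name, TYPE_AXFR, opts))


def covert_types_in(rrs) -> list:
    return [rr.rtype for rr in rrs if is_covert(rr.rtype)]


# Constructed sample zone: three ordinary records and one covert NOTE.
ZONE = [
    RR("example.com.", TYPE_SOA, "ns1.example.com. hostmaster.example.com. 2019070601 3600 900 604800 300"),
    RR("example.com.", TYPE_NS, "ns1.example.com."),
    RR("www.example.com.", TYPE_A, "192.0.2.10"),
    RR("www.example.com.", TYPE_NOTE, "constructed comment: legacy host, decommission after migration"),
]


def demo() -> dict:
    primary = CovertAwareServer(ZONE)
    www_any = Query("www.example.com.", TYPE_ANY)
    # 1. A direct QUERY for the covert type and an ANY query both hide it.
    note_q = primary.answer(Query("www.example.com.", TYPE_NOTE))
    any_q = primary.answer(www_any)
    # 2. A Covert-aware secondary receives the NOTE and applies the same rule.
    secondary = CovertAwareServer(axfr(primary, "example.com.", covert_capable=True))
    # 3. A legacy server downstream of either gets a zone with no covert data,
    #    so it has nothing to leak even though it serves everything it holds.
    legacy_a = LegacyServer(axfr(primary, "example.com.", covert_capable=False))
    legacy_b = LegacyServer(axfr(secondary, "example.com.", covert_capable=False))
    # 4. Why the EDNS gate matters: a legacy server handed the raw zone would
    #    answer an ANY query with the covert record included.
    raw_legacy = LegacyServer(ZONE)
    return {
        "query_note": len(note_q),
        "any_has_covert": bool(covert_types_in(any_q)),
        "secondary_has_note": TYPE_NOTE in covert_types_in(secondary.zone),
        "legacy_from_primary_has_note": TYPE_NOTE in covert_types_in(legacy_a.zone),
        "legacy_from_secondary_has_note": TYPE_NOTE in covert_types_in(legacy_b.zone),
        "legacy_any_leaks": bool(covert_types_in(legacy_b.answer(www_any))),
        "raw_legacy_any_leaks": bool(covert_types_in(raw_legacy.answer(www_any))),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes is that the gate has to sit at the primary's transfer logic, not at the consumer: once a covert record reaches a server that does not implement the semantics, nothing downstream can recover confidentiality, which is why the draft requires the EDNS signal before any covert data leaves the primary.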
- [DNSOP] proposal: Covert in-band zone data Evan Hunt
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Evan Hunt
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Wessels, Duane
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Brian Dickson
- Re: [DNSOP] proposal: Covert in-band zone data Richard Gibson
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Bill Woodcock
- Re: [DNSOP] proposal: Covert in-band zone data Wessels, Duane
- Re: [DNSOP] proposal: Covert in-band zone data jabley
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Tony Finch
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Dan Mahoney
- Re: [DNSOP] proposal: Covert in-band zone data Matthew Pounsett
- Re: [DNSOP] proposal: Covert in-band zone data Samuel Weiler
- Re: [DNSOP] proposal: Covert in-band zone data Ólafur Guðmundsson
- Re: [DNSOP] proposal: Covert in-band zone data Paul Wouters
- Re: [DNSOP] proposal: Covert in-band zone data Evan Hunt
- Re: [DNSOP] proposal: Covert in-band zone data Tim Wattenberg
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Dan Mahoney
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Dan Mahoney
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Bob Harold
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Dan Mahoney
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Mark Andrews
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Bob Harold
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data JW λ John Woodworth