Re: [DNSOP] proposal: Covert in-band zone data
Witold Krecicki <wpk@isc.org> Fri, 02 August 2019 17:24 UTC
Return-Path: <wpk@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DB69120750 for <dnsop@ietfa.amsl.com>; Fri, 2 Aug 2019 10:24:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id juGAyy5OxSP6 for <dnsop@ietfa.amsl.com>; Fri, 2 Aug 2019 10:24:44 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 047EC1201AA for <dnsop@ietf.org>; Fri, 2 Aug 2019 10:24:44 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id A49643AB008; Fri, 2 Aug 2019 17:24:43 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 8C604160055; Fri, 2 Aug 2019 17:24:43 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 7BDA216008D; Fri, 2 Aug 2019 17:24:43 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Mfp4RxWjvUYv; Fri, 2 Aug 2019 17:24:43 +0000 (UTC)
Received: from [192.168.69.142] (unknown [31.179.189.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 6D5BC160055; Fri, 2 Aug 2019 17:24:42 +0000 (UTC)
To: Joe Abley <jabley@hopcount.ca>
Cc: Paul Ebersman <list-dnsop@dragon.net>, dnsop@ietf.org
References: <20190706213024.GA56650@isc.org> <alpine.BSF.2.21.9999.1907221704030.7062@bikeshed.isc.org> <CAN6NTqymm6+OMet0sMZC0Ms5E_5mj_nwONk3fR19HwgWXYNB4Q@mail.gmail.com> <alpine.LRH.2.21.1907251332070.10708@bofh.nohats.ca> <20190725183051.33DA315BFD9D@fafnir.remote.dragon.net> <alpine.BSF.2.21.9999.1907301916050.7062@bikeshed.isc.org> <20190730200859.A424215E6AD4@fafnir.remote.dragon.net> <alpine.BSF.2.21.9999.1907302009500.7062@bikeshed.isc.org> <20190730201628.1496015E6BFA@fafnir.remote.dragon.net> <2b2a0e4d-3720-b88c-6377-195117896e8f@isc.org> <20190802143247.A9E251601056@fafnir.remote.dragon.net> <91c0669e-66b5-05d6-d788-59aea804a13e@isc.org> <3CBF15C5-8378-45B5-BF25-ACB014A2788D@hopcount.ca>
From: Witold Krecicki <wpk@isc.org>
Message-ID: <0eb7b1db-33d8-f776-02f6-2e4a722b96b1@isc.org>
Date: Fri, 02 Aug 2019 19:24:38 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <3CBF15C5-8378-45B5-BF25-ACB014A2788D@hopcount.ca>
Content-Type: text/plain; charset="windows-1252"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/6jKx2vlrtb8u2TW0BjTEBtoOOpY>
Subject: Re: [DNSOP] proposal: Covert in-band zone data
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Aug 2019 17:24:46 -0000
Hello Joe, W dniu 02.08.2019 o 18:28, Joe Abley pisze: > Hi Witold, > > On 2 Aug 2019, at 10:46, Witold Krecicki <wpk@isc.org> wrote: > >> They should fail to load the zone as it will contain RRs that it does >> not understand. As long as they won't serve covert records to general >> public - I don't really care. > > Standard behaviour is to handle opaque types. You're speculating about the broad range of possibly non-standard behaviour and deciding that anything that is non-standard will exhibit one particular kind of behaviour. I think that's the opposite of what we would normally attribute to "non-standard". An implementation won't be able to load a covert RR from a masterfile because it won't understand it's TYPE field - it'd either be a specific COVERT type (which has to be supported to be loaded) or an opaque COVERTNNNNN - as a replacement for RFC3597 TYPENNNNN (it's not in the -00, I talked about it during presentation). Yes, the operator can write a COVERT type as RFC3597 TYPENNNNN and load it into a server that does not support COVERT. Operator can also put his private DNSSEC keys into a TXT records - there always will be a chance of footshooting, no matter how perfect the standards or implementations. > I continue to think that taking a protocol (DNS) and deployed implementations (nameservers) that are designed to answer queries and trying to bolt on a backwards-compatible mechanism for carrying data that is not exposed by queries is just a recipe for data leakage. Any data that is really intended not to be disclosed cannot use a mechanism that is almost guaranteed to leak, which means that this proposed mechanism has no real use case. We already have records that cannot be directly queried (NSEC5), implementations don't have any problems with not responding to direct NSEC5 queries. Thinking this way we should never use DNSSEC (or HTTPS) because a bug in implementation can cause private keys to leak. Also, this mechanism is not backwards compatible - a server not supporting COVERT records won't be able, in any way, to serve a zone that has COVERT records - it won't be able to load the zone (reasons stated above), it won't be able to transfer the zone from a COVERT-supporting primary (because it won't send COVERT-OK EDNS0) option, I'm thinking about putting a requirement that binary formats (bind9 mapfile/journal) must also be incompatible with non-COVERT-supporting versions. > I am not in favour of this proposal, which I think is camel abuse. Looking at what's happening recently at DNSOP everyone is abusing labeling everything they don't like a 'camel abuse', it's getting dangerously close to being just a pure insult... Witold
- [DNSOP] proposal: Covert in-band zone data Evan Hunt
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Evan Hunt
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Wessels, Duane
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Brian Dickson
- Re: [DNSOP] proposal: Covert in-band zone data Richard Gibson
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Bill Woodcock
- Re: [DNSOP] proposal: Covert in-band zone data Wessels, Duane
- Re: [DNSOP] proposal: Covert in-band zone data jabley
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Tony Finch
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Dan Mahoney
- Re: [DNSOP] proposal: Covert in-band zone data Matthew Pounsett
- Re: [DNSOP] proposal: Covert in-band zone data Samuel Weiler
- Re: [DNSOP] proposal: Covert in-band zone data Ólafur Guðmundsson
- Re: [DNSOP] proposal: Covert in-band zone data Paul Wouters
- Re: [DNSOP] proposal: Covert in-band zone data Evan Hunt
- Re: [DNSOP] proposal: Covert in-band zone data Tim Wattenberg
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Dan Mahoney
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Dan Mahoney
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Bob Harold
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Dan Mahoney
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Mark Andrews
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Bob Harold
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data JW λ John Woodworth