Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt
Mukund Sivaraman <muks@isc.org> Fri, 30 December 2016 12:25 UTC
Return-Path: <muks@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B02B91295B7 for <dnsop@ietfa.amsl.com>; Fri, 30 Dec 2016 04:25:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k0BWVw3zyXMe for <dnsop@ietfa.amsl.com>; Fri, 30 Dec 2016 04:25:58 -0800 (PST)
Received: from mail.banu.com (mail.banu.com [IPv6:2a01:4f8:140:644b::225]) by ietfa.amsl.com (Postfix) with ESMTP id 2DBA31294D6 for <dnsop@ietf.org>; Fri, 30 Dec 2016 04:25:58 -0800 (PST)
Received: from jurassic (unknown [115.118.27.186]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.banu.com (Postfix) with ESMTPSA id 5C12D2FA003F; Fri, 30 Dec 2016 12:25:55 +0000 (GMT)
Date: Fri, 30 Dec 2016 17:55:50 +0530
From: Mukund Sivaraman <muks@isc.org>
To: Vernon Schryver <vjs@rhyolite.com>
Message-ID: <20161230122550.GA3146@jurassic>
References: <20161230091702.GA32139@jurassic> <201612301145.uBUBjNdi061755@calcite.rhyolite.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="azLHFNyN32YCQGCU"
Content-Disposition: inline
In-Reply-To: <201612301145.uBUBjNdi061755@calcite.rhyolite.com>
User-Agent: Mutt/1.7.1 (2016-10-04)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/9pDXU-VuJ5Gce0zBMd1sskVo38A>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Dec 2016 12:25:59 -0000
Hi Vernon On Fri, Dec 30, 2016 at 11:45:23AM +0000, Vernon Schryver wrote: > > From: Mukund Sivaraman <muks@isc.org> > > > > In 4.1.1 (IP address encoding in triggers), I suggest adding: > > > > > > - The encoded address prefix MUST NOT not have any extra trailing 1s > > > (longer address prefix than the prefix length) or the rule will be > > > rejected. E.g., the following trigger will be rejected: > > > > > > 8.1.0.0.10.rpz-client-ip > > The draft tries to address that issue with these final words of 4.1.1 in > https://tools.ietf.org/html/draft-vixie-dns-rpz-04 > > ] In the case of an address block, either IPv4 or IPv6, the address > ] part MUST NOT contain any non-zero bits after the section indicated > ] by the prefix length. For example, "8.2.0.0.10.rpz-client-ip" is not > ] a valid trigger, because in the address "10.0.0.2" expressed in > ] binary notation, a one occurs outside the first 8 bits or prefix of > ] the address block. > > Please suggest improvements. > > > > > Some minor nits: > > > > > > - Include an IPv4 example in 4.1.1 (IP address encoding in triggers) > > I don't understand how that would differ from the second paragraph of 4.1.1 > which is > > ] For example, the address block 192.0.2.0/24 is encoded as > ] "24.0.2.0.192". > > Could you suggest some more or better text? > > > > > - Maybe include that "zz" label in v6 encoding can also appear on > > > - either side of the address bits label sequence > > I don't understand. Describing how zz/:: works seemed difficult (as > demonstrated by the tech.note), so the draft tries to punt to RFC 5952. > As always, please suggest better words than are now in the draft. It seems that I was again reading an older revision of the draft! It appears Paul did make the changes. I'm sorry for the confusion. > > 2. BIND makes the assumption that a trigger is exclusive within a zone. > > So for example, if a zone transfer of an RPZ zone has taken place, and > > currently the RPZ summary datastructures are being updated, the > > datastructures can contain policy rules partially from an older version > > of the zone and partially from a newer version of the zone (from the > > transfer). As long as the change to an entire RR of a policy rule is > > applied atomically, to BIND this is a consistent set of policy rules > > (some of rules from previous version of zone, remaining from newer > > version). This behavior is consistent with the RPZ rules so far, but it > > would be wise to make a note of it. > > > > (Note that this behavior is different from the old BIND RPZ > > implementation and so you may not be familiar with it.) > > Are you saying that the rdataset held st->r.r_rdataset or st->r.ns_rdataset > could be bogus in old versions of BIND? Or that st->r.ns_rdataset and > st->r.r_rdataset might be from differing versions of red/black trees? > If so, that sounds like a good bug fix that might be documented in > BIND release notes or elsewhere, but not like something that should > be mentioned in description of the protocol. > > Or do you mean that there should be words somewhere to the effect that > RPZ results must be sane despite concurrent AXFR/IXFR activity of > individual policy zones? If so, please suggest some words. Then there > is what should happen if a transfer of a policy zone happens between > the time QNAME rules are checked and the generally later time when > NSIP and NSDNAME rules are checked. The draft tries to pretend that > all of the rules in all of the policy zones are checked instantaneously, > and never mind real code or the delays forced by recursion. Words > about these issues are not BIND specific would probably be good, so > please suggest some. What I mean is is effectively this: an update to an RPZ zone on the resolver may not be atomic, i.e., the resolver may not match policy rules against a consistent before- or after- copy of the RPZ zone during its zone transfer. It may have a copy of RPZ policy rules in a datastructure that is partially from a previous revision of the zone, and partially from the incoming next revision. Let A be the pre-transfer revision of the zone. B be the post-transfer revision of the zone: 1. If trigger X doesn't exist in zone A and doesn't exist in zone B, the resolver will not match against X during the transfer. This is consistent with the case when the zone update is done atomically. 2. If trigger X exists in zone A and doesn't exist in zone B, the resolver may or may not match against X during the transfer. This is consistent with the case when the zone update is done atomically. 3. If trigger X doesn't exist in zone A and exists in zone B, the resolver may or may not match against X during the transfer. This is consistent with the case when the zone update is done atomically. 4. If trigger X exists in zone A and exists in zone B, the resolver will match against trigger X from zone A or zone B during the transfer. This is consistent with the case when the zone update is done atomically. What I mean to say is that a zone transfer of policy zone is not atomic. The resolver may match against triggers in A or B depending on the progress of update. Only 1 trigger may match within a zone, so this can be assumed with current RPZ syntax. But this behavior of RPZ zone transfers not being treated atomically should be documented. Mukund
- [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt internet-drafts
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ted Lemon
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Vernon Schryver
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Scott Schmit
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Tony Finch
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Scott Schmit
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Adrien de Croy
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ralf Weber
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt sthaug
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Evan Hunt
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt bert hubert
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt bert hubert
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Jim Reid
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt bert hubert
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ralf Weber
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Tony Finch
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Tony Finch
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt sthaug
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Vernon Schryver
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Evan Hunt
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt william manning
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Evan Hunt
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Allan Liska
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Jim Reid
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ted Lemon
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt David Conrad
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt John Levine
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Olafur Gudmundsson
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt william manning
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ted Lemon
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ray Bellis
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ted Lemon
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt John Levine
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Paul Wouters
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Scott Morizot
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt John Levine
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Stephane Bortzmeyer
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Stephane Bortzmeyer
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Stephane Bortzmeyer
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt sthaug
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt John Levine
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Tony Finch
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Vernon Schryver
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Paul Wouters
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt John Levine
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Vernon Schryver
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Mukund Sivaraman
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Vernon Schryver
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Vernon Schryver
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Mukund Sivaraman
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Mukund Sivaraman
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt David Conrad