Re: [DNSOP] Filtering and DNSSEC
Paul Wouters <paul@nohats.ca> Thu, 25 November 2021 14:41 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BF4A3A08DC; Thu, 25 Nov 2021 06:41:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dVTL0vIzzB9m; Thu, 25 Nov 2021 06:41:52 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08E343A07B8; Thu, 25 Nov 2021 06:41:51 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4J0LDX4rQyzCgp; Thu, 25 Nov 2021 15:41:48 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1637851308; bh=6QgGG7rr/HyXO641OfpwoWSUtYmy3VoOp/KTSW38tZQ=; h=From:Subject:Date:References:Cc:In-Reply-To:To; b=KduM8FUZOO0BzEPNL+YwZNZ7hIYpv6e67Kmyuygw2jtZw3ih7bIt+A2Ev4wo4wzpm 7Ds92kfl4BzHrJc+g+AUsdAxT8+MbYADTeqJ1hSkqVs9iQvHN7KWmy0oQYPPJNdfge rdzT+QSTwNezVv9WZuxF4jBQGUgMM8d5Xb1Ltjsk=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 8pYGtwR8RI4y; Thu, 25 Nov 2021 15:41:47 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Thu, 25 Nov 2021 15:41:47 +0100 (CET)
Received: from smtpclient.apple (unknown [72.143.196.112]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by bofh.nohats.ca (Postfix) with ESMTPSA id 823DF17EFAC; Thu, 25 Nov 2021 09:41:45 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Paul Wouters <paul@nohats.ca>
Mime-Version: 1.0 (1.0)
Date: Thu, 25 Nov 2021 09:41:42 -0500
Message-Id: <D9B13846-F7B3-4402-9363-8E8036F0E4B2@nohats.ca>
References: <4dc9b976-cc1c-d0a6-0352-06db19e42068@nic.cz>
Cc: DNSOP WG <dnsop@ietf.org>, draft-wing-dnsop-structured-dns-error-page@ietf.org
In-Reply-To: <4dc9b976-cc1c-d0a6-0352-06db19e42068@nic.cz>
To: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
X-Mailer: iPhone Mail (19A404)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/AOSNhvjPIkgruXBH-4tI-DX4ZuI>
Subject: Re: [DNSOP] Filtering and DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Nov 2021 14:41:58 -0000
I have repeatedly asked for RPZ draft publication so we can extend to a new version of RPZ that moves the censored dnssec answer to the additional section. This has the advantage that: 1) dnssec validation can still be done by clients that support this on the withheld answer RR 2) censorship is forced to be opt-in (the real answer can still be digged out of censored replies) 3) rogue censoring is still flagged as rogue censorship Paul Sent using a virtual keyboard on a phone > On Nov 25, 2021, at 08:37, Vladimír Čunát <vladimir.cunat+ietf@nic.cz> wrote: > > Hello, > I realize this is tangential, but I believe it's important over the long term. > > Any modification of DNS will break *later* DNSSEC validation. As filtering seems almost always done by DNS modification (e.g. NXDOMAIN), and I see significant trends in doing filtering as a service, there's a problem that DNSSEC gets crippled from the filterer onwards. > > I can't realistically see moving *all* filtering use cases into end clients, but I'd really hate for DNSSEC to meet the same fate and I don't think it's necessary at all. In other words, we need a model where upstream DNS service is trusted with filtering but not with DNSSEC. Now perhaps if validation was done directly in a browser, it might choose that only "positive" answers get validated and the rest is trusted (encrypted link etc), but generally I wouldn't do that, as it would surely create some holes in DANE or elsewhere. > > What we already have is SERVFAIL. That's what validators MUST return instead of the forged answer (since the beginning of DNSSEC). And actually it does the filtering job, as the SERVFAILed services won't be accessible. > > With EDE (RFC 8914) indicating a few kinds of filtering, servers and clients now could make some behavior better suited for these cases, around fallback to other servers, maybe caching, etc. (Say, only if it came over a trusted channel, based on local policy.) I suspect there's currently still lots of room for improvement on implementation side here. And orthogonally, structured-error-page or other mechanism could extend the available information in these *SERVFAIL* answers and perhaps get utilized in web browsers. > > I do realize that SERVFAIL isn't ideal approach to blocking, but I can't really see anything better (or similar) that could reconcile DNSSEC with some of the common filtering use cases. > > --Vladimir | knot-resolver.cz > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop
- [DNSOP] updated to draft-wing-dnsop-structured-dn… Dan Wing
- Re: [DNSOP] updated to draft-wing-dnsop-structure… Petr Špaček
- Re: [DNSOP] updated to draft-wing-dnsop-structure… Vittorio Bertola
- Re: [DNSOP] updated to draft-wing-dnsop-structure… Stephane Bortzmeyer
- Re: [DNSOP] updated to draft-wing-dnsop-structure… Stephane Bortzmeyer
- Re: [DNSOP] updated to draft-wing-dnsop-structure… Ben Schwartz
- Re: [DNSOP] updated to draft-wing-dnsop-structure… Petr Špaček
- Re: [DNSOP] updated to draft-wing-dnsop-structure… Petr Špaček
- Re: [DNSOP] updated to draft-wing-dnsop-structure… Eric Orth
- Re: [DNSOP] updated to draft-wing-dnsop-structure… tirumal reddy
- Re: [DNSOP] updated to draft-wing-dnsop-structure… tirumal reddy
- Re: [DNSOP] updated to draft-wing-dnsop-structure… Neil Cook
- Re: [DNSOP] updated to draft-wing-dnsop-structure… Eric Orth
- Re: [DNSOP] Filtering and DNSSEC Paul Wouters
- Re: [DNSOP] Filtering and DNSSEC Vladimír Čunát
- Re: [DNSOP] Filtering and DNSSEC Paul Vixie
- Re: [DNSOP] Filtering and DNSSEC Paul Wouters
- Re: [DNSOP] Filtering and DNSSEC Paul Vixie