IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

Scott Schmit <i.grok@comcast.net> Sun, 18 December 2016 22:42 UTC

Return-Path: <i.grok@comcast.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DA3B12964D for <dnsop@ietfa.amsl.com>; Sun, 18 Dec 2016 14:42:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.8
X-Spam-Level:
X-Spam-Status: No, score=-5.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=comcast.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xuLqQwuZaukA for <dnsop@ietfa.amsl.com>; Sun, 18 Dec 2016 14:42:46 -0800 (PST)
Received: from resqmta-po-09v.sys.comcast.net (resqmta-po-09v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:168]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 331F81294A6 for <dnsop@ietf.org>; Sun, 18 Dec 2016 14:42:46 -0800 (PST)
Received: from resomta-po-19v.sys.comcast.net ([96.114.154.243]) by resqmta-po-09v.sys.comcast.net with SMTP id Ik9ocSW145lLvIkAHcSsab; Sun, 18 Dec 2016 22:42:45 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20161114; t=1482100965; bh=ah8gqrVZfIntgn5CfNpMbUIIgt27pRJZpbmISNgndi4=; h=Received:Received:Received:Received:Date:From:To:Subject: Message-ID:MIME-Version:Content-Type; b=M+6yKRRfD/KsnbbNCdv3hVX3qVGkOKAhThX7/3+KNAS3uP2Bh5MtkI1rKNPJKb/ZC yluy5Yir3JZTW6KDpeThf+T4RZV84BrWJ+/aULMv4VBmuum547At4YsmR+YTbwodUi mfyG4qP4dsKfXF5x9bLWFXk6oNIvSiZAh5R5SxAd4F0Mzw9dRvTcK98xCh8VRKWhRn lnGXlO+C8BJMVf2PtIHaBzHM7t2lFxwrrYruIX/YRjudd/jPZII7TIOzX+wJnlY408 rJXF2jSiY0EIP1mog8fkzC+wvl3mH0G8lXyczMRzy+GvDbpJF4GyI9qG3JC3TX/0ye GCNNi0/pMucmQ==
Received: from odin.ULTHAR.us ([IPv6:2001:470:8c86:0:225:64ff:fe8b:c2f2]) by resomta-po-19v.sys.comcast.net with SMTP id IkA6cIUSJfVXsIkABcI0Wc; Sun, 18 Dec 2016 22:42:43 +0000
Received: from odin.ulthar.us (localhost [127.0.0.1]) by odin.ULTHAR.us (8.15.2/8.14.5) with ESMTP id uBIMgVqB018368 for <dnsop@ietf.org>; Sun, 18 Dec 2016 17:42:31 -0500
Received: (from draco@localhost) by odin.ulthar.us (8.15.2/8.15.2/Submit) id uBIMgVDZ018367 for dnsop@ietf.org; Sun, 18 Dec 2016 17:42:31 -0500
Date: Sun, 18 Dec 2016 17:42:31 -0500
From: Scott Schmit <i.grok@comcast.net>
To: dnsop@ietf.org
Message-ID: <20161218224231.GB16301@odin.ulthar.us>
References: <148192523291.14691.3300133966679345337.idtracker@ietfa.amsl.com> <20161217184006.GB4916@odin.ULTHAR.us> <1482091184.4026817.822869193.1FAC8153@webmail.messagingengine.com>
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="O5XBE6gyVG5Rl6Rj"
Content-Disposition: inline
In-Reply-To: <1482091184.4026817.822869193.1FAC8153@webmail.messagingengine.com>
User-Agent: Mutt/1.7.1 (2016-10-04)
X-CMAE-Envelope: MS4wfCkUQxMmQ8e1oNQouux9v4XNdDEurdIX/louIqnm//wyGLqPicokC1be1biIjmuYCd4FOQKxhqw42ZTgUVm0v40dCpXeS/4ol1L+MPhel5wuj4V7LDkK 7Q6F73X98LgzkwhJCPhqEK5ycS8ufxz0m7o=
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Bc-ccnYyl5LhTeW8x8GOW4IxG8k>
Subject: Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Dec 2016 22:42:47 -0000

On Sun, Dec 18, 2016 at 07:59:44PM +0000, Tony Finch wrote:
> Scott Schmit wrote:
> > This doesn't magically make it possible for this DNS firewall to forge
> > DNSSEC-signed data, so if a validating end-system is going to have its
> > behavior modified, it would need to opt in.  
> 
> That's not entirely true. An RPZ setup can lie regardless of whether a
> client appears to be validating or not. If the admin's goal is to block
> access to malicious sites, then a validating client will get a bogus
> result or SERVFAIL, and the site will be blocked as intended.

If the admin's goal is to block access to malicious sites, then they
want to block the traffic, not falsify DNS.  If the goal is to warn
users away from bad places, they can publish the list as a filter for
end-system firewalls.

If the goal is to censor the Internet and keep the rebellion from
successfully gathering and planning their actions against the Galactic
Empire, then this scheme works perfectly because it works without
requiring end systems to be involved.  And it's much easier than
manually maintaining lists.  And cross-vendor, too, so it's easier to
manage the rules across organizations, companies, even country-wide.

With a redirect capability at that scale, a (mis)configuration could
also make it very easy to send DDoS attacks at particular sites.

> > But it looks like the contents of this zone are intended to be kept
> > secret from end-users. 
> 
> That depends entirely on the zone maintainer's policy. The admin can
> easily allow clients to query or transfer an RPZ, and/or provide out of
> band information about the zone on its web site.

If allowing the zone contents to be kept secret wasn't a goal of this
design, then it wouldn't be mentioned in the security considerations
twice.  It also wouldn't be a SHOULD that the list be access-controlled.

Sure, an admin isn't required to keep it secret, but it's absolutely
built into the design.

An out of band mechanism is no substitute, as it allows for
summarization or lying by omission:  "We are only blocking access to
criminal sites.  If you're having trouble, the problem must be you."
Meanwhile the filter also blocks legal-but-"subversive" organizations.

> > So this, if implemented, is ultimately a DNSSEC-killer.
> 
> I don't think so.

Even the draft admits in 12.2 that the "break-dnssec" configuration
setting is "common".  So let's admit that this draft considers
DNSSEC an obstacle to be overcome and that doing so will be typical.

> DNSSEC is not able to improve the availability of the DNS. The point of
> DNSSEC is to ensure that if you get an answer, you can be sure it is
> authentic. If your local network wants to prevent you from accessing a
> malicious site, DNSSEC can't stop them.

You make a good point.  Sounds like there's no need for the IETF to
publish this as an RFC, since admins can already do this via other
means.  What does this make easier that should be made easier?  What
are the negative effects of that we'd rather avoid?

-- 
Scott Schmit

v2.23.0 | Report a Bug | By Email