Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt
Scott Schmit <i.grok@comcast.net> Sun, 18 December 2016 22:42 UTC
Return-Path: <i.grok@comcast.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DA3B12964D for <dnsop@ietfa.amsl.com>; Sun, 18 Dec 2016 14:42:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.8
X-Spam-Level:
X-Spam-Status: No, score=-5.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=comcast.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xuLqQwuZaukA for <dnsop@ietfa.amsl.com>; Sun, 18 Dec 2016 14:42:46 -0800 (PST)
Received: from resqmta-po-09v.sys.comcast.net (resqmta-po-09v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:168]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 331F81294A6 for <dnsop@ietf.org>; Sun, 18 Dec 2016 14:42:46 -0800 (PST)
Received: from resomta-po-19v.sys.comcast.net ([96.114.154.243]) by resqmta-po-09v.sys.comcast.net with SMTP id Ik9ocSW145lLvIkAHcSsab; Sun, 18 Dec 2016 22:42:45 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20161114; t=1482100965; bh=ah8gqrVZfIntgn5CfNpMbUIIgt27pRJZpbmISNgndi4=; h=Received:Received:Received:Received:Date:From:To:Subject: Message-ID:MIME-Version:Content-Type; b=M+6yKRRfD/KsnbbNCdv3hVX3qVGkOKAhThX7/3+KNAS3uP2Bh5MtkI1rKNPJKb/ZC yluy5Yir3JZTW6KDpeThf+T4RZV84BrWJ+/aULMv4VBmuum547At4YsmR+YTbwodUi mfyG4qP4dsKfXF5x9bLWFXk6oNIvSiZAh5R5SxAd4F0Mzw9dRvTcK98xCh8VRKWhRn lnGXlO+C8BJMVf2PtIHaBzHM7t2lFxwrrYruIX/YRjudd/jPZII7TIOzX+wJnlY408 rJXF2jSiY0EIP1mog8fkzC+wvl3mH0G8lXyczMRzy+GvDbpJF4GyI9qG3JC3TX/0ye GCNNi0/pMucmQ==
Received: from odin.ULTHAR.us ([IPv6:2001:470:8c86:0:225:64ff:fe8b:c2f2]) by resomta-po-19v.sys.comcast.net with SMTP id IkA6cIUSJfVXsIkABcI0Wc; Sun, 18 Dec 2016 22:42:43 +0000
Received: from odin.ulthar.us (localhost [127.0.0.1]) by odin.ULTHAR.us (8.15.2/8.14.5) with ESMTP id uBIMgVqB018368 for <dnsop@ietf.org>; Sun, 18 Dec 2016 17:42:31 -0500
Received: (from draco@localhost) by odin.ulthar.us (8.15.2/8.15.2/Submit) id uBIMgVDZ018367 for dnsop@ietf.org; Sun, 18 Dec 2016 17:42:31 -0500
Date: Sun, 18 Dec 2016 17:42:31 -0500
From: Scott Schmit <i.grok@comcast.net>
To: dnsop@ietf.org
Message-ID: <20161218224231.GB16301@odin.ulthar.us>
References: <148192523291.14691.3300133966679345337.idtracker@ietfa.amsl.com> <20161217184006.GB4916@odin.ULTHAR.us> <1482091184.4026817.822869193.1FAC8153@webmail.messagingengine.com>
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="O5XBE6gyVG5Rl6Rj"
Content-Disposition: inline
In-Reply-To: <1482091184.4026817.822869193.1FAC8153@webmail.messagingengine.com>
User-Agent: Mutt/1.7.1 (2016-10-04)
X-CMAE-Envelope: MS4wfCkUQxMmQ8e1oNQouux9v4XNdDEurdIX/louIqnm//wyGLqPicokC1be1biIjmuYCd4FOQKxhqw42ZTgUVm0v40dCpXeS/4ol1L+MPhel5wuj4V7LDkK 7Q6F73X98LgzkwhJCPhqEK5ycS8ufxz0m7o=
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Bc-ccnYyl5LhTeW8x8GOW4IxG8k>
Subject: Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Dec 2016 22:42:47 -0000
On Sun, Dec 18, 2016 at 07:59:44PM +0000, Tony Finch wrote: > Scott Schmit wrote: > > This doesn't magically make it possible for this DNS firewall to forge > > DNSSEC-signed data, so if a validating end-system is going to have its > > behavior modified, it would need to opt in. > > That's not entirely true. An RPZ setup can lie regardless of whether a > client appears to be validating or not. If the admin's goal is to block > access to malicious sites, then a validating client will get a bogus > result or SERVFAIL, and the site will be blocked as intended. If the admin's goal is to block access to malicious sites, then they want to block the traffic, not falsify DNS. If the goal is to warn users away from bad places, they can publish the list as a filter for end-system firewalls. If the goal is to censor the Internet and keep the rebellion from successfully gathering and planning their actions against the Galactic Empire, then this scheme works perfectly because it works without requiring end systems to be involved. And it's much easier than manually maintaining lists. And cross-vendor, too, so it's easier to manage the rules across organizations, companies, even country-wide. With a redirect capability at that scale, a (mis)configuration could also make it very easy to send DDoS attacks at particular sites. > > But it looks like the contents of this zone are intended to be kept > > secret from end-users. > > That depends entirely on the zone maintainer's policy. The admin can > easily allow clients to query or transfer an RPZ, and/or provide out of > band information about the zone on its web site. If allowing the zone contents to be kept secret wasn't a goal of this design, then it wouldn't be mentioned in the security considerations twice. It also wouldn't be a SHOULD that the list be access-controlled. Sure, an admin isn't required to keep it secret, but it's absolutely built into the design. An out of band mechanism is no substitute, as it allows for summarization or lying by omission: "We are only blocking access to criminal sites. If you're having trouble, the problem must be you." Meanwhile the filter also blocks legal-but-"subversive" organizations. > > So this, if implemented, is ultimately a DNSSEC-killer. > > I don't think so. Even the draft admits in 12.2 that the "break-dnssec" configuration setting is "common". So let's admit that this draft considers DNSSEC an obstacle to be overcome and that doing so will be typical. > DNSSEC is not able to improve the availability of the DNS. The point of > DNSSEC is to ensure that if you get an answer, you can be sure it is > authentic. If your local network wants to prevent you from accessing a > malicious site, DNSSEC can't stop them. You make a good point. Sounds like there's no need for the IETF to publish this as an RFC, since admins can already do this via other means. What does this make easier that should be made easier? What are the negative effects of that we'd rather avoid? -- Scott Schmit
- [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt internet-drafts
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ted Lemon
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Vernon Schryver
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Scott Schmit
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Tony Finch
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Scott Schmit
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Adrien de Croy
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ralf Weber
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt sthaug
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Evan Hunt
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt bert hubert
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt bert hubert
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Jim Reid
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt bert hubert
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ralf Weber
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Tony Finch
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Tony Finch
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt sthaug
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Vernon Schryver
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Evan Hunt
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt william manning
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Evan Hunt
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Allan Liska
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Jim Reid
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ted Lemon
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt David Conrad
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt John Levine
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Olafur Gudmundsson
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt william manning
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ted Lemon
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ray Bellis
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ted Lemon
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt John Levine
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Paul Wouters
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Scott Morizot
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt John Levine
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Stephane Bortzmeyer
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Stephane Bortzmeyer
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Stephane Bortzmeyer
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt sthaug
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt John Levine
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Tony Finch
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Vernon Schryver
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Paul Wouters
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt John Levine
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Vernon Schryver
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Mukund Sivaraman
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Vernon Schryver
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Vernon Schryver
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Mukund Sivaraman
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Mukund Sivaraman
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt David Conrad