Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt
william manning <chinese.apricot@gmail.com> Tue, 20 December 2016 04:58 UTC
Adding complexity in the middle of any system increases the size of an attack surface. True for SMTP, firewalls, and DNS. This draft formalizes adding massive complexity throughout the DNS without a clear or crisp way to debug and correct problems, particularly since resolution issues will emerge that are due to RPZ configurations multiple "hops" away from the initial resolver, and there is no business relationship in place that would facilitate correcting errors.

When it becomes easier to create and operate "walled gardens" and have such tools encouraged and sanctioned by the IETF and its architecture board than to work on a common, open Internet, I would suggest that ISOC review its support of an organization that is actively working on tools, protocols, and techniques to destroy the basic creed of an open Internet.

But hey, that's just my own opinion.

/Wm

https://www.linkedin.com/pulse/why-firewalls-do-work-open-expert?

On Mon, Dec 19, 2016 at 7:35 AM, Vernon Schryver <vjs@rhyolite.com> wrote:

> ] From: Scott Schmit <i.grok@comcast.net> wrote:
>
> ] But it looks like the contents of this zone are intended to be kept
> ] secret from end-users.
>
> Depending on one's view of end users, that notion conflicts with
> the final paragraph of section 6 on page 18:
>
> If a policy rule matches and results in a modified answer, then that
> modified answer will include in its additional section the SOA RR of
> the policy zone whose rule was used to generate the modified answer.
> This SOA RR includes the name of the DNS RPZ and the serial number of
> the policy data which was connected to the DNS control plane when the
> answer was modified.
>
> .............
>
> > From: Scott Schmit <i.grok@comcast.net>
>
> > If allowing the zone contents to be kept secret wasn't a goal of this
> > design, then it wouldn't be mentioned in the security considerations
> > twice.
>
> If that mistaken notion matters, please point out the words in
> https://tools.ietf.org/html/draft-vixie-dns-rpz-04 that support it.
> I think trying to keep policy zone contents secret would be foolish
> and hopeless, like trying to keep the contents of .com secret.
>
> Section 12.4 is intended to be about minimizing disclosure of whether
> RPZ is in use to the operators of authority servers of listed domains.
> Over the years, that goal has receded. RPZ subscribers tend to
> care less about whether bad guys could in theory notice that they're
> being blocked than about the costs of recursing to their often slow
> or even broken servers.
>
> > It also wouldn't be a SHOULD that the list be access-controlled.
>
> None of the SHOULDs in section 12 mention "access control." There is
> a SHOULD for TSIG for authentication and integrity, but access control
> is neither. One might use TSIG for policy zone access control and I
> think RPZ publishers should, but that is not the intent of section 12.3.
>
> A RPZ publisher's interest in limiting timely access to paying subscribers
> differs from keeping secrets. It's like paying for access to current .com
> changes versus .com secrecy. Common DNS access controls including
> "allow-transfer" and "allow-recursion" are also not about keeping secrets.
>
> > Sure, an admin isn't required to keep it secret, but it's absolutely
> > built into the design.
>
> If it matters, please point out the words in the draft that prompt
> that mistaken notion.
>
>
> Vernon Schryver vjs@rhyolite.com
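The section 6 text quoted above says a policy-modified answer carries the policy zone's SOA RR in its additional section, which is the one debugging hint the draft gives a downstream operator. As an added example (not code from the draft or from anyone in the thread), here is a stdlib-only Python check that pulls that hint out of a wire-format response; the messages, the policy zone name rpz.example.net and its serial are constructed for the example.

```python
import struct

def _name(s):  # encode a dotted name as DNS labels
    return b"".join(bytes([len(lab)]) + lab.encode("ascii")
                    for lab in s.rstrip(".").split(".")) + b"\x00"

def _read_name(msg, off):  # decode a name, following compression pointers
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: remember where we left off
            end = end if end is not None else off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)

def rpz_hint(msg):
    """Return (policy zone, serial) if the additional section carries an SOA, else None."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qd):  # skip questions: name + qtype + qclass
        off = _read_name(msg, off)[1] + 4
    for _ in range(an + ns):  # skip answer and authority RRs
        off = _read_name(msg, off)[1]
        off += 10 + struct.unpack_from("!H", msg, off + 8)[0]
    for _ in range(ar):
        owner, off = _read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 6:  # SOA rdata: MNAME, RNAME, SERIAL, ...
            p = _read_name(msg, _read_name(msg, off)[1])[1]
            return owner, struct.unpack_from("!I", msg, p)[0]
        off += rdlen
    return None

# Constructed sample: www.example.invalid answered with 192.0.2.1; the modified
# form adds the (assumed) policy zone rpz.example.net's SOA, serial 2016121901.
_HDR = lambda ar: struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, ar)
_ANSWER = (_name("www.example.invalid") + struct.pack("!HH", 1, 1) + b"\xc0\x0c"
           + struct.pack("!HHIH", 1, 1, 5, 4) + bytes([192, 0, 2, 1]))
_SOA = (_name("ns.rpz.example.net") + _name("hostmaster.rpz.example.net")
        + struct.pack("!IIIII", 2016121901, 3600, 600, 86400, 60))
MODIFIED = _HDR(1) + _ANSWER + _name("rpz.example.net") + struct.pack("!HHIH", 6, 1, 300, len(_SOA)) + _SOA
UNMODIFIED = _HDR(0) + _ANSWER
```

Logging the returned zone name and serial alongside each rewritten answer gives an operator the "which RPZ, which version" record needed to chase a policy hit back through intermediate resolvers.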