IETF Logo Mail Archive

[DNSOP] Client Validation - filtering validation?

Brian Dickson <brian.peter.dickson@gmail.com> Tue, 28 April 2020 02:35 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10F743A0CB9 for <dnsop@ietfa.amsl.com>; Mon, 27 Apr 2020 19:35:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O18L2WbRZ7_a for <dnsop@ietfa.amsl.com>; Mon, 27 Apr 2020 19:35:11 -0700 (PDT)
Received: from mail-ua1-x92f.google.com (mail-ua1-x92f.google.com [IPv6:2607:f8b0:4864:20::92f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B2973A0CB7 for <dnsop@ietf.org>; Mon, 27 Apr 2020 19:35:11 -0700 (PDT)
Received: by mail-ua1-x92f.google.com with SMTP id a7so11860772uak.2 for <dnsop@ietf.org>; Mon, 27 Apr 2020 19:35:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=chrgNAVpbzUeUk+ngsCul21G+Cp8s23p3aRvttOUxiI=; b=oHUtTqFwqDroUovYYjZkcqEnDJcXzkvUTikfFaN0dcz+xTSSY7+D7tvLXhoyjL7hUz W54htbefMQFQ7wRKbK9pAySMYrn5wHNsKEyK8SREp1hnwDHoAHJmm2iwXpJ3cSLiJO8g 0j5GHbbgsr7MmOK/kv1++6L1lQfYyInzm3kPLR37ySkqWISPpwKypTA1eSH9wnd4FJQo /yygy9b77EQO8MCcLDBZ9eeZRQc6yfGWaLh9i5bGtqPGVNBWDVSbUzc99tv3nrA1o4bO paw8mnWrkP2WRMtkRKRzJTZB6D5bUesMhAbJ/RnrE/7knRroA0ZHydKZGZl9fZ/HYTL+ f4WQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=chrgNAVpbzUeUk+ngsCul21G+Cp8s23p3aRvttOUxiI=; b=tkeeR+yTb2qk5Rod6JkM0uRWGIuqUnA5mzgCCzP/f6Uv4C0Sv4WQ3XOzGCr2jnX8vM wCnY2pRKOHQ8JM0FvkXNLktCbNueIJ48bvUB2pov/35xSDjz1qTUTIbz9DQYU5r0rBt5 4np1FMDjgLX8ry37auL3NNKb5ic2mg1mJO56EF2ov1Om1ontM3xZYEZhl87LOB8dcCd8 3QGb24HnAgOgnIqfJ1Dmpbs7XKMYIhT+5a8+HKbwfAG/f6YfNTGHfu/B4NuzUG19gOB/ 1f3DrURLxKMqECCAwdeHLZVQkpJlYrelIX4WbHN3zgM1Y4cZnZHq4DCLcSvens86HXl3 VdiQ==
X-Gm-Message-State: AGi0PuY6tkIKcudZJeNkeP9oTGKQJmzKId9QiuvfTwDofS3fKfy/L+hl vei9htdeXZXg6OXUtZpBto8P5U89ZwwS44EVrPY/bg==
X-Google-Smtp-Source: APiQypLl3vxV6TQ5RVdrNpLNKZYhjhlZw8X9+OPx0nwyfIvrlOY62NXUX/5v1mT2mS5tz3YeXTgY24EW6vg+FAICNwA=
X-Received: by 2002:ab0:700f:: with SMTP id k15mr19331682ual.75.1588041310193; Mon, 27 Apr 2020 19:35:10 -0700 (PDT)
MIME-Version: 1.0
References: <CAHPuVdV9eSCLQOqMF0cq8fHcuSZs7nCgjhHMfMoaV5H=ekbtSA@mail.gmail.com> <CAHPuVdUh4UTP5pH_X83pm8OvY7juEotSYT6FLbVyE4_S-ev9Bg@mail.gmail.com> <71d22908-b0a9-5f0c-585e-0d10aa3edc8a@nic.cz> <2119709.gsHikbp680@linux-9daj>
In-Reply-To: <2119709.gsHikbp680@linux-9daj>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Mon, 27 Apr 2020 19:34:59 -0700
Message-ID: <CAH1iCiprfBNuMPWeraogqE9vR-UesZ_BWEzzeXQQGM1AZxipFw@mail.gmail.com>
To: Paul Vixie <paul@redbarn.org>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002ecbe505a450aec8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Jp2JZX7es8HUxaVHODJKeAq_AfQ>
Subject: [DNSOP] Client Validation - filtering validation?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Apr 2020 02:35:13 -0000

On Fri, Apr 24, 2020 at 11:56 PM Paul Vixie <paul@redbarn.org> wrote:

> mind if i cut in?
>
> On Saturday, 25 April 2020 06:23:54 UTC Vladimír Čunát wrote:
> > Original subject: New draft on delegation revalidation
> >
> > On 4/24/20 4:49 PM, Shumon Huque wrote:
> > > ...
> >
> > ...
>
> (agreeableness.)
>
> > Some of them also want a variant of DNS filtering, which
> > still clashes with validation a bit (if done *after* filtering).
>
> it will be necessary for filtered results to be separately (hop by hop)
> signed
> using something like SIG(0) or TSIG. (stubs ought to choose who can
> filter.)
> but this isn't a substitute for stub validation (end to end). one ought
> not
> trust a coffee shop or even one's own ISP to make a trusted introduction
> to
> one's bank (more or less quoting dan kaminsky from back in 2008 or so.)
>


I've been thinking about whether/how a provider of filtering service
(directly or indirectly) could be explicitly trusted to provide filtered
"answers".

It might be necessary to restrict what kinds of answers could be provided
within that scheme, in order to prevent or limit the potential for abuse.

If the client had a validating forwarder, the following would at least in
theory be possible to do:

   - Download the appropriate additional trust anchor for the filtering
   service
   - Filtered responses would be signed with this trust anchor
   - The validating forwarder would validate those using the trust anchor

This supposes that authoritative answers are served by the resolver (and
thus it would not rely on other cached responses), and that those are
signed by the filtering service.

It might be necessary for the client machine to associate a particular set
of such trust anchors with the network environment (including things like
DHCP server, DNS resolver, etc.).

Having signed filtered responses (including NXDOMAIN and/or rewritten
answers) would allow the client to do DNSSEC validation.

I'm not sure how much incremental work is required to do this, beyond some
method of discovery of trust anchors.

I think there would need to be some limitations on rewritten answer, e.g.
ranges of IP for walled garden, or domain names, or even whether positive
or negative answers are allowed.
My intuition would be that the namespace should be subordinate to the name
of the domain serving the filtering service (rpz-service.example.com as an
example) and/or limited to internal IP addresses (RFC 1918 or similar, or
some similarly scoped IP range that can be identified as "local".)

Thoughts?

Does this make sense at all?

(I've been a big proponent of RPZ for a long time now, and am interested in
some solution to client DNSSEC validation that can interoperate with RPZ.)

Brian

v2.23.0 | Report a Bug | By Email