[DNSOP] Client Validation - filtering validation?
Brian Dickson <brian.peter.dickson@gmail.com> Tue, 28 April 2020 02:35 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10F743A0CB9 for <dnsop@ietfa.amsl.com>; Mon, 27 Apr 2020 19:35:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O18L2WbRZ7_a for <dnsop@ietfa.amsl.com>; Mon, 27 Apr 2020 19:35:11 -0700 (PDT)
Received: from mail-ua1-x92f.google.com (mail-ua1-x92f.google.com [IPv6:2607:f8b0:4864:20::92f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B2973A0CB7 for <dnsop@ietf.org>; Mon, 27 Apr 2020 19:35:11 -0700 (PDT)
Received: by mail-ua1-x92f.google.com with SMTP id a7so11860772uak.2 for <dnsop@ietf.org>; Mon, 27 Apr 2020 19:35:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=chrgNAVpbzUeUk+ngsCul21G+Cp8s23p3aRvttOUxiI=; b=oHUtTqFwqDroUovYYjZkcqEnDJcXzkvUTikfFaN0dcz+xTSSY7+D7tvLXhoyjL7hUz W54htbefMQFQ7wRKbK9pAySMYrn5wHNsKEyK8SREp1hnwDHoAHJmm2iwXpJ3cSLiJO8g 0j5GHbbgsr7MmOK/kv1++6L1lQfYyInzm3kPLR37ySkqWISPpwKypTA1eSH9wnd4FJQo /yygy9b77EQO8MCcLDBZ9eeZRQc6yfGWaLh9i5bGtqPGVNBWDVSbUzc99tv3nrA1o4bO paw8mnWrkP2WRMtkRKRzJTZB6D5bUesMhAbJ/RnrE/7knRroA0ZHydKZGZl9fZ/HYTL+ f4WQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=chrgNAVpbzUeUk+ngsCul21G+Cp8s23p3aRvttOUxiI=; b=tkeeR+yTb2qk5Rod6JkM0uRWGIuqUnA5mzgCCzP/f6Uv4C0Sv4WQ3XOzGCr2jnX8vM wCnY2pRKOHQ8JM0FvkXNLktCbNueIJ48bvUB2pov/35xSDjz1qTUTIbz9DQYU5r0rBt5 4np1FMDjgLX8ry37auL3NNKb5ic2mg1mJO56EF2ov1Om1ontM3xZYEZhl87LOB8dcCd8 3QGb24HnAgOgnIqfJ1Dmpbs7XKMYIhT+5a8+HKbwfAG/f6YfNTGHfu/B4NuzUG19gOB/ 1f3DrURLxKMqECCAwdeHLZVQkpJlYrelIX4WbHN3zgM1Y4cZnZHq4DCLcSvens86HXl3 VdiQ==
X-Gm-Message-State: AGi0PuY6tkIKcudZJeNkeP9oTGKQJmzKId9QiuvfTwDofS3fKfy/L+hl vei9htdeXZXg6OXUtZpBto8P5U89ZwwS44EVrPY/bg==
X-Google-Smtp-Source: APiQypLl3vxV6TQ5RVdrNpLNKZYhjhlZw8X9+OPx0nwyfIvrlOY62NXUX/5v1mT2mS5tz3YeXTgY24EW6vg+FAICNwA=
X-Received: by 2002:ab0:700f:: with SMTP id k15mr19331682ual.75.1588041310193; Mon, 27 Apr 2020 19:35:10 -0700 (PDT)
MIME-Version: 1.0
References: <CAHPuVdV9eSCLQOqMF0cq8fHcuSZs7nCgjhHMfMoaV5H=ekbtSA@mail.gmail.com> <CAHPuVdUh4UTP5pH_X83pm8OvY7juEotSYT6FLbVyE4_S-ev9Bg@mail.gmail.com> <71d22908-b0a9-5f0c-585e-0d10aa3edc8a@nic.cz> <2119709.gsHikbp680@linux-9daj>
In-Reply-To: <2119709.gsHikbp680@linux-9daj>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Mon, 27 Apr 2020 19:34:59 -0700
Message-ID: <CAH1iCiprfBNuMPWeraogqE9vR-UesZ_BWEzzeXQQGM1AZxipFw@mail.gmail.com>
To: Paul Vixie <paul@redbarn.org>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002ecbe505a450aec8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Jp2JZX7es8HUxaVHODJKeAq_AfQ>
Subject: [DNSOP] Client Validation - filtering validation?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Apr 2020 02:35:13 -0000
On Fri, Apr 24, 2020 at 11:56 PM Paul Vixie <paul@redbarn.org> wrote: > mind if i cut in? > > On Saturday, 25 April 2020 06:23:54 UTC Vladimír Čunát wrote: > > Original subject: New draft on delegation revalidation > > > > On 4/24/20 4:49 PM, Shumon Huque wrote: > > > ... > > > > ... > > (agreeableness.) > > > Some of them also want a variant of DNS filtering, which > > still clashes with validation a bit (if done *after* filtering). > > it will be necessary for filtered results to be separately (hop by hop) > signed > using something like SIG(0) or TSIG. (stubs ought to choose who can > filter.) > but this isn't a substitute for stub validation (end to end). one ought > not > trust a coffee shop or even one's own ISP to make a trusted introduction > to > one's bank (more or less quoting dan kaminsky from back in 2008 or so.) > I've been thinking about whether/how a provider of filtering service (directly or indirectly) could be explicitly trusted to provide filtered "answers". It might be necessary to restrict what kinds of answers could be provided within that scheme, in order to prevent or limit the potential for abuse. If the client had a validating forwarder, the following would at least in theory be possible to do: - Download the appropriate additional trust anchor for the filtering service - Filtered responses would be signed with this trust anchor - The validating forwarder would validate those using the trust anchor This supposes that authoritative answers are served by the resolver (and thus it would not rely on other cached responses), and that those are signed by the filtering service. It might be necessary for the client machine to associate a particular set of such trust anchors with the network environment (including things like DHCP server, DNS resolver, etc.). Having signed filtered responses (including NXDOMAIN and/or rewritten answers) would allow the client to do DNSSEC validation. I'm not sure how much incremental work is required to do this, beyond some method of discovery of trust anchors. I think there would need to be some limitations on rewritten answer, e.g. ranges of IP for walled garden, or domain names, or even whether positive or negative answers are allowed. My intuition would be that the namespace should be subordinate to the name of the domain serving the filtering service (rpz-service.example.com as an example) and/or limited to internal IP addresses (RFC 1918 or similar, or some similarly scoped IP range that can be identified as "local".) Thoughts? Does this make sense at all? (I've been a big proponent of RPZ for a long time now, and am interested in some solution to client DNSSEC validation that can interoperate with RPZ.) Brian
- Re: [DNSOP] New draft on delegation revalidation Mark Andrews
- [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Bob Harold
- Re: [DNSOP] New draft on delegation revalidation Tim Wicinski
- Re: [DNSOP] New draft on delegation revalidation Brian Dickson
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Stephane Bortzmeyer
- Re: [DNSOP] New draft on delegation revalidation Stephane Bortzmeyer
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation John Levine
- Re: [DNSOP] New draft on delegation revalidation Paul Vixie
- Re: [DNSOP] New draft on delegation revalidation Paul Vixie
- Re: [DNSOP] New draft on delegation revalidation Puneet Sood
- Re: [DNSOP] New draft on delegation revalidation Ólafur Guðmundsson
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation John R Levine
- Re: [DNSOP] New draft on delegation revalidation Bob Harold
- Re: [DNSOP] New draft on delegation revalidation Gavin McCullagh
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Patrick Mevzek
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Patrick Mevzek
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Joe Abley
- Re: [DNSOP] New draft on delegation revalidation Vladimír Čunát
- Re: [DNSOP] New draft on delegation revalidation Giovane C. M. Moura
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Gavin McCullagh
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] Privacy and DNSSEC Vladimír Čunát
- Re: [DNSOP] Privacy and DNSSEC Paul Vixie
- Re: [DNSOP] Privacy and DNSSEC Masataka Ohta
- Re: [DNSOP] Privacy and DNSSEC Vittorio Bertola
- Re: [DNSOP] New draft on delegation revalidation Joe Abley
- Re: [DNSOP] New draft on delegation revalidation Paul Vixie
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] Privacy and DNSSEC Shumon Huque
- [DNSOP] Client Validation - filtering validation? Brian Dickson
- Re: [DNSOP] Privacy and DNSSEC Paul Vixie
- Re: [DNSOP] Privacy and DNSSEC Mark Andrews
- Re: [DNSOP] New draft on delegation revalidation Giovane C. M. Moura
- Re: [DNSOP] Client Validation - filtering validat… Vittorio Bertola
- Re: [DNSOP] Client Validation - filtering validat… Paul Wouters
- Re: [DNSOP] Client Validation - filtering validat… S Moonesamy
- Re: [DNSOP] Client Validation - filtering validat… John Levine
- Re: [DNSOP] Client Validation - filtering validat… Paul Vixie
- Re: [DNSOP] Privacy and DNSSEC Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] Privacy and DNSSEC Paul Vixie
- Re: [DNSOP] Privacy and DNSSEC Shumon Huque
- Re: [DNSOP] Privacy and DNSSEC Paul Wouters
- Re: [DNSOP] Privacy and DNSSEC Shumon Huque
- Re: [DNSOP] Privacy and DNSSEC Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Daniel Migault
- Re: [DNSOP] Privacy and DNSSEC Paul Vixie
- Re: [DNSOP] Privacy and DNSSEC Paul Vixie
- Re: [DNSOP] New draft on delegation revalidation Giovane C. M. Moura
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Daniel Migault
- Re: [DNSOP] New draft on delegation revalidation Giovane C. M. Moura
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Petr Špaček
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Giovane C. M. Moura
- Re: [DNSOP] New draft on delegation revalidation Petr Špaček
- Re: [DNSOP] New draft on delegation revalidation Paul Vixie
- Re: [DNSOP] New draft on delegation revalidation Gavin McCullagh
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Paul Vixie