IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

william manning <chinese.apricot@gmail.com> Wed, 21 December 2016 14:27 UTC

Return-Path: <chinese.apricot@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0444112955A for <dnsop@ietfa.amsl.com>; Wed, 21 Dec 2016 06:27:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V3mr0pJUsVwO for <dnsop@ietfa.amsl.com>; Wed, 21 Dec 2016 06:27:12 -0800 (PST)
Received: from mail-it0-x236.google.com (mail-it0-x236.google.com [IPv6:2607:f8b0:4001:c0b::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1BCA12951E for <dnsop@ietf.org>; Wed, 21 Dec 2016 06:27:12 -0800 (PST)
Received: by mail-it0-x236.google.com with SMTP id c20so32091801itb.0 for <dnsop@ietf.org>; Wed, 21 Dec 2016 06:27:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=VRY5yEFLAIPHJ4tL7HryWwsUi70fF6u52qlSaDtMsQc=; b=iLVYdjACwI9k0moGCsosMDnROQcNCOdjoaumupYD9I7xUV2YtqcrAJBd7ZcmxDkySF PRgvO+hlzhLBFn8+mMijYHrYaEIL4+ME8/Fnjur6KlacAGuRwRFEaGHe7c8u5oRu1GXC nXbBJcJWPXpagZxlGCatRVBQMS8ytXCgHL6lPdJcRE9cdMlN0D6S5ZaVg0pzqHmlOz3b tsl0uimTII/T3sSX1B+tE9dWrHw68FqLGjdTXuKLu61vJF1ofIIpkh/NRemsyKcdeXMD 1QsDBhe4q0oQrcbrFhiBICvB6HVmHGCwVT2BGVyRMOKpJQLyHW9QqxsDXQCEb8oezfC1 SM5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=VRY5yEFLAIPHJ4tL7HryWwsUi70fF6u52qlSaDtMsQc=; b=sbQBXnIywREwP4fmmXEzmkNWK/NtPhAXFZCyBonIOokPR21Fd5ZW8Yoy9eQLf8vCZH OjZPHCvkMIlemRTB79GXr+EuJbnWXgQeatUnpOUcGmsADPIAL3On8ZHGJC93y8JbA7fi 7MXra7lQLixYjG9mt48VoGyYRE+Hy83StDiKZmuvIgzCaSxbticnwaYFUphdi1AO1SAB ybO6hZXOrOZQ06QnwVsliRV8EkRTedw865/UYDiqUvlc/gx3PzclTBpYHLLzJz28FNaG fj/azLmbnKPdXklc/ktSStyhRWHVHnvwc1ftXUcZkdVt7a1c8J9YUfTDVY//0VaC9rtC r1hQ==
X-Gm-Message-State: AIkVDXKLt5dquze6FMJ3EygtCMlMOcSxXKOom/0rHbpHwMkxMvyDYRfvfOxGcqsW7+0ROH+8lIUkaulU2aaV/w==
X-Received: by 10.36.117.137 with SMTP id y131mr754107itc.59.1482330431830; Wed, 21 Dec 2016 06:27:11 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.159.137 with HTTP; Wed, 21 Dec 2016 06:27:11 -0800 (PST)
In-Reply-To: <CACfw2hhFLdFgspse7-L8UxCLCCu_g=GYEybOWVZ5xPkMu0YduQ@mail.gmail.com>
References: <20161218224231.GB16301@odin.ulthar.us> <201612191535.uBJFZh7w091898@calcite.rhyolite.com> <CACfw2hhFLdFgspse7-L8UxCLCCu_g=GYEybOWVZ5xPkMu0YduQ@mail.gmail.com>
From: william manning <chinese.apricot@gmail.com>
Date: Wed, 21 Dec 2016 06:27:11 -0800
Message-ID: <CACfw2hg_8nT_b6Syc1-wk_O92mzW0Zo0wX5xgMp5uhhu0Vom9A@mail.gmail.com>
To: Vernon Schryver <vjs@rhyolite.com>
Content-Type: multipart/alternative; boundary="001a114abca0d4407805442bf264"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/P7DmQIvhfRcrSppmyEjlYVzpLhY>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Dec 2016 14:27:15 -0000

Vernon won't see this, since he has blocked my email, but here goes.

I think it is a huge mistake to adopt this work within the IETF.  Although
the IEtF has, in the past, documented worst common practice, i suspect that
this case is one where the WG chairs should tell the authors to take the
work to an industry forum, like DNS-OARC.   The authors (and others)
suggest that RPZ is needed in todays hostile Internet, if only to protect
oneself from abuse.    This work does NOT decrease the hostility of the
Internet, it raises the bar.   Indeed, nearly every case of the [+1] for
adoption comes with a caveat of "this is the worst thing ever."

While documenting common practice, this is clearly not "BEST COMMON
PRACTICE", (or is it? :)

It clearly is antithetical to ISOC's mission, "By connecting the world,
working with others, and advocating for equal access to the Internet, the
Internet Society strives to make the world a better place."   ...  No equal
access here, not connecting the world, not making the DNS a better place.
RPZ destroys trust in the DNS, which is DNSOPS "*Cutting off* the *nose to
spite* the *face*". For those who have not heard this before, it is an
expression used to describe a needlessly self-destructive over-reaction to
a problem.

So +1 if you feel you must.  RPZ does not make for a robust, resilient,
trustworthy Internet.  It actively works to undermine and and fragment the
Internet into insular walled gardens.

I'd be happier if there was an exit strategy for RPZ, so we would know when
to turn it off.

/Wm

On Mon, Dec 19, 2016 at 8:58 PM, william manning <chinese.apricot@gmail.com>
wrote:

> adding complexity in the middle of any system increases the size of an
> attack surface.  true for SMTP, Firewalls, and DNS.   This draft formalizes
> adding massive complexity throughout the DNS without a clear or crisp way
> to debug and correct problems, particularly since resolution issues will
> emerge that have are due to RPZ configurations multiple "hops" away from
> the initial resolver and there is no business relationship in place that
> would facilitate correcting errors.  When it becomes easier to create and
> operate "walled gardens" and have such tools encouraged and sanctioned by
> the IETF and its architecture board than to work on a common, open
> Internet, I would suggest that ISOC review its support of an organization
> that is actively working on tools, protocols, and techniques to destroy the
> basic creed of an open Internet.  But hey, thats just my own opinion.
>
> /Wm
>
> https://www.linkedin.com/pulse/why-firewalls-do-work-open-expert?
>
> On Mon, Dec 19, 2016 at 7:35 AM, Vernon Schryver <vjs@rhyolite.com> wrote:
>
>> ] From: Scott Schmit <i.grok@comcast.net> wrote:
>>
>> ] But it looks like the contents of this zone are intended to be kept
>> ] secret from end-users.
>>
>> Depending on one's view of end users, that notion conflicts with
>> the final paragraph of section 6 on page 18:
>>
>>   If a policy rule matches and results in a modified answer, then that
>>   modified answer will include in its additional section the SOA RR of
>>   the policy zone whose rule was used to generate the modified answer.
>>   This SOA RR includes the name of the DNS RPZ and the serial number of
>>   the policy data which was connected to the DNS control plane when the
>>   answer was modified.
>>
>>  .............
>>
>> > From: Scott Schmit <i.grok@comcast.net>
>>
>> > If allowing the zone contents to be kept secret wasn't a goal of this
>> > design, then it wouldn't be mentioned in the security considerations
>> > twice.
>>
>> If that mistaken notion is matters, please point out the words in
>> https://tools.ietf.org/html/draft-vixie-dns-rpz-04 that support it.
>> I think trying to keep policy zone contents secret would be foolish
>> and hopeless like trying to keep the contents of .com secret.
>>
>> Section 12.4 is intended to be about minimizing disclosure of whether
>> RPZ is in use to the operators of authority servers of listed domains.
>> Over the years, that goal has receded.  RPZ subscribers tend to to
>> care less about whether bad guys could in theory notice that they're
>> being blocked than about the costs of recursing to their often slow
>> or even broken servers.
>>
>>
>> >         It also wouldn't be a SHOULD that the list be access-controlled.
>>
>> None of the SHOULDs in section 12 mention "access control."  There is
>> a SHOULD for TSIG for authentication and integrity, but access control
>> is neither.  One might use TSIG for policy zone access control and I
>> think RPZ publishers should, but that is not the intent of section 12.3.
>>
>> A RPZ publisher's interest in limiting timely access to paying subscribers
>> differs from keeping secrets.  It's like paying for access to current .com
>> changes versus .com secrecy.  Common DNS access controls including
>> "allow-transfer" and "allow-recursion" are also not about keeping secrets.
>>
>> > Sure, an admin isn't required to keep it secret, but it's absolutely
>> > built into the design.
>>
>> If it matters, please point out the words in the draft that prompt
>> that mistaken notion.
>>
>>
>> Vernon Schryver    vjs@rhyolite.com
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>>
>
>

v2.23.0 | Report a Bug | By Email