IETF Logo Mail Archive

Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

Lanlan Pan <abbypan@gmail.com> Tue, 15 August 2017 08:16 UTC

Return-Path: <abbypan@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACE321323F7 for <dnsop@ietfa.amsl.com>; Tue, 15 Aug 2017 01:16:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oCQBz7IkLH90 for <dnsop@ietfa.amsl.com>; Tue, 15 Aug 2017 01:16:44 -0700 (PDT)
Received: from mail-wm0-x236.google.com (mail-wm0-x236.google.com [IPv6:2a00:1450:400c:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F29FF1200B9 for <dnsop@ietf.org>; Tue, 15 Aug 2017 01:16:43 -0700 (PDT)
Received: by mail-wm0-x236.google.com with SMTP id i66so4541927wmg.0 for <dnsop@ietf.org>; Tue, 15 Aug 2017 01:16:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=AJUYqyvn18KuIDCzd6x2V6wf1BGdm0Ib2jLXXK/9I7E=; b=iSTZ9Wi3l6Ky5PLUrbpbTplAkMxV4npxXIYYs76CO20/Z7H2K1bhsWY2H3odixCJn7 wlMEIP0e+1pRiUUnS1tVl+n8Z3O9nCm7TZEm5a4/lnfFLha02RgGhaLUPysA/3csQCNG zjEIhN5gst02+HSarbXmNVzuCjFDLJdgq4bl02Iqpq+MD3IwVGbeGYrwKSGZZ+ICAzAm rR1t0a4Qu6C8cw+20p/w6q0NNVUw4hKJ5TI6I7yqTHAM4MreEVbbfSHCyg1tIBtZsU29 Gv22g47+oal6iUOkiEpP4B7wyk9u+uHngir8pvT6ou0ghar4Dw4V3e70ScGW8TYZs1fb 8mng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=AJUYqyvn18KuIDCzd6x2V6wf1BGdm0Ib2jLXXK/9I7E=; b=rHKJGXOqTVltp0Y9rL6/oBdzDqVgF+lApVgdO+BFRG2raZT/wnlB7zcomZ2E8WSDuc 1ZslN1wP1gphFnAguN0zDK6U04qkh+q8UA7VJPSue3yZA5tbhneDBVJsjWr9E4aRcMmG NuJ3FEnBAPrI1BYOtXl1C08v+ZBm7K8MIGzJ26hiIdrzn6S2ju8RlXVOwMqc8ct9PyqS teGh+zcNZiJeZDrS359DiCGuYmmSergnazhr2kqfdXjN1ElBHbQM4J2UJEiXFMwX+Y4/ 9ruI9KLE3l5ilIbRvU6rYHBkASf17b+a5CoPXf00GlKXrHIQgF4KYfTYqHTuCZdgZj2w Nkxw==
X-Gm-Message-State: AHYfb5gHksz1q+0EX6HLjEpKC0iGtRNK4pyxaUXU1FeDftVeISsNQy4K 6CVG9E6hHdk1eMe1UZxgvi/Dt1m7bQ==
X-Received: by 10.80.138.6 with SMTP id i6mr26540414edi.247.1502785002473; Tue, 15 Aug 2017 01:16:42 -0700 (PDT)
MIME-Version: 1.0
References: <CANLjSvWyO0nbiSJGSqhRH33evbCUFLNzCjceAHJ-L89FA+En8g@mail.gmail.com> <201708150651.v7F6ptN7005525@calcite.rhyolite.com>
In-Reply-To: <201708150651.v7F6ptN7005525@calcite.rhyolite.com>
From: Lanlan Pan <abbypan@gmail.com>
Date: Tue, 15 Aug 2017 08:16:31 +0000
Message-ID: <CANLjSvWFh0ER47=SFJB-3rkTJKT_OxcjKwcD9-DUkDDxJTo=+g@mail.gmail.com>
To: Vernon Schryver <vjs@rhyolite.com>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c1957843f0e510556c6665c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/PaPcvCL1qbR0Vib1mDzzj-vxDbA>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Aug 2017 08:16:46 -0000

Hi Vernon,

Thanks for your advice, :-)

Vernon Schryver <vjs@rhyolite.com>于2017年8月15日周二 下午2:52写道:

> > From: Lanlan Pan <abbypan@gmail.com>
>
> > Don't judy other's motivation with meaningless skeptics. The endless
> > skeptics can also push on your RPZ to DNSSEC.
>
> A significant difference between RPZ and the SWILD is that RPZ does
> not depend on non-participants doing anything.  For example, RPZ works
> fine on a single, isolated resolver.
> (Of course, the owners of the IETF printing presses would have to
> agree to publish anything, but publishing a description is neither
> implementing nor deploying.)
>
> The history of RPZ might suggest a temporary solution.  Why not implement
> SWILD using a private rtype or perhaps even TXT?  An implementation
> and a few 1000 installations might convince some skeptics and render
> many objections moot.
>

Yeah,  TXT is my history plan: Recursive Resolvers that support wildcard
detect method with TXT record
<https://github.com/abbypan/dns_wildcard_on_intermediate_nameservers/blob/a4188548c87b6a10af45aa23575b86d9f33f39ec/draft.txt>

>
>
> > DNSSEC deployment will sharply rise if global nameservers desire *dns
> > security*, but almost impossible because of an addtional wildcards
> feature.
>
> I don't understand that.  My zones have plenty of wildcards, but as
> far as I can tell, no new wildcard features will break my DNSSEC
> signatures.
>
> I don't understand "global nameservers [desiring] dns security".
> Are "global nameservers" resolvers or authorities?

If they are resolvers, then there is absolutely no immediate prospect
> of many (any?) resolvers that might be called "global" dropping
> unsigned DNS data.
>

Both recursives and authoritatives.
I mean more and more recursives and authoritatives enable DNSSEC for dns
query by default configuration, sorry for my poor English.

If they are authorities, then I thought that the reasons why almost
> all com zones are unsigned are well understood, recently listed here,
> and have nothing to do with wildcards.  What am I missing?
> http://scoreboard.verisignlabs.com/
> http://scoreboard.verisignlabs.com/percent-trace.png


The deployment problem is on the Authoritative Nameservers of billions of
second level domains,  not on TLD.
And Recursive must enable DNSSEC validation for dns query by default
configuration.


>
>    .......................
>
> ] From: Mark Andrews <marka@isc.org>
>
> ] I can't see how you can say push your RPZ to DNSSEC as RPZ breaks
> ] DNSSEC.
>
> I describe the same facts as the opposite, as "either DNSSEC breaks RPZ
> or DNSSEC and RPZ work together perfectly well"  (in either case,
> assuming a trusted path such as (trusted) localhost name or 127.0.0.1
> address to a trusted resolver, where "trusted resolver" includes
> "trusted to rewrite."  Of course, without a trusted path to a trusted
> resolver or a verifying stub, DNSSEC doesn't mean much.)
>
> As Mark Andrews understands but many people don't, the common RPZ
> implementation parameter "BREAK-DNSSEC yes" does NOT mean "RPZ breaks
> DNSSEC", but "RPZ should ignore DNSSEC request bits despite the fast
> that RPZ invalidates and removes signatures and so verifying stubbs
> and verifying downstream resolvers will not accept rewritten answers."
>
> Also, in the two RPZ implementations I've written, the default
> BREAK-DNSSEC value is "no" so that requesting DNSSEC turns off RPZ.
>
>
> Vernon Schryver    vjs@rhyolite.com
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
-- 
致礼  Best Regards

潘蓝兰  Pan Lanlan

v2.23.0 | Report a Bug | By Email