IETF Logo Mail Archive

Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

Vernon Schryver <vjs@rhyolite.com> Tue, 15 August 2017 06:52 UTC

Return-Path: <vjs@rhyolite.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D6B0124234 for <dnsop@ietfa.amsl.com>; Mon, 14 Aug 2017 23:52:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2rSWfmevIu9k for <dnsop@ietfa.amsl.com>; Mon, 14 Aug 2017 23:52:16 -0700 (PDT)
Received: from calcite.rhyolite.com (calcite-v6.rhyolite.com [IPv6:2001:470:4b:581::3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C56AB1323C4 for <dnsop@ietf.org>; Mon, 14 Aug 2017 23:52:15 -0700 (PDT)
Received: from calcite.rhyolite.com (localhost [127.0.0.1]) by calcite.rhyolite.com (8.15.2/8.15.2) with ESMTPS id v7F6ptZK005526 (CN=www.rhyolite.com version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <dnsop@ietf.org> env-from <vjs@rhyolite.com>; Tue, 15 Aug 2017 06:51:56 GMT
Received: (from vjs@localhost) by calcite.rhyolite.com (8.15.2/8.15.2/Submit) id v7F6ptN7005525 for dnsop@ietf.org; Tue, 15 Aug 2017 06:51:55 GMT
Date: Tue, 15 Aug 2017 06:51:55 +0000
From: Vernon Schryver <vjs@rhyolite.com>
Message-Id: <201708150651.v7F6ptN7005525@calcite.rhyolite.com>
To: dnsop@ietf.org
In-Reply-To: <CANLjSvWyO0nbiSJGSqhRH33evbCUFLNzCjceAHJ-L89FA+En8g@mail.gmail.com>
X-DCC-Rhyolite-Metrics: calcite.rhyolite.com; whitelist
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/PppY8PKgDVQnhJ3BLDFigqM60FE>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Aug 2017 06:52:18 -0000

> From: Lanlan Pan <abbypan@gmail.com>

> Don't judy other's motivation with meaningless skeptics. The endless
> skeptics can also push on your RPZ to DNSSEC.

A significant difference between RPZ and the SWILD is that RPZ does
not depend on non-participants doing anything.  For example, RPZ works
fine on a single, isolated resolver.
(Of course, the owners of the IETF printing presses would have to
agree to publish anything, but publishing a description is neither
implementing nor deploying.)

The history of RPZ might suggest a temporary solution.  Why not implement
SWILD using a private rtype or perhaps even TXT?  An implementation
and a few 1000 installations might convince some skeptics and render
many objections moot.


> DNSSEC deployment will sharply rise if global nameservers desire *dns
> security*, but almost impossible because of an addtional wildcards feature.

I don't understand that.  My zones have plenty of wildcards, but as
far as I can tell, no new wildcard features will break my DNSSEC
signatures.

I don't understand "global nameservers [desiring] dns security".
Are "global nameservers" resolvers or authorities?
If they are resolvers, then there is absolutely no immediate prospect
of many (any?) resolvers that might be called "global" dropping
unsigned DNS data.
If they are authorities, then I thought that the reasons why almost
all com zones are unsigned are well understood, recently listed here,
and have nothing to do with wildcards.  What am I missing?
http://scoreboard.verisignlabs.com/
http://scoreboard.verisignlabs.com/percent-trace.png

   .......................

] From: Mark Andrews <marka@isc.org>

] I can't see how you can say push your RPZ to DNSSEC as RPZ breaks
] DNSSEC.

I describe the same facts as the opposite, as "either DNSSEC breaks RPZ
or DNSSEC and RPZ work together perfectly well"  (in either case,
assuming a trusted path such as (trusted) localhost name or 127.0.0.1
address to a trusted resolver, where "trusted resolver" includes
"trusted to rewrite."  Of course, without a trusted path to a trusted
resolver or a verifying stub, DNSSEC doesn't mean much.)

As Mark Andrews understands but many people don't, the common RPZ
implementation parameter "BREAK-DNSSEC yes" does NOT mean "RPZ breaks
DNSSEC", but "RPZ should ignore DNSSEC request bits despite the fast
that RPZ invalidates and removes signatures and so verifying stubbs
and verifying downstream resolvers will not accept rewritten answers."

Also, in the two RPZ implementations I've written, the default
BREAK-DNSSEC value is "no" so that requesting DNSSEC turns off RPZ.


Vernon Schryver    vjs@rhyolite.com

v2.23.0 | Report a Bug | By Email