Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

Paul Wouters <paul@nohats.ca> Mon, 13 March 2017 11:11 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 361301294E1 for <dnsop@ietfa.amsl.com>; Mon, 13 Mar 2017 04:11:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HPxf_gXiMJAH for <dnsop@ietfa.amsl.com>; Mon, 13 Mar 2017 04:11:52 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 76ED212955C for <dnsop@ietf.org>; Mon, 13 Mar 2017 04:11:52 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3vhZv96Bhpz3MP; Mon, 13 Mar 2017 12:11:49 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1489403509; bh=3ouY556rPvP0uch6ayqVasEdu472rP+e+f7Mi45BsUQ=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=DwDRVbqsduGgXxmOiHdP1sTe6wj19pbRhNb0H9bs12uvzd9UfhVdPhKX99soYGQwy Sl+sxREg1nB7bDQggpyS9pgGLvBMDCMSWhL95MAuzFdlU4Gjd8GCZge8A+JULMG336 bGapZECTSqGDbkpbdGonZ9+8jj8f5hqpcfgKkNpE=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id WndbhvFDubFB; Mon, 13 Mar 2017 12:11:48 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Mon, 13 Mar 2017 12:11:47 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 889DA31C858; Mon, 13 Mar 2017 07:11:46 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 889DA31C858
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 70E234121537; Mon, 13 Mar 2017 07:11:46 -0400 (EDT)
Date: Mon, 13 Mar 2017 07:11:46 -0400
From: Paul Wouters <paul@nohats.ca>
To: Dave Crocker <dcrocker@bbiw.net>
In-Reply-To: <19668099-d361-5bd5-7efb-2aab92c190e6@bbiw.net>
Message-ID: <alpine.LRH.2.20.999.1703130533180.18195@bofh.nohats.ca>
References: <CADyWQ+ETSd199ok0fgh=PB=--hW7buPgSoCg22aK51Bk4xxBmw@mail.gmail.com> <CADyWQ+GUDg2iA+MQ9xjNLDVvRgnd9PD=pLBNNvp0xK3UZVSqTA@mail.gmail.com> <1AD82FB6-735A-4124-A0A3-2158EC567AD6@nohats.ca> <CAHw9_iK+SWiHZwGgHZRO2T1MLVQZS-2BaeZBzyUuZ0iWHX2ZjA@mail.gmail.com> <fa0b1bd1-f7b8-c3bc-58a3-397c1b118370@bogus.com> <alpine.LRH.2.20.999.1703121922250.11053@bofh.nohats.ca> <19668099-d361-5bd5-7efb-2aab92c190e6@bbiw.net>
User-Agent: Alpine 2.20.999 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/QL_4S6P5CkYMO4o-9Mid2Psc4d0>
Cc: joel jaeggli <joelja@bogus.com>, tjw ietf <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Mar 2017 11:11:54 -0000

On Sun, 12 Mar 2017, Dave Crocker wrote:

> On 3/12/2017 4:23 PM, Paul Wouters wrote:
>> I do not want to adopt it unmodified
>> as informational RFC for running existing code.
>
> You do not want the IETF to document existing practice?
>
> Really?

There is a fine line between "bringing existing things to IETF to
standardize" and "bringing existing things to IETF to document".

The draft breaks DNSSEC. In its current form it would not have moved
forward if this work had been done from the start at the IETF. We would
have asked the authors to come up with a modified solution that does
not break DNSSEC. So documenting it now after the fact as RFC basically
bypasses the IETF purposefully.

I have proposed a method that would not change the RPZ response for a
non-DNSSEC client, but would add data for DNSSEC capable clients to be
notified the DNSSEC data was modified (and possibly state why) giving
DNSSEC capable clients a method to act differently, knowing the data was
changed for a reason and is not simply a DNS spoofing attack. It can be
added without breaking existing deployments. If the authors aren't willing
to do this, why should IETF rubberstamp a DNS protocol that breaks DNSSEC?

Paul