Re: [DNSOP] proposal: Covert in-band zone data
Bob Harold <rharolde@umich.edu> Tue, 30 July 2019 20:24 UTC
Return-Path: <rharolde@umich.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07555120024 for <dnsop@ietfa.amsl.com>; Tue, 30 Jul 2019 13:24:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JSnaMX18uxdd for <dnsop@ietfa.amsl.com>; Tue, 30 Jul 2019 13:24:18 -0700 (PDT)
Received: from mail-lj1-x22f.google.com (mail-lj1-x22f.google.com [IPv6:2a00:1450:4864:20::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2AF6612001A for <dnsop@ietf.org>; Tue, 30 Jul 2019 13:24:17 -0700 (PDT)
Received: by mail-lj1-x22f.google.com with SMTP id r9so63342940ljg.5 for <dnsop@ietf.org>; Tue, 30 Jul 2019 13:24:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Ro6IUciWdix/wEjSbq5Paj9dPtr8taM96X4+Y6CICLw=; b=pSfY9hx8okPSjXGOlcPMKLuSc4gPw2Bjps869U5Ki+/hGFug8byrBPm3g3ItuBnTdF JYhE3J2WyYcbU2ckEQYOjIINQfhm2QXOS5YEZprUAkieZul9sVto3CiegzIFdhfSbhid UCKzRXi2Vxc5MNy72fi0gp2+EKZMQrVih2CHxMBeRxRu0+rYTCybhvZxMk4AfoNPkovt U/QT6mreNESjEa4MqeLzBBAH3zgj6ehibzNp16J2dI+hUb+jwj37EP4Xr63fIlU0M699 7LHSLKvRdzK4gw6HGDpPYhFrJh7B3Hf54NoBW6SaAukIuaCgwZrPLHZfUr29dveZq+jo 8XGA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Ro6IUciWdix/wEjSbq5Paj9dPtr8taM96X4+Y6CICLw=; b=GWbCj44Eud7lMyVk1lbcIcaVGN8AJjf3rwuQo+wqLjOBn7RH+gFR5fAVZOHe5bcvwh 7vjFu6HBOLJI2+IwGAUnSbp/sU4i9yO6EFJdTU72iaAZMRgRNxvcnLDOAKOdKxYyvd2f Y8vkp4wVNrPIRgfWBmNqPk9J9C1vvJP09cbAli6YJG33IS91GZw+pdjmz1I6YW3ku0F+ CShGHw8ffzNzCKsijNEgewAPDPR/y2cir6Us1KnjdvVipXcAQvEgYIJ7jMEBe6RGQFvl 5oL7GmJFLS4fwCQEIybJK80HKynXxEN/6FZrAoScG9WITXL/e2pU4xjdckVR9wWDRVWx OTKA==
X-Gm-Message-State: APjAAAXjkXko3abSBFe1a+hdgFsdhlmrHUPqXJaAQ2FMbgRMpiN9pGMN /+otKPcM5e/Ui/S1rceduDihhSXPFsGoGJVpnUlysg==
X-Google-Smtp-Source: APXvYqyGRtUkZejf9exe8fIHbSQX97yAM1WhnesiMcTn/bXmx6Ukcia/ja94BB5OnuS/DbRlcU7HA3hFmXHNDI1HSdU=
X-Received: by 2002:a2e:635d:: with SMTP id x90mr62591074ljb.140.1564518256199; Tue, 30 Jul 2019 13:24:16 -0700 (PDT)
MIME-Version: 1.0
References: <20190706213024.GA56650@isc.org> <alpine.BSF.2.21.9999.1907221704030.7062@bikeshed.isc.org> <CAN6NTqymm6+OMet0sMZC0Ms5E_5mj_nwONk3fR19HwgWXYNB4Q@mail.gmail.com> <alpine.LRH.2.21.1907251332070.10708@bofh.nohats.ca> <20190725183051.33DA315BFD9D@fafnir.remote.dragon.net> <alpine.BSF.2.21.9999.1907301916050.7062@bikeshed.isc.org> <20190730200859.A424215E6AD4@fafnir.remote.dragon.net> <alpine.BSF.2.21.9999.1907302009500.7062@bikeshed.isc.org> <20190730201628.1496015E6BFA@fafnir.remote.dragon.net>
In-Reply-To: <20190730201628.1496015E6BFA@fafnir.remote.dragon.net>
From: Bob Harold <rharolde@umich.edu>
Date: Tue, 30 Jul 2019 16:24:04 -0400
Message-ID: <CA+nkc8DaTVxcm_7tR1EELPkP=4XKZGGa4uoSFqUcY8xKRe9iSg@mail.gmail.com>
To: Paul Ebersman <list-dnsop@dragon.net>
Cc: Dan Mahoney <dmahoney@isc.org>, IETF DNSOP WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e7dc12058eebca9d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Rv-bjySuTjD21x0lMu9dPl610MU>
Subject: Re: [DNSOP] proposal: Covert in-band zone data
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jul 2019 20:24:21 -0000
On Tue, Jul 30, 2019 at 4:16 PM Paul Ebersman <list-dnsop@dragon.net> wrote: > ebersman> Actually, I think this moves your goal nicely. If we could > ebersman> have things marked as "not zone data, sensitive" and dealt > ebersman> with only over a covert channel after various auth/acl checks > ebersman> are done, it would be easy enough to have metadata that won't > ebersman> leak. > > ebersman> Then we define some of these things we consider > ebersman> "private"/non-zone. > > dmahoney> I also envision the "presentation format" looking like a > dmahoney> regular comment so non-compatible implementations that tried > dmahoney> to load a zone with these simply ignored them as they do > dmahoney> regular comments. Similar, perhaps to how server-side > dmahoney> includes work in the web world. > > ebersman> Legacy/non-compatible would fall out because they wouldn't > ebersman> ever see this because they'd fail whatever auth/negotiation > ebersman> was necessary to believe that sending covert/metadata was OK > ebersman> and they'd never get it. > > dmahoney> Right, my argument was more in the case of the "without > dmahoney> covert". I.e. you've dumped your zone on bind and loaded it > dmahoney> into NSD. On disk, not wire. > > If what you're arguing for is something that's actually mixed into the > zone data, how do you handle non-compatible/legacy and avoid leakage? > > Doing it as separate meta-data not part of the zone data and not needing > to be DNS wire format solves that but, again, without some covert or > non-AXFR transfer method, how do you get it around? > > If you don't care about backward compatibility, this is a more easily > solvable problem. > If you are looking at putting it outside the zone, it occurs to me that any of the IPAM solutions have a database where you can attach information to records, zones, IP addresses, etc. Even Active Directory can probably do that. -- Bob Harold
- [DNSOP] proposal: Covert in-band zone data Evan Hunt
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Evan Hunt
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Wessels, Duane
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Brian Dickson
- Re: [DNSOP] proposal: Covert in-band zone data Richard Gibson
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Bill Woodcock
- Re: [DNSOP] proposal: Covert in-band zone data Wessels, Duane
- Re: [DNSOP] proposal: Covert in-band zone data jabley
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Tony Finch
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Dan Mahoney
- Re: [DNSOP] proposal: Covert in-band zone data Matthew Pounsett
- Re: [DNSOP] proposal: Covert in-band zone data Samuel Weiler
- Re: [DNSOP] proposal: Covert in-band zone data Ólafur Guðmundsson
- Re: [DNSOP] proposal: Covert in-band zone data Paul Wouters
- Re: [DNSOP] proposal: Covert in-band zone data Evan Hunt
- Re: [DNSOP] proposal: Covert in-band zone data Tim Wattenberg
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Dan Mahoney
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Dan Mahoney
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Bob Harold
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Dan Mahoney
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Mark Andrews
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Bob Harold
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data JW λ John Woodworth