IETF Logo Mail Archive

Re: [DNSOP] proposal: Covert in-band zone data

Witold Krecicki <wpk@isc.org> Mon, 08 July 2019 21:02 UTC

Return-Path: <wpk@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56C65120090 for <dnsop@ietfa.amsl.com>; Mon, 8 Jul 2019 14:02:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6oEURtAWTFu5 for <dnsop@ietfa.amsl.com>; Mon, 8 Jul 2019 14:02:07 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63229120073 for <dnsop@ietf.org>; Mon, 8 Jul 2019 14:02:07 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id CB1FE3AB00D; Mon, 8 Jul 2019 21:02:06 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id C16BD16006C; Mon, 8 Jul 2019 21:02:06 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id B4CEB16006B; Mon, 8 Jul 2019 21:02:06 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id TGx5L7jbXykP; Mon, 8 Jul 2019 21:02:06 +0000 (UTC)
Received: from [192.168.69.142] (unknown [31.179.189.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 90985160051; Mon, 8 Jul 2019 21:02:05 +0000 (UTC)
To: "Wessels, Duane" <dwessels@verisign.com>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
References: <20190706213024.GA56650@isc.org> <CAJhMdTMwCiAS+S_j-i3BXPZ=G1zVhAq+YKH07RsDWRgezPhejg@mail.gmail.com> <caa695e7-21e6-9c41-1814-1f4c1d64df7f@isc.org> <CAJhMdTPK3iqg4sF0Kr+jGAXTf2MZ8FAP0DgwQw1kVBHa65wTNA@mail.gmail.com> <191886397.1948062.1562455685612.JavaMail.zimbra@isc.org> <CAJhMdTNvO=TjNUV=6wHwLJB_c+tqwk4zY24jGbi5a0SqdSUsag@mail.gmail.com> <561203a3-7fd9-94cc-5b13-3639b123f8e2@isc.org> <C467FE93-F6CE-4DB4-80E8-654B1485A1F6@hopcount.ca> <BCD5A218-CF1A-4569-B8A2-7BC8B499CC4B@verisign.com> <a0309614-bd25-08d4-003d-4615779910f6@isc.org> <4BA5D196-E626-4AD1-AF32-546A37D3F156@verisign.com>
From: Witold Krecicki <wpk@isc.org>
Message-ID: <02e60f7d-46a0-49fe-cb13-6cad27fb8737@isc.org>
Date: Mon, 08 Jul 2019 23:02:02 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2
MIME-Version: 1.0
In-Reply-To: <4BA5D196-E626-4AD1-AF32-546A37D3F156@verisign.com>
Content-Type: text/plain; charset="windows-1252"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/UG8VxqdNMiaATyTLTcuu6JXakh8>
Subject: Re: [DNSOP] proposal: Covert in-band zone data
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jul 2019 21:02:10 -0000


W dniu 08.07.2019 o 22:30, Wessels, Duane pisze:
> 
> 
>> On Jul 8, 2019, at 1:05 PM, Witold Krecicki <wpk@isc.org> wrote:
>>
>> W dniu 08.07.2019 o 19:20, Wessels, Duane pisze:
>>
>>> With respect to 2.6. Interaction with ZONEMD, I'd think it should follow handling of DNSSEC.  That is, covert types should not be included in a zone digest.
>>
>> As I understand ZONEMD main purpose is to verify the full content of the
>> zone, mainly for zone transfer. In that case, I'd include COVERT records
>> - as the clients who can transfer the zone using XFR will also be able
>> to transfer COVERT records. (but I'm not stuck to that opinion).
> 
> If the primary server is allowed to transmit two versions of the zone -- one with covert RRs and one without -- then it only makes sense to omit covert RRs from the digest.  It would be unfortunate, but necessary.
> 
> Actually I think the last paragraph of 2.2 would be better with only this:
> 
>    If the primary server receives a zone transfer request for a zone with
>    Covert RRs, but without the COVERT-OK option, it MUST NOT transfer the zone.
> 
> That is, don't allow AXFR of a zone with Covert RRs to an unaware secondary.  Then leaks are much less likely and you can include the covert RRs in the zone digest.  You would need to specify what the server should do in this case.  REFUSED I guess.

The alternative is to transfer the zone without COVERT RR's if (and only
if) a configuration option is set - this is to make it easier during
'transition period' where primary supports Covert and secondary doesn't
- e.g. for NOTE RRs which are not critical to functioning of the zone.
The default behaviour is to refuse the transfer.

You're definitely right about specifying an exact response (REFUSED) if
a zone  transfer request without COVERT-OK is received for a zone with
COVERT RR's and without the configuration option, I'm adding it to my
TODO list.

Witold

v2.23.0 | Report a Bug | By Email