IETF Logo Mail Archive

Re: [DNSOP] proposal: Covert in-band zone data

Joe Abley <jabley@hopcount.ca> Mon, 08 July 2019 16:20 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1ADF120222 for <dnsop@ietfa.amsl.com>; Mon, 8 Jul 2019 09:20:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.701
X-Spam-Level:
X-Spam-Status: No, score=-0.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, PDS_NO_HELO_DNS=1.295, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F1JIP03zEr8F for <dnsop@ietfa.amsl.com>; Mon, 8 Jul 2019 09:20:06 -0700 (PDT)
Received: from mail-qt1-x82b.google.com (mail-qt1-x82b.google.com [IPv6:2607:f8b0:4864:20::82b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21D001201F1 for <dnsop@ietf.org>; Mon, 8 Jul 2019 09:20:06 -0700 (PDT)
Received: by mail-qt1-x82b.google.com with SMTP id h24so18656113qto.0 for <dnsop@ietf.org>; Mon, 08 Jul 2019 09:20:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=BZ5eNT94IG9MjyJ+LlnaACsdKi62STpu+qTFjHGgeQc=; b=I9cFmZhFzoUWRMAunDVcgEg3wtxmAHYMZ++KdqxOeujl9o5f71dYFW2Ot8Nk+fDSxY VRjvc7QHyMxtyZeJmf+Pzi4qiFGWna5wHxfk3wJpettbQ806w1+3XaZPOOyKCRw5Z3UY +w6sVvaORUSrueJgXMHA1HOpptrCjXAtB0wS0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=BZ5eNT94IG9MjyJ+LlnaACsdKi62STpu+qTFjHGgeQc=; b=kKAEfvPeBVXbx6mzK2/+T2awVdQAYea75Q7UU9g+kZmBQxcOrWjmNI/GnteOy37mNB YPOWuMO2ZE4y8svK66prsj/at8dF8xbJN1FPxefS444QNYv8qNKKP3RZmar1xWCMjDwg Sucy9eZrMgOgsWSQdt4SUfHxPkBjPc639QhRbTswFMPLM2n2vc0Is1QhhsilfMlxU+xY WnsV6Luzen/JKEig8NpStB4SemcKuOHR6ORhLXbLjWm5goWZz2GiCpeI/ddmotas9ote RTh/z1VEcTVlZnSC6TXmF2W6gEfVGwQ2ZgVWiT6b52UfY3+JS5Qp2dS7MpYZTv0lZGdt l3Gg==
X-Gm-Message-State: APjAAAWrue6kYJrpgCggQesjxj4AS9/k1IzfExhWm8nAiIlYwT+i//Ob cGgOEt74TPiunHvtPMeXnExW4a0XZZ0bK1NM
X-Google-Smtp-Source: APXvYqxaPux8Ir1MAEXaMnr17F0PtYkJCf8KqGXkrACxCW/W5PDSe6F4FeQit1kt3y+AC2jMdZSa3A==
X-Received: by 2002:a0c:f909:: with SMTP id v9mr14721930qvn.83.1562602804830; Mon, 08 Jul 2019 09:20:04 -0700 (PDT)
Received: from [192.168.1.50] (24-246-23-138.cable.teksavvy.com. [24.246.23.138]) by smtp.gmail.com with ESMTPSA id g2sm7328379qkm.31.2019.07.08.09.20.03 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 08 Jul 2019 09:20:03 -0700 (PDT)
From: Joe Abley <jabley@hopcount.ca>
Message-Id: <C467FE93-F6CE-4DB4-80E8-654B1485A1F6@hopcount.ca>
Content-Type: multipart/signed; boundary="Apple-Mail=_EA130424-E99E-4937-8FD3-7903B2AA2190"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Mon, 08 Jul 2019 12:20:02 -0400
In-Reply-To: <561203a3-7fd9-94cc-5b13-3639b123f8e2@isc.org>
Cc: dnsop@ietf.org
To: Witold Krecicki <wpk@isc.org>
References: <20190706213024.GA56650@isc.org> <CAJhMdTMwCiAS+S_j-i3BXPZ=G1zVhAq+YKH07RsDWRgezPhejg@mail.gmail.com> <caa695e7-21e6-9c41-1814-1f4c1d64df7f@isc.org> <CAJhMdTPK3iqg4sF0Kr+jGAXTf2MZ8FAP0DgwQw1kVBHa65wTNA@mail.gmail.com> <191886397.1948062.1562455685612.JavaMail.zimbra@isc.org> <CAJhMdTNvO=TjNUV=6wHwLJB_c+tqwk4zY24jGbi5a0SqdSUsag@mail.gmail.com> <561203a3-7fd9-94cc-5b13-3639b123f8e2@isc.org>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/UGipo0MYes5dqlV3OTJrY3vDKz4>
Subject: Re: [DNSOP] proposal: Covert in-band zone data
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jul 2019 16:20:08 -0000

Hey,

On 6 Jul 2019, at 19:59, Witold Krecicki <wpk@isc.org> wrote:

> But why put it out-of-band when it can be in-band?

I don't think there's a good general answer to this. Sometimes in-band signalling is good; other times out-of-band signalling has proved to be safer. I'm talking very generally, here, not directly about your proposal.

As far as this particular idea goes, I mentioned before what had given me pause: we're talking about taking a protocol where every RRSet in a zone to date has been public and is made available in DNS responses. Any server that doesn't implement this new mechanism would presumably treat the new covert RRTypes as they would any other unknown/opaque type and make the data public.

There is hence an operational risk that data will leak (e.g. by configuration changes, software downgrades that are pragmatic necessities, side systems that publish zone data in ways other than the DNS).

By keeping data that is already exchanged over a (manual) out-of-band channel separate, and not packaging them up with zone data, the existing segregation of private vs. public is preserved and the task is simply to automate a process that is currently manual.

This might sound like a very high-level concern, but I suspect there are ramifications of changing the security model of the data published in a zone that extend beyond the operation to the wider architecture, e.g. what to do with PII that is published in a covert record, and what extra work results from the changed risk profile of that data? In a segmented security architecture, what are the implications of sensitive material being mixed with public information?


Joe

v2.23.0 | Report a Bug | By Email