Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

Scott Schmit <i.grok@comcast.net> Sat, 17 December 2016 18:40 UTC

Date: Sat, 17 Dec 2016 13:40:06 -0500
From: Scott Schmit <i.grok@comcast.net>
To: dnsop@ietf.org
Message-ID: <20161217184006.GB4916@odin.ULTHAR.us>
References: <148192523291.14691.3300133966679345337.idtracker@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="/NkBOFFp2J2Af1nK"
Content-Disposition: inline
In-Reply-To: <148192523291.14691.3300133966679345337.idtracker@ietfa.amsl.com>
User-Agent: Mutt/1.7.1 (2016-10-04)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/VNTW-M72I7b9odTyxQ3Ky-UVcyg>
Subject: Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Dec 2016 18:40:21 -0000

On Fri, Dec 16, 2016 at 01:53:52PM -0800, internet-drafts@ietf.org wrote:
> Abstract:
>    This document describes a method for expressing DNS response policy
>    inside a specially constructed DNS zone, and for recursive name
>    servers to use such policy to return modified results to DNS clients.
>    The modified DNS results can stop access to selected HTTP servers,
>    redirect users to "walled gardens", block objectionable email, and
>    otherwise defend against attack.  These "DNS Firewalls" are widely
>    used in fighting Internet crime and abuse.

This doesn't magically make it possible for this DNS firewall to forge
DNSSEC-signed data, so if a validating end-system is going to have its
behavior modified, it would need to opt in.  (Whatever that means if
it's legally required to participate.)

But it looks like the contents of this zone are intended to be kept
secret from end-users.  The option to use other recursive resolvers
provided in 12.1 ignores that access to them could be blocked.

I could imagine a world in which the response to this draft is to
accelerate DNSSEC deployment [maybe optimistic]. That would highlight
where this is being used, since only affected domains would have their
lookups broken.  The natural counter to that would be to deliberately
break DNSSEC everywhere to blind end-users to where they're being lied
to.

So this, if implemented, is ultimately a DNSSEC-killer.

-- 
Scott Schmit
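The interaction the message argues from, as an added example that is not part of the original post or of the RPZ draft: a recursive resolver applying an RPZ rewrite sits between a signed zone and a stub. It holds no zone-signing key, so a rewritten answer either carries a stale RRSIG or none at all, and a validating stub marks both bogus, while a stub that trusts the resolver (the "opt in" the message refers to) accepts the rewritten address. A second mode models the counter-move the message describes, stripping RRSIGs for every name, after which the validator can no longer tell rewritten names from untouched ones. Everything here is constructed: textbook RSA with a toy 64-bit modulus stands in for RRSIG/DNSKEY, a `zone_is_signed` flag stands in for the DS chain, and the zone data, policy entries and function names are my own, not anything from the draft.

```python
"""Toy model of a DNSSEC-validating stub behind an RPZ-applying resolver.
Example code, not from the RPZ draft; all names and addresses are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# ---- stand-in for RRSIG/DNSKEY: textbook RSA with a TOY 64-bit modulus ----
# Real DNSSEC keys are far larger; this only models "the zone holds the private
# key, everyone else can verify". The two primes are constructed constants.
_P, _Q = 4294967291, 4294967279
_N = _P * _Q
_E = 65537                                   # public exponent (in the DNSKEY)
_D = pow(_E, -1, (_P - 1) * (_Q - 1))        # private exponent, zone-only

RRset = Tuple[str, str, Tuple[str, ...]]     # (owner name, type, rdata)
Outcome = Tuple[str, Optional[Tuple[str, ...]]]


def _canonical_digest(rrset: RRset) -> int:
    """Hash of the RRset in a canonical form, reduced into the toy modulus."""
    name, rtype, rdata = rrset
    wire = "|".join([name.lower(), rtype] + sorted(rdata)).encode()
    return int.from_bytes(hashlib.sha256(wire).digest(), "big") % _N


def zone_sign(rrset: RRset) -> int:
    """Signature produced by the authoritative zone (the only holder of _D)."""
    return pow(_canonical_digest(rrset), _D, _N)


def verify_rrsig(rrset: RRset, sig: int) -> bool:
    """What a validating stub does with the public key (_E, _N)."""
    return pow(sig, _E, _N) == _canonical_digest(rrset)


@dataclass
class Response:
    name: str
    rtype: str
    rdata: Tuple[str, ...]
    rrsig: Optional[int]   # None models "no RRSIG returned"


# Constructed signed zone content (documentation addresses).
AUTHORITATIVE: Dict[Tuple[str, str], Tuple[str, ...]] = {
    ("www.example.", "A"): ("192.0.2.10",),
    ("mail.example.", "A"): ("192.0.2.20",),
}

# Constructed RPZ policy: point www.example. at a walled-garden address.
RPZ_POLICY: Dict[str, Tuple[str, ...]] = {"www.example.": ("192.0.2.99",)}


def authoritative_answer(name: str, rtype: str) -> Response:
    rdata = AUTHORITATIVE[(name, rtype)]
    return Response(name, rtype, rdata, zone_sign((name, rtype, rdata)))


def rpz_resolver(name: str, rtype: str, strip_rrsig_everywhere: bool = False) -> Response:
    """Recursive resolver applying the policy. It does not hold _D, so a rewritten
    name keeps the upstream RRSIG (now mismatched) or, in the strip-everywhere
    mode the message describes as a counter-move, loses it like every other name."""
    upstream = authoritative_answer(name, rtype)
    if name in RPZ_POLICY:
        return Response(name, rtype, RPZ_POLICY[name],
                        None if strip_rrsig_everywhere else upstream.rrsig)
    if strip_rrsig_everywhere:
        return Response(name, rtype, upstream.rdata, None)
    return upstream


def validating_stub(resp: Response, zone_is_signed: bool = True) -> Outcome:
    """zone_is_signed stands in for the DS chain from the root: because the stub
    knows the zone is signed, a missing RRSIG is bogus, not insecure."""
    if resp.rrsig is None:
        return ("bogus", None) if zone_is_signed else ("insecure", resp.rdata)
    if verify_rrsig((resp.name, resp.rtype, resp.rdata), resp.rrsig):
        return ("secure", resp.rdata)
    return ("bogus", None)


def non_validating_stub(resp: Response) -> Outcome:
    """A stub that simply trusts its recursive resolver."""
    return ("unvalidated", resp.rdata)


def scenarios() -> dict:
    return {
        "validating, rewritten name": validating_stub(rpz_resolver("www.example.", "A")),
        "validating, untouched name": validating_stub(rpz_resolver("mail.example.", "A")),
        "non-validating, rewritten name": non_validating_stub(rpz_resolver("www.example.", "A")),
        "validating, RRSIG stripped everywhere": (
            validating_stub(rpz_resolver("www.example.", "A", True)),
            validating_stub(rpz_resolver("mail.example.", "A", True)),
        ),
    }


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print(f"{label}: {outcome}")
```

The first two scenarios are the message's opening point: only the rewritten name fails validation, so a validating client learns exactly which lookups were altered. The last scenario is its closing point: once RRSIGs are withheld for every name, both answers come back bogus and the validator has lost that signal.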