[DNSOP] comments on draft-vixie-dns-rpz-04
神明達哉 <jinmei@wide.ad.jp> Tue, 31 January 2017 21:31 UTC
Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7C581295BB for <dnsop@ietfa.amsl.com>; Tue, 31 Jan 2017 13:31:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gETUPrmYP3d5 for <dnsop@ietfa.amsl.com>; Tue, 31 Jan 2017 13:31:47 -0800 (PST)
Received: from mail-qk0-x22f.google.com (mail-qk0-x22f.google.com [IPv6:2607:f8b0:400d:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA7731295B7 for <dnsop@ietf.org>; Tue, 31 Jan 2017 13:31:46 -0800 (PST)
Received: by mail-qk0-x22f.google.com with SMTP id l126so46313286qkc.1 for <dnsop@ietf.org>; Tue, 31 Jan 2017 13:31:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:from:date:message-id:subject:to:cc; bh=dirdcNlt7r12zgL8l2/EW3qvkKWtnEp5ZDJsi4ZyUO4=; b=q+ejD5JLKSkOAit8MAdbvE7mFovX1WECBg8kgucZ/N1rdfKsramCD8eqywkRRaT/ej kfcvU1uow4h7Oj7pgPOL9b8XIuXDRTGmlxrfUYJ7/XiGw93+kO+ch02HoYGEF21n+rhy J6ssxtLDjYS9XNJzYJuflxpb/bjpmOwsnCyuY+NJ16M+IK1Wk2nC8jUf5W+kjq+sA3ed dM/NcabNqA2dD1+qA4aCm6qBHQ28sc3B0WdMJV2HCbPhWFNAv/5g1pOR5IzldlR9m5nt A2EEdNAibzh9/MgXLRyEexRqQj4c2oUVTqQg4rAe8tbt3kQvaQnlt3abBbPsJm+GDLTl g7VA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:from:date:message-id:subject :to:cc; bh=dirdcNlt7r12zgL8l2/EW3qvkKWtnEp5ZDJsi4ZyUO4=; b=o+t+ObMAKgKaWLipeOquk5/j5qr+fq2E7JCgOIPzOB8XSrVcoICZScRXEK3nNNVWI2 Pr/3T+wNXuhWJPSb+SSPgq9VeRWvG+qvD9/5uDYW+clHK5so2GDz07rJlbiiKvmSD742 X0eDRPH5+JkQKvZZb9kxNMI9kLYzFFSeiMHYHByrOuX+7WT54xQF8UBGqJIbLeWJCakF 1WDUznPr+SC8X4N6ZIkg5gUuWT24J4qUhbIqBt09ZT2k2hIoLYHxdGF2buA3mGb+pka9 gNREUPiUqvbG+ZBKLLKz7n1LF6We8HQKoaVjCC3CBrENY+Hrk5PvCHd+Gafxr/MhKrbT KnXA==
X-Gm-Message-State: AMke39mhUOXAE/NZAs5smXlIfSSRQBuStIuAyDJUVqNvi4OBaGfA7go6L80T+47sw8xHJ7YZZ80Qhvvi3t3ImA==
X-Received: by 10.233.222.197 with SMTP id s188mr3178221qkf.311.1485898305886; Tue, 31 Jan 2017 13:31:45 -0800 (PST)
MIME-Version: 1.0
Sender: jinmei.tatuya@gmail.com
Received: by 10.237.60.29 with HTTP; Tue, 31 Jan 2017 13:31:45 -0800 (PST)
From: 神明達哉 <jinmei@wide.ad.jp>
Date: Tue, 31 Jan 2017 13:31:45 -0800
X-Google-Sender-Auth: up5pFZAfOYjkpjLkTBuYUaJllbs
Message-ID: <CAJE_bqdGfXFma72=E27s1kW++keSFeNFtMBBS4Q1nj=nGOvZQw@mail.gmail.com>
To: draft-vixie-dns-rpz@tools.ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/bP2_s-SfUhMRJ2rKu2a68DLuU8s>
Cc: dnsop <dnsop@ietf.org>
Subject: [DNSOP] comments on draft-vixie-dns-rpz-04
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Jan 2017 21:31:49 -0000
This is my technical comments on draft-vixie-dns-rpz-04 that I promised to submit when I responded to the wg adoption call. Some of the points may be considered "out of scope" if the draft really intends to just describe what's currently deployed, but I nevertheless made these points for the reasons I said in my response to the adoption call. - Abstract This document describes a method for expressing DNS response policy inside a specially constructed DNS zone, and for recursive name servers to use such policy to return modified results to DNS clients. I don't think this document limits its scope to recursive servers as it talks about the "recursive-only" option in Section 6. The same sense of comment applies to some other use of "recursive servers" throughout the document. - Section 4.1.1 The BIND 9 RPZ implementation rejects a prefix length of 0: if (prefix_num < 1U || prefix_num > 128U) { badname(log_level, src_name, "; invalid prefix length of ", prefix_str); return (ISC_R_FAILURE); } I don't know the rationale behind it, but since /0 is not a syntactically invalid prefix it's probably better to describe it explicitly, if the restriction is intentional and especially if this document seeks for wider interoperability among multiple implementations. Furthermore, if the intent is to avoid accidentally apply a policy to too broad addresses, some other shorter prefixes (e.g., /1) may also need a similar consideration. - Section 4.1.1 As in [RFC5952], in order to avoid confusion with octal notation, leading zeroes MUST be suppressed. This reads awkward or confusing to me. First, it could read as if RFC5942 suppresses leading zeros to avoid confusion with octal notation, but as far as I understand it that's not the reason (it's basically just to provide unique and consistent representations.) Second, unlike the case of IPv4 addresses, not all hex block can this confusion; if avoiding the confusion were the reason, there should be no reason for banning '0db8' instead of 'db8'. So I suggest: As in [RFC5952], in order to make the representation unique, leading zeroes MUST be suppressed. - Section 4.2 To control the policy for both a name and its subdomains, two policy RRsets must be used, one for the domain itself and another for a wildcard subdomain. IMO this part of the spec is one of the reasons why abusing zone data to represent filtering policies is not good. I guess (and I know that's actually the case in some real world deployments) in many cases we want to apply the same policy to both 'example.com' and '*.example.com'. So this spec can easily lead to wasting memory for straightforward implementations. Although an implementation could employ an internal compression scheme to save memory, it seems to me to make much more sense to design the spec so a straightforward implementation would just work without a waste in the first place. Following the standard DNS protocol can also result in counter-intuitive results. For example, if you have the following policy records: example.com CNAME . *.example.com CNAME . a.b.example.com AAAA 2001:db8::1 then no policy will apply to a query for b.example.com./AAAA or c.a.b.example.com./AAAA (or other query types than AAAA for that matter). That would be quite likely to be different from what the admin of this config intends to implement (the most likely intended policy would be to return NXDOMAIN for everything on and under example.com except for a.b.example.com./AAAA). We might say an admin of RPZ should be very familiar with all the subtlety of the DNS protocol details like this one, but to me this seems to be another case for designing a better spec at this opportunity. - Section 4.4 Recall also that the target of a CNAME is not added to the response if the QTYPE is ANY Is this guaranteed by a protocol standard? Or is this a requirement to RPZ implementations? (If it's the latter while the former isn't explicitly guaranteed, then I think the current draft should be clearer about it). - Section 5.2 Matches on rules in an RPZ specified earlier in the ordered list of RPZs take precedence over matches on rules in an RPZ specified later. I may miss something, but the concept of "ordered list of RPZs" isn't explicitly described elsewhere (at least earlier) in the draft. I think it should be explicitly documented as part of assumptions. - Section 5.6 When comparing two Response IP Address matches or two NSIP matches on rules within a single RPZ, choose the match whose rule trigger has the longest "internal prefix length". [...] For an IPv4 address trigger, the internal prefix length is the numeric value of its first label plus 96 (that is, 128-32). Does this apply when a response to type ANY query contains both AAAA and A RRsets, i.e., choose the IPv6 or IPv4 address that has the longest internal prefix length among all AAAA and A RRsets? If so, (I think it's better to clarify that explicitly and) it means IPv4 prefixes would tend to be preferred even if they are effectively very short. For example, a /8 (whose internal plen is 104) IPv4 prefix will be preferred over a /64 IPv6 prefix. Depending on the rationale of this precedence it may or may not be ideal (if it's just for making it deterministic it's okay, but if it tries to prefer more specific prefixes then it's probably not). - Section 5.7 The three addresses above are compared as these 128-bit hexadecimal numbers, respectively: 0x000000000000000000000000c0000200, 0x000000000000000000000000c0000280, and 0x20010db80000000000000000c0000280. Thus, the first IPv4 address is most preferred and the IPv6 address is least preferred. The latter part of the previous comment applies here; with this logic IPv4 prefixes will be generally preferred over IPv6 prefixes (when the internal plen is identical) since in practice most IPv6 addresses contain non-0 bits in the first 96-bit part. - Section 6 RPZ rules do not apply to synthetic data generated by using RPZ rules. For example, if RPZ supplies a CNAME pointing to a walled garden, RPZ policies will not be used while following that CNAME. Consider the following policy record: a.example.com CNAME garden.example.org. and assume following the CNAME target results in the chain as follows: garden.example.org. CNAME a.example.com. a.example.com. AAAA 2001:db8::1 Then should this server includes these two RRs as well as the first CNAME in the answer? If so, it would result in "CNAME and other type for the same name" and violate the protocol standard (forgetting RPZ violates the standard anyway). Is it okay? - Section 6.1 For each DNS RPZ configured for use by a recursive name server, it SHOULD be possible to specify a single, OPTIONAL overriding policy action to be used for all policy triggers found in that RPZ. I'd suggest explaining what "override" means in a bit more detail. I know what it means from the actual behavior of existing implementations, but I'm not sure if this is clear enough just from this text. Also, I'm not really sure for what this overriding is useful except DISABLED (for which the draft explains its possible purpose). Some more background motivation would be helpful for readers and for implementers who will end up supporting these SHOULDs. - Section 7 Because minimal data latency is critical both to the prevention of crime and abuse and to the withdrawal of erroneous or outdated policy, a DNS RPZ producer SHOULD also make every effort to minimize data latency, including ensuring that NOTIFY messages are sent in a timely manner after each change of the DNS RPZ on the master server. I'd note that this is another case why abusing DNS zone data wouldn't be a good choice: notifies are unreliable and often delayed (if for a short period). - Section 9 (or regarding NSDNAME and NSIP in general) RPZ checks can add significant processing and network costs to the processing of recursive DNS requests. This is particularly true of rules with NSDNAME and NSIP triggers. [...] I wonder how widely these triggers are used. My personal experiences are of course very limited, but none of the large scale RPZ deployments I know of uses these triggers. On the other hand the implementation of these would be quite complicated and error prone in addition to the performance overhead described in the draft text, and, in fact, the support for these triggers certainly makes the BIND 9's RPZ implementation even more unreadable. So, depending on the actual deployment status, we might want to make these triggers optional or even excluded from a spec aiming to be a base of broader interoperability. -- JINMEI, Tatuya
- [DNSOP] comments on draft-vixie-dns-rpz-04 神明達哉
- Re: [DNSOP] comments on draft-vixie-dns-rpz-04 Vernon Schryver