IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt

Scott Morizot <tmorizot@gmail.com> Wed, 21 December 2016 16:17 UTC

Return-Path: <tmorizot@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A6B41294AD for <dnsop@ietfa.amsl.com>; Wed, 21 Dec 2016 08:17:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FG2b1onBeCdc for <dnsop@ietfa.amsl.com>; Wed, 21 Dec 2016 08:17:42 -0800 (PST)
Received: from mail-wm0-x22f.google.com (mail-wm0-x22f.google.com [IPv6:2a00:1450:400c:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 620C21293D9 for <dnsop@ietf.org>; Wed, 21 Dec 2016 08:17:42 -0800 (PST)
Received: by mail-wm0-x22f.google.com with SMTP id g23so26894539wme.1 for <dnsop@ietf.org>; Wed, 21 Dec 2016 08:17:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=O5FFJc5JwtJHEyYex1LuoqlJg1pJ0OW+wLMmgpmHpIQ=; b=sJIGD3H8VtXlXRJGgCgyuZbcqHjP2bD4BT6ITG8VlFlpjJBKX/3++yfT3bZ18EjkGp qV4Ukcr9leJuylkF/QkLPHNYdLUaOkBGtdp3m8Ir6nR8K323SIA0bRx03sDT/qxVZHMX lESugajFozUdnaTLj6bTtCcPs499n3Mehmu2J+eVKqX9ZK2vdOLP8dO2iq2DCq50JInT 4EtjKe0pY1eRvHLdBtfsEbuyEZknBDzMoc1aQ83VxGXLjT4l0cD51k+Y3W07jBrWuwoW acduWh36CfDHkCyOxlfYEXauJHMl5K3hP4WF+ljGTm4gc+el+bOrJKpAzAPhXIFnylGv tOpg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=O5FFJc5JwtJHEyYex1LuoqlJg1pJ0OW+wLMmgpmHpIQ=; b=Y+zl7gtCQ7n6bVob5Udh9qvHTXg+6l7ztWui0hxI7TqFuPmsuHT2XIRZ76hnKroGcA jaQGTp28TmXmqb+hgDo+5kTnqGi7mdsOlpylfDwo/CWTI5spYVtqfPiXY47krnbNnyGg u2seohCE4pOaOE+AgYTijJiZfpLfnlydUESCmVxPWTJCuoYTKpmzPXs61o7iST/ex20Y gi06YhbzvU8Wp9EMmZC32zSXUF6JSsP+wlw+SK0yAf46qyfCt9oWkJDePxHyLhs4wvlg N2mQNFGN9uN3j5O417DkMX1K4ARY0xtYL+G7NqVbOFt83JkJlfsFkyHbAktfCteGEkQq q3Wg==
X-Gm-Message-State: AIkVDXIcGlROD5U32R5r+9KdTuVDLn47veE6DHwwpiwaT5xng3Q+t9d1n9PGSRgkV2fTf2LWMGnzSo0SQPFMew==
X-Received: by 10.28.22.193 with SMTP id 184mr5692085wmw.100.1482337060796; Wed, 21 Dec 2016 08:17:40 -0800 (PST)
MIME-Version: 1.0
Received: by 10.194.42.38 with HTTP; Wed, 21 Dec 2016 08:17:39 -0800 (PST)
In-Reply-To: <987B1C64-B85D-4316-8DE8-27D4A4AB8F9A@fugue.com>
References: <20161218224231.GB16301@odin.ulthar.us> <201612191535.uBJFZh7w091898@calcite.rhyolite.com> <CACfw2hhFLdFgspse7-L8UxCLCCu_g=GYEybOWVZ5xPkMu0YduQ@mail.gmail.com> <CACfw2hg_8nT_b6Syc1-wk_O92mzW0Zo0wX5xgMp5uhhu0Vom9A@mail.gmail.com> <987B1C64-B85D-4316-8DE8-27D4A4AB8F9A@fugue.com>
From: Scott Morizot <tmorizot@gmail.com>
Date: Wed, 21 Dec 2016 10:17:39 -0600
Message-ID: <CAFy81rnu6xSmFSR3xEYAdb7xK+rMC788Li1VAdwKfxKNa9T2dQ@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Content-Type: multipart/alternative; boundary="001a1145aebcf264f405442d7de5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/fawXem3MBYkE3WQ40jTHV-60Mh8>
Cc: Vernon Schryver <vjs@rhyolite.com>, dnsop <dnsop@ietf.org>, william manning <chinese.apricot@gmail.com>
Subject: Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Dec 2016 16:17:45 -0000

Speaking as a large enterprise operator (over 100,000 employees and
contractors at over 600 sites as well as a significant public Internet
presence) that has DNSSEC signed all public zones, the majority of internal
zones, and has DNSSEC validation enabled at all levels throughout our
recursive DNS infrastructure (not just at our Internet access layer) and
which also employs RPZ based protections, I don't see a lot of overlap in
the threats against which each protect. The primary DNS based threats about
which we are concerned when it comes to RPZ are the vectors that utilize
malicious authoritative DNS zones for botnet command & control and data
exfiltration. In those scenarios especially, we do not even want the query
leaving the enterprise as the queries themselves are often the payload. (We
are also planning to use our own RPZ zones in addition to our current
subscription feeds to block malicious domains not in the feed when
identified. And we are looking at mechanisms to perhaps automatically
detect particular malicious query traffic patterns, especially those
associated with data exfiltration.) If a malicious zone is DNSSEC signed,
BOGUS validation of the RPZ responses by other internal validating
recursive nameservers, stub resolvers, or applications is perfectly
acceptable. Either way, the query is stopped from going out, which is a
primary goal. There's nothing that stops an operator for a malicious
authoritative zone from properly DNSSEC signing their authoritative zone.
The traffic itself would still be malicious. RPZ is widely used because
there isn't really another mechanism that effectively addresses that
specific attack vector.

Virtually every protocol standardized by the IETF either has been abused by
malicious actors or has the potential for abuse. Yes, if an authoritarian
nation state has the ability to restrict its citizens to state operated
recursive nameservers, then RPZ gives them another tool they can use to
forge responses. But such nation states were forging responses long before
RPZ existed. In such an environment, they have considerable ability to
abuse any protocol.

If the IETF has any ideas on ways to improve RPZ to better protect against
those DNS attack vectors in particular while reducing the potential for
abuse or if anyone has a proposal for an alternative standard, I doubt
those of us in the community that actually rely on it now would object. It
would be helpful if there were an agreed reference standard for
interoperability, but absent anything else that addresses the need, we'll
keep using the tool we have. As an operator, dnsop certainly looks like the
appropriate IETF working group for this draft. I'm not sure I understand
the rationale behind Informational as opposed to Proposed Standard, but if
the IETF wishes to have any input on the mechanism, this would seem to be
the place to discuss it. I'm in favor of adopting it as a working group
draft.

Scott Morizot


On Wed, Dec 21, 2016 at 8:54 AM, Ted Lemon <mellon@fugue.com> wrote:

> William, I think the exit strategy for RPZ is DNSSEC.   We really need to
> figure out how to get people to be able to reliably and safely set up
> DNSSEC.   Despite Olaf’s excellent documents, we don’t really have that
> yet.   I don’t think that operating DNSSEC should be as scary as it is, but
> right now all the IETF advice on this topic is too general, requiring the
> installer to make decisions about their setup that the average IT person
> doesn’t know how to make.
>
> We should have a document that says "look, if you don’t know any better,
> here is a way to set up DNSSEC that will make your users more secure than
> they are without it, and that will not blow up in your face (assuming you
> do it)."   I’ve seen a few documents like that, but nothing out of the
> IETF; they are generally on someone’s personal web site, and don’t see wide
> distribution.
>
> I think we need to stop thinking that there will be some shining day when
> the Internet is a safe place.  The internet is an ecosystem, and ecosystems
> have predators and parasites.   We may not like it, it may violate our
> ideals, but it is reality, and denying reality doesn’t make it go away.
>  What we should be doing is thinking like gardeners, not like machinists.
> Gardeners sometimes have to use methods for dealing with pests that allow
> us to have yummy food but aren’t so good for the pests.   The same is true
> with the Internet.
>
> (FWIW, I’m in favor of adoption, for precisely this reason.)
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

v2.23.0 | Report a Bug | By Email