Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt
Scott Morizot <tmorizot@gmail.com> Wed, 21 December 2016 16:17 UTC
Return-Path: <tmorizot@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A6B41294AD for <dnsop@ietfa.amsl.com>; Wed, 21 Dec 2016 08:17:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FG2b1onBeCdc for <dnsop@ietfa.amsl.com>; Wed, 21 Dec 2016 08:17:42 -0800 (PST)
Received: from mail-wm0-x22f.google.com (mail-wm0-x22f.google.com [IPv6:2a00:1450:400c:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 620C21293D9 for <dnsop@ietf.org>; Wed, 21 Dec 2016 08:17:42 -0800 (PST)
Received: by mail-wm0-x22f.google.com with SMTP id g23so26894539wme.1 for <dnsop@ietf.org>; Wed, 21 Dec 2016 08:17:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=O5FFJc5JwtJHEyYex1LuoqlJg1pJ0OW+wLMmgpmHpIQ=; b=sJIGD3H8VtXlXRJGgCgyuZbcqHjP2bD4BT6ITG8VlFlpjJBKX/3++yfT3bZ18EjkGp qV4Ukcr9leJuylkF/QkLPHNYdLUaOkBGtdp3m8Ir6nR8K323SIA0bRx03sDT/qxVZHMX lESugajFozUdnaTLj6bTtCcPs499n3Mehmu2J+eVKqX9ZK2vdOLP8dO2iq2DCq50JInT 4EtjKe0pY1eRvHLdBtfsEbuyEZknBDzMoc1aQ83VxGXLjT4l0cD51k+Y3W07jBrWuwoW acduWh36CfDHkCyOxlfYEXauJHMl5K3hP4WF+ljGTm4gc+el+bOrJKpAzAPhXIFnylGv tOpg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=O5FFJc5JwtJHEyYex1LuoqlJg1pJ0OW+wLMmgpmHpIQ=; b=Y+zl7gtCQ7n6bVob5Udh9qvHTXg+6l7ztWui0hxI7TqFuPmsuHT2XIRZ76hnKroGcA jaQGTp28TmXmqb+hgDo+5kTnqGi7mdsOlpylfDwo/CWTI5spYVtqfPiXY47krnbNnyGg u2seohCE4pOaOE+AgYTijJiZfpLfnlydUESCmVxPWTJCuoYTKpmzPXs61o7iST/ex20Y gi06YhbzvU8Wp9EMmZC32zSXUF6JSsP+wlw+SK0yAf46qyfCt9oWkJDePxHyLhs4wvlg N2mQNFGN9uN3j5O417DkMX1K4ARY0xtYL+G7NqVbOFt83JkJlfsFkyHbAktfCteGEkQq q3Wg==
X-Gm-Message-State: AIkVDXIcGlROD5U32R5r+9KdTuVDLn47veE6DHwwpiwaT5xng3Q+t9d1n9PGSRgkV2fTf2LWMGnzSo0SQPFMew==
X-Received: by 10.28.22.193 with SMTP id 184mr5692085wmw.100.1482337060796; Wed, 21 Dec 2016 08:17:40 -0800 (PST)
MIME-Version: 1.0
Received: by 10.194.42.38 with HTTP; Wed, 21 Dec 2016 08:17:39 -0800 (PST)
In-Reply-To: <987B1C64-B85D-4316-8DE8-27D4A4AB8F9A@fugue.com>
References: <20161218224231.GB16301@odin.ulthar.us> <201612191535.uBJFZh7w091898@calcite.rhyolite.com> <CACfw2hhFLdFgspse7-L8UxCLCCu_g=GYEybOWVZ5xPkMu0YduQ@mail.gmail.com> <CACfw2hg_8nT_b6Syc1-wk_O92mzW0Zo0wX5xgMp5uhhu0Vom9A@mail.gmail.com> <987B1C64-B85D-4316-8DE8-27D4A4AB8F9A@fugue.com>
From: Scott Morizot <tmorizot@gmail.com>
Date: Wed, 21 Dec 2016 10:17:39 -0600
Message-ID: <CAFy81rnu6xSmFSR3xEYAdb7xK+rMC788Li1VAdwKfxKNa9T2dQ@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Content-Type: multipart/alternative; boundary="001a1145aebcf264f405442d7de5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/fawXem3MBYkE3WQ40jTHV-60Mh8>
Cc: Vernon Schryver <vjs@rhyolite.com>, dnsop <dnsop@ietf.org>, william manning <chinese.apricot@gmail.com>
Subject: Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Dec 2016 16:17:45 -0000
Speaking as a large enterprise operator (over 100,000 employees and contractors at over 600 sites as well as a significant public Internet presence) that has DNSSEC signed all public zones, the majority of internal zones, and has DNSSEC validation enabled at all levels throughout our recursive DNS infrastructure (not just at our Internet access layer) and which also employs RPZ based protections, I don't see a lot of overlap in the threats against which each protect. The primary DNS based threats about which we are concerned when it comes to RPZ are the vectors that utilize malicious authoritative DNS zones for botnet command & control and data exfiltration. In those scenarios especially, we do not even want the query leaving the enterprise as the queries themselves are often the payload. (We are also planning to use our own RPZ zones in addition to our current subscription feeds to block malicious domains not in the feed when identified. And we are looking at mechanisms to perhaps automatically detect particular malicious query traffic patterns, especially those associated with data exfiltration.) If a malicious zone is DNSSEC signed, BOGUS validation of the RPZ responses by other internal validating recursive nameservers, stub resolvers, or applications is perfectly acceptable. Either way, the query is stopped from going out, which is a primary goal. There's nothing that stops an operator for a malicious authoritative zone from properly DNSSEC signing their authoritative zone. The traffic itself would still be malicious. RPZ is widely used because there isn't really another mechanism that effectively addresses that specific attack vector. Virtually every protocol standardized by the IETF either has been abused by malicious actors or has the potential for abuse. Yes, if an authoritarian nation state has the ability to restrict its citizens to state operated recursive nameservers, then RPZ gives them another tool they can use to forge responses. But such nation states were forging responses long before RPZ existed. In such an environment, they have considerable ability to abuse any protocol. If the IETF has any ideas on ways to improve RPZ to better protect against those DNS attack vectors in particular while reducing the potential for abuse or if anyone has a proposal for an alternative standard, I doubt those of us in the community that actually rely on it now would object. It would be helpful if there were an agreed reference standard for interoperability, but absent anything else that addresses the need, we'll keep using the tool we have. As an operator, dnsop certainly looks like the appropriate IETF working group for this draft. I'm not sure I understand the rationale behind Informational as opposed to Proposed Standard, but if the IETF wishes to have any input on the mechanism, this would seem to be the place to discuss it. I'm in favor of adopting it as a working group draft. Scott Morizot On Wed, Dec 21, 2016 at 8:54 AM, Ted Lemon <mellon@fugue.com> wrote: > William, I think the exit strategy for RPZ is DNSSEC. We really need to > figure out how to get people to be able to reliably and safely set up > DNSSEC. Despite Olaf’s excellent documents, we don’t really have that > yet. I don’t think that operating DNSSEC should be as scary as it is, but > right now all the IETF advice on this topic is too general, requiring the > installer to make decisions about their setup that the average IT person > doesn’t know how to make. > > We should have a document that says "look, if you don’t know any better, > here is a way to set up DNSSEC that will make your users more secure than > they are without it, and that will not blow up in your face (assuming you > do it)." I’ve seen a few documents like that, but nothing out of the > IETF; they are generally on someone’s personal web site, and don’t see wide > distribution. > > I think we need to stop thinking that there will be some shining day when > the Internet is a safe place. The internet is an ecosystem, and ecosystems > have predators and parasites. We may not like it, it may violate our > ideals, but it is reality, and denying reality doesn’t make it go away. > What we should be doing is thinking like gardeners, not like machinists. > Gardeners sometimes have to use methods for dealing with pests that allow > us to have yummy food but aren’t so good for the pests. The same is true > with the Internet. > > (FWIW, I’m in favor of adoption, for precisely this reason.) > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt internet-drafts
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ted Lemon
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Vernon Schryver
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Scott Schmit
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Tony Finch
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Scott Schmit
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Adrien de Croy
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ralf Weber
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt sthaug
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Evan Hunt
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt bert hubert
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt bert hubert
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Jim Reid
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt bert hubert
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ralf Weber
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Tony Finch
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Tony Finch
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt sthaug
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Vernon Schryver
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Evan Hunt
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt william manning
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Evan Hunt
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Allan Liska
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Jim Reid
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ted Lemon
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt David Conrad
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt John Levine
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Olafur Gudmundsson
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt ac
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt william manning
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ted Lemon
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ray Bellis
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Ted Lemon
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt John Levine
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Paul Wouters
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Scott Morizot
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt John Levine
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Stephane Bortzmeyer
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Stephane Bortzmeyer
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Stephane Bortzmeyer
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt sthaug
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt John Levine
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Tony Finch
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Vernon Schryver
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Paul Wouters
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt John Levine
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Vernon Schryver
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Mukund Sivaraman
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Vernon Schryver
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Vernon Schryver
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Mukund Sivaraman
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt Mukund Sivaraman
- Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt David Conrad