Re: [DNSOP] proposal: Covert in-band zone data
Paul Ebersman <list-dnsop@dragon.net> Tue, 30 July 2019 20:16 UTC
Return-Path: <list-dnsop@dragon.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 890DA120024 for <dnsop@ietfa.amsl.com>; Tue, 30 Jul 2019 13:16:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TzUi_xqzV0lu for <dnsop@ietfa.amsl.com>; Tue, 30 Jul 2019 13:16:30 -0700 (PDT)
Received: from mail.dragon.net (mail.dragon.net [IPv6:2001:4f8:3:36::235]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4FE012001A for <dnsop@ietf.org>; Tue, 30 Jul 2019 13:16:29 -0700 (PDT)
Received: from fafnir.remote.dragon.net (localhost [IPv6:::1]) by mail.dragon.net (Postfix) with ESMTP id 59D8737402E6; Tue, 30 Jul 2019 13:16:28 -0700 (PDT)
Received: by fafnir.remote.dragon.net (Postfix, from userid 501) id 1496015E6BFA; Tue, 30 Jul 2019 14:16:28 -0600 (MDT)
Received: from fafnir.local (localhost [127.0.0.1]) by fafnir.remote.dragon.net (Postfix) with ESMTP id 105A115E6BF9; Tue, 30 Jul 2019 14:16:28 -0600 (MDT)
From: Paul Ebersman <list-dnsop@dragon.net>
To: Dan Mahoney <dmahoney@isc.org>
cc: dnsop@ietf.org
In-reply-to: <alpine.BSF.2.21.9999.1907302009500.7062@bikeshed.isc.org>
References: <20190706213024.GA56650@isc.org> <alpine.BSF.2.21.9999.1907221704030.7062@bikeshed.isc.org> <CAN6NTqymm6+OMet0sMZC0Ms5E_5mj_nwONk3fR19HwgWXYNB4Q@mail.gmail.com> <alpine.LRH.2.21.1907251332070.10708@bofh.nohats.ca> <20190725183051.33DA315BFD9D@fafnir.remote.dragon.net> <alpine.BSF.2.21.9999.1907301916050.7062@bikeshed.isc.org> <20190730200859.A424215E6AD4@fafnir.remote.dragon.net> <alpine.BSF.2.21.9999.1907302009500.7062@bikeshed.isc.org>
Comments: In-reply-to Dan Mahoney <dmahoney@isc.org> message dated "Tue, 30 Jul 2019 20:11:36 -0000."
X-Mailer: MH-E 7.4.2; nmh 1.7.1; XEmacs 21.4 (patch 22)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <62587.1564517787.1@fafnir.local>
Date: Tue, 30 Jul 2019 14:16:27 -0600
Message-Id: <20190730201628.1496015E6BFA@fafnir.remote.dragon.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/fcFtE8n3LVu7aFSLKDFUYDlK_rs>
Subject: Re: [DNSOP] proposal: Covert in-band zone data
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jul 2019 20:16:35 -0000
ebersman> Actually, I think this moves your goal nicely. If we could ebersman> have things marked as "not zone data, sensitive" and dealt ebersman> with only over a covert channel after various auth/acl checks ebersman> are done, it would be easy enough to have metadata that won't ebersman> leak. ebersman> Then we define some of these things we consider ebersman> "private"/non-zone. dmahoney> I also envision the "presentation format" looking like a dmahoney> regular comment so non-compatible implementations that tried dmahoney> to load a zone with these simply ignored them as they do dmahoney> regular comments. Similar, perhaps to how server-side dmahoney> includes work in the web world. ebersman> Legacy/non-compatible would fall out because they wouldn't ebersman> ever see this because they'd fail whatever auth/negotiation ebersman> was necessary to believe that sending covert/metadata was OK ebersman> and they'd never get it. dmahoney> Right, my argument was more in the case of the "without dmahoney> covert". I.e. you've dumped your zone on bind and loaded it dmahoney> into NSD. On disk, not wire. If what you're arguing for is something that's actually mixed into the zone data, how do you handle non-compatible/legacy and avoid leakage? Doing it as separate meta-data not part of the zone data and not needing to be DNS wire format solves that but, again, without some covert or non-AXFR transfer method, how do you get it around? If you don't care about backward compatibility, this is a more easily solvable problem.
- [DNSOP] proposal: Covert in-band zone data Evan Hunt
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Evan Hunt
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Wessels, Duane
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Brian Dickson
- Re: [DNSOP] proposal: Covert in-band zone data Richard Gibson
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Bill Woodcock
- Re: [DNSOP] proposal: Covert in-band zone data Wessels, Duane
- Re: [DNSOP] proposal: Covert in-band zone data jabley
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Tony Finch
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Dan Mahoney
- Re: [DNSOP] proposal: Covert in-band zone data Matthew Pounsett
- Re: [DNSOP] proposal: Covert in-band zone data Samuel Weiler
- Re: [DNSOP] proposal: Covert in-band zone data Ólafur Guðmundsson
- Re: [DNSOP] proposal: Covert in-band zone data Paul Wouters
- Re: [DNSOP] proposal: Covert in-band zone data Evan Hunt
- Re: [DNSOP] proposal: Covert in-band zone data Tim Wattenberg
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Dan Mahoney
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Dan Mahoney
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Bob Harold
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Dan Mahoney
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Mark Andrews
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Bob Harold
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data JW λ John Woodworth