Re: [DNSOP] draft-ietf-dnsop-dns-rpz

Vernon Schryver <vjs@rhyolite.com> Fri, 06 October 2017 16:39 UTC

Return-Path: <vjs@rhyolite.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 875B3134A72 for <dnsop@ietfa.amsl.com>; Fri, 6 Oct 2017 09:39:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, PP_MIME_FAKE_ASCII_TEXT=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A754z5-iylqe for <dnsop@ietfa.amsl.com>; Fri, 6 Oct 2017 09:39:03 -0700 (PDT)
Received: from calcite.rhyolite.com (calcite-v6.rhyolite.com [IPv6:2001:470:4b:581::3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63A73134A7C for <dnsop@ietf.org>; Fri, 6 Oct 2017 09:38:56 -0700 (PDT)
Received: from calcite.rhyolite.com (localhost [127.0.0.1]) by calcite.rhyolite.com (8.15.2/8.15.2) with ESMTPS id v96Gclfb082321 (CN=www.rhyolite.com version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <dnsop@ietf.org> env-from <vjs@rhyolite.com>; Fri, 6 Oct 2017 16:38:47 GMT
Received: (from vjs@localhost) by calcite.rhyolite.com (8.15.2/8.15.2/Submit) id v96Gckki082320 for dnsop@ietf.org; Fri, 6 Oct 2017 16:38:46 GMT
Date: Fri, 6 Oct 2017 16:38:46 GMT
From: Vernon Schryver <vjs@rhyolite.com>
Message-Id: <201710061638.v96Gckki082320@calcite.rhyolite.com>
To: dnsop@ietf.org
In-Reply-To: <fbd50d63-7669-ebc6-1b58-ddab42259418@nic.cz>
X-DCC-Rhyolite-Metrics: calcite.rhyolite.com; whitelist
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kUMdb_mv0AY54Ui3paFmPFqlRJY>
Subject: Re: [DNSOP] draft-ietf-dnsop-dns-rpz
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Oct 2017 16:39:05 -0000

> From: =?UTF-8?B?VmxhZGltw61yIMSMdW7DoXQ=?= <vladimir.cunat+ietf@nic.cz>

> The current very limited implementation of RPZ in knot-resolver [1] is
> done via a couple dozen lines of lua code, i.e. only JIT-compiled.  The
> approach might remain similar, perhaps a bit more modularized, but in
> any case I expect it would be included by default, so I wouldn't fear
> about users having to recompile.
>
> [1]
> https://gitlab.labs.nic.cz/knot/knot-resolver/blob/v1.4.0/modules/policy/policy.lua#L294

I wish I wouldn't offend people when I point out that a mechanism
that uses local zone files is not a very limited response policy
zone implementation.  Such things might be far better than real
"rpz", but they're not "rpz".  (I can make a case for them being
better although I don't buy it, perhaps because I'm biased.)

Overwriting public DNS data triggered by qnames has always been trivial,
but that is not "rpz."  Simply fire up a local authority server with
your own "DNS lies" and point your resolvers to it, perhaps with custom
"hints" files.  If you're running combined authority/resolver code
such as BIND, simply add some local zone files.  But such ad hoc
authority server schemes as well as the new so called "rpz" schemes
of adding local zone files to resolvers the lack features that motiviated
the original implementation of real RPZ including:

  - distributed policy zones, including from external organizations
      This sounds minor, but it is major.  It's related to why so few
      organizations maintain their own anti-spam DNS blacklists. 
      You could use FTP, rsync, HTTP, etc. and a cron job, but in
      practice you won't.  And if you did, it updates would have
      latencies of hours or days instead of seconds with real RPZ.

  - dynamically combine policy from multiple sources
      In theory this could be done with some perl, awk, or even
      Bourne shell code, but not in practice at scale.

  - policies triggered by the contents of A and AAAA responses or by
         the names or IP addresses of authorities
      The bad guys can and do register new domains faster than you can
      update your local blacklist, faster than they can hijack new IP
      addresses for those new domains, and faster than they'd like to
      establish new authorities serving those new domains.

  - no need to restart the resolver to reload the zone
      This not only minimizes end user disruption when the zones
      are reloaded but allows organization-wide policy changes with
      latencies measured in seconds.

In other words, hacking local zone file qname overrides into a
resolver is not hard (including CNAME and DNAME chains).  The horrid
code involves triggering on A or AAAA contents and authority names
and addresses...well there're also SOA timers, IXFR, AXFR, Notify,
and TSIG, but that code is less horrid than voluminous.

Please don't misunderstand me as saying no one else can or should
write real RPZ code.  Many people could and I really wish they
would.  That's why I spent a lot effort outside my comfort zone on
the I-D.  What bugs me are implementations of so called RPZ and RRL
that share only the acronyms with the BIND stuff.


Vernon Schryver    vjs@rhyolite.com