Re: [DNSOP] draft-ietf-dnsop-dns-rpz
Vernon Schryver <vjs@rhyolite.com> Fri, 06 October 2017 16:39 UTC
Return-Path: <vjs@rhyolite.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 875B3134A72 for <dnsop@ietfa.amsl.com>; Fri, 6 Oct 2017 09:39:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, PP_MIME_FAKE_ASCII_TEXT=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A754z5-iylqe for <dnsop@ietfa.amsl.com>; Fri, 6 Oct 2017 09:39:03 -0700 (PDT)
Received: from calcite.rhyolite.com (calcite-v6.rhyolite.com [IPv6:2001:470:4b:581::3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63A73134A7C for <dnsop@ietf.org>; Fri, 6 Oct 2017 09:38:56 -0700 (PDT)
Received: from calcite.rhyolite.com (localhost [127.0.0.1]) by calcite.rhyolite.com (8.15.2/8.15.2) with ESMTPS id v96Gclfb082321 (CN=www.rhyolite.com version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <dnsop@ietf.org> env-from <vjs@rhyolite.com>; Fri, 6 Oct 2017 16:38:47 GMT
Received: (from vjs@localhost) by calcite.rhyolite.com (8.15.2/8.15.2/Submit) id v96Gckki082320 for dnsop@ietf.org; Fri, 6 Oct 2017 16:38:46 GMT
Date: Fri, 06 Oct 2017 16:38:46 +0000
From: Vernon Schryver <vjs@rhyolite.com>
Message-Id: <201710061638.v96Gckki082320@calcite.rhyolite.com>
To: dnsop@ietf.org
In-Reply-To: <fbd50d63-7669-ebc6-1b58-ddab42259418@nic.cz>
X-DCC-Rhyolite-Metrics: calcite.rhyolite.com; whitelist
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kUMdb_mv0AY54Ui3paFmPFqlRJY>
Subject: Re: [DNSOP] draft-ietf-dnsop-dns-rpz
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Oct 2017 16:39:05 -0000
> From: =?UTF-8?B?VmxhZGltw61yIMSMdW7DoXQ=?= <vladimir.cunat+ietf@nic.cz> > The current very limited implementation of RPZ in knot-resolver [1] is > done via a couple dozen lines of lua code, i.e. only JIT-compiled. The > approach might remain similar, perhaps a bit more modularized, but in > any case I expect it would be included by default, so I wouldn't fear > about users having to recompile. > > [1] > https://gitlab.labs.nic.cz/knot/knot-resolver/blob/v1.4.0/modules/policy/policy.lua#L294 I wish I wouldn't offend people when I point out that a mechanism that uses local zone files is not a very limited response policy zone implementation. Such things might be far better than real "rpz", but they're not "rpz". (I can make a case for them being better although I don't buy it, perhaps because I'm biased.) Overwriting public DNS data triggered by qnames has always been trivial, but that is not "rpz." Simply fire up a local authority server with your own "DNS lies" and point your resolvers to it, perhaps with custom "hints" files. If you're running combined authority/resolver code such as BIND, simply add some local zone files. But such ad hoc authority server schemes as well as the new so called "rpz" schemes of adding local zone files to resolvers the lack features that motiviated the original implementation of real RPZ including: - distributed policy zones, including from external organizations This sounds minor, but it is major. It's related to why so few organizations maintain their own anti-spam DNS blacklists. You could use FTP, rsync, HTTP, etc. and a cron job, but in practice you won't. And if you did, it updates would have latencies of hours or days instead of seconds with real RPZ. - dynamically combine policy from multiple sources In theory this could be done with some perl, awk, or even Bourne shell code, but not in practice at scale. - policies triggered by the contents of A and AAAA responses or by the names or IP addresses of authorities The bad guys can and do register new domains faster than you can update your local blacklist, faster than they can hijack new IP addresses for those new domains, and faster than they'd like to establish new authorities serving those new domains. - no need to restart the resolver to reload the zone This not only minimizes end user disruption when the zones are reloaded but allows organization-wide policy changes with latencies measured in seconds. In other words, hacking local zone file qname overrides into a resolver is not hard (including CNAME and DNAME chains). The horrid code involves triggering on A or AAAA contents and authority names and addresses...well there're also SOA timers, IXFR, AXFR, Notify, and TSIG, but that code is less horrid than voluminous. Please don't misunderstand me as saying no one else can or should write real RPZ code. Many people could and I really wish they would. That's why I spent a lot effort outside my comfort zone on the I-D. What bugs me are implementations of so called RPZ and RRL that share only the acronyms with the BIND stuff. Vernon Schryver vjs@rhyolite.com
- Re: [DNSOP] draft-ietf-dnsop-dns-rpz Suzanne Woolf
- [DNSOP] draft-ietf-dnsop-dns-rpz Suzanne Woolf
- Re: [DNSOP] draft-ietf-dnsop-dns-rpz Ted Lemon
- Re: [DNSOP] draft-ietf-dnsop-dns-rpz Petr Špaček
- Re: [DNSOP] draft-ietf-dnsop-dns-rpz Suzanne Woolf
- Re: [DNSOP] draft-ietf-dnsop-dns-rpz Paul Hoffman
- Re: [DNSOP] draft-ietf-dnsop-dns-rpz Ted Lemon
- Re: [DNSOP] draft-ietf-dnsop-dns-rpz Paul Wouters
- Re: [DNSOP] draft-ietf-dnsop-dns-rpz avri doria
- Re: [DNSOP] draft-ietf-dnsop-dns-rpz Peter van Dijk
- Re: [DNSOP] draft-ietf-dnsop-dns-rpz John Levine
- Re: [DNSOP] draft-ietf-dnsop-dns-rpz Petr Špaček
- Re: [DNSOP] draft-ietf-dnsop-dns-rpz Mukund Sivaraman
- Re: [DNSOP] draft-ietf-dnsop-dns-rpz Vernon Schryver
- Re: [DNSOP] draft-ietf-dnsop-dns-rpz Vladimír Čunát
- Re: [DNSOP] draft-ietf-dnsop-dns-rpz Paul Vixie
- Re: [DNSOP] draft-ietf-dnsop-dns-rpz Vernon Schryver
- Re: [DNSOP] draft-ietf-dnsop-dns-rpz Marek Vavruša
- Re: [DNSOP] draft-ietf-dnsop-dns-rpz Vernon Schryver