IETF Logo Mail Archive

Re: [DNSOP] adoption mechanics and disclaimers wrt dns-rpz

Paul Vixie <vixie@fsi.io> Mon, 20 March 2017 00:06 UTC

Return-Path: <vixie@fsi.io>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD41F129435 for <dnsop@ietfa.amsl.com>; Sun, 19 Mar 2017 17:06:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fsi.io
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uPx5ISJstGsQ for <dnsop@ietfa.amsl.com>; Sun, 19 Mar 2017 17:06:55 -0700 (PDT)
Received: from hq.fsi.io (hq.fsi.io [IPv6:2620:11c:f004::96]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FECB129415 for <dnsop@ietf.org>; Sun, 19 Mar 2017 17:06:55 -0700 (PDT)
Received: from localhost (ip6-localhost [IPv6:::1]) by hq.fsi.io (Postfix) with ESMTP id 2E34E805E00 for <dnsop@ietf.org>; Mon, 20 Mar 2017 00:06:55 +0000 (UTC)
Received: from hq.fsi.io ([IPv6:::1]) by localhost (hq.fsi.io [IPv6:::1]) (amavisd-new, port 10032) with ESMTP id Z5MjLeUU4NEn; Mon, 20 Mar 2017 00:06:53 +0000 (UTC)
Received: from localhost (ip6-localhost [IPv6:::1]) by hq.fsi.io (Postfix) with ESMTP id DCEBB31361C; Mon, 20 Mar 2017 00:06:52 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.9.0 hq.fsi.io DCEBB31361C
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fsi.io; s=9DB368E8-E20A-11E2-82F0-24FC3FFE5E89; t=1489968412; bh=AgBSoIh5BhCrEwWQBj30BhyFLWZVWFIshYEILjqOevw=; h=From:To:Subject:Date:Message-ID:MIME-Version: Content-Transfer-Encoding:Content-Type; b=yFA+tbzbdEFtPVhcX1Y+ecVdW8OyFm3uofuOfkLyHGZj4BY/fuFzLUG3uwnnHIXdP cU1KE/ryI/XXRqYDoM9JDL+8FZBJrsagpRj3BzA5QzB6jSly7KkyUrmX7toL4mlsK4 pTH6qLuZpURTCiliBcgbJRE73Wiw64NjwdrZ5JCs=
X-Virus-Scanned: amavisd-new at fsi.io
Received: from hq.fsi.io ([IPv6:::1]) by localhost (hq.fsi.io [IPv6:::1]) (amavisd-new, port 10026) with ESMTP id H7O-Se_wqL1N; Mon, 20 Mar 2017 00:06:52 +0000 (UTC)
Received: from linux-hs2j.localnet (dhcp-148.access.lah1.vix.su [24.104.150.148]) by hq.fsi.io (Postfix) with ESMTPSA id 5F15430FB21; Mon, 20 Mar 2017 00:06:51 +0000 (UTC)
From: Paul Vixie <vixie@fsi.io>
To: DNSOP <dnsop@ietf.org>
Date: Mon, 20 Mar 2017 00:06:49 +0000
Message-ID: <1634279.49NKbZ46cN@linux-hs2j>
Organization: Farsight Security, Inc.
In-Reply-To: <2232822.T0nP9Ksjf9@linux-hs2j>
References: <2232822.T0nP9Ksjf9@linux-hs2j>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/mWUPVdE8UiboSWsanh3h6NQEcvQ>
Subject: Re: [DNSOP] adoption mechanics and disclaimers wrt dns-rpz
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Mar 2017 00:06:57 -0000

fwiw, here is the text of an RPZ brief provided to the ICANN TEG in the recent 
copenhagen meeting. the text was edited by me, and all errors or omissions are 
mine:

> What are Response Policy Zones (RPZ)?
> 
> A Response Policy Zone (RPZ) is a way to convey DNS resolution policy
> from a security provider to a security customer. The RPZ format can
> identify DNS content by name, or by name server, or by resulting IP
> address; and it can be used to prevent a DNS resolver from reaching the
> DNS content in question, either fully, or indirectly via a honeypot or
> walled garden. Like all so-called "DNS firewalls", the use of RPZ is
> optional, and must be seen by its customers as a value-add, or else it
> will not be used. RPZ was originally prototyped in the ISC BIND9 name
> server, but has since become generally available.
> 
> Fundamentally, an RPZ is a set of rules that directs a recursive name
> server how to act if the answer to a query it resolves matches one of
> the rules in the RPZ. There are different kinds of matches that cause
> the recursive server to take different actions when a match occurs.
> The overall goal of an RPZ is to avoid interacting with certain domains,
> name server, or DNS results such as IP addresses depending on the purpose
> or policy associated with the RPZ. For example, an RPZ could implement
> a policy against visiting malicious domains (such as malware sites,
> phishing sites, etc.) to protect users.
> 
> An ingenious feature of RPZ is that the policy rules themselves are
> actually encoded as standard DNS resource records in a standard DNS zone
> (hence the word "zone" in the name). Since RPZs are normal DNS zones, they
> can be easily distributed using the standard DNS zone transfer protocol,
> which moves a DNS zone from one name server to another. In the typical
> configuration, a recursive name server operating wanting to implement a
> particular policy "subscribes" to a particular RPZ offered by their own
> security team or by an external security provider. The recursive server
> obtains the RPZ using a standard DNS zone transfer from an authoritative
> server operated by the provider. Notably, the RPZ information is not
> intended for direct lookup or consumption by users. Rather, a recursive
> server internally looks up record-sets in an RPZ to direct how it should
> deal with responses it receives during its normal resolution process.
> 
> To offer a specific example, Farsight Security offers an RPZ that
> contains newly observed domains. The theory behind this particular RPZ
> is that phishing sites and malware often use newly registered domains,
> since these domains have a very low probability of already being tagged as
> malicious in various security intelligence services. Once configured with
> this RPZ, a recursive server will effectively refuse to resolve any newly
> observed domains until an incubation period has passed, ensuring that
> users of that recursive server will be protected from these new sites
> long enough to give other reputation services, and takedown services,
> enough time to complete their work. Any connotation of "dangerous" with
> "newly observed" would have to exist in the eye of the resolver operator,
> and is purely subjective.
> 
> Recursive name server implementations that offer RPZ support include
> BIND 9 (Internet Software Consortium), Knot Resolver (cz.nic), PowerDNS
> Recursor (PowerDNS), and FastRPZ (a product of Farsight Security
> that operates with ISC BIND9 and NLNetLabs Unbound).  About a dozen
> RPZ-format security feeds are currently available, some commercial,
> some free. The list of implementations and providers can be found at
> https://dnsrpz.info/.

v2.23.0 | Report a Bug | By Email