Re: [DNSOP] draft-ietf-dnsop-dnssec-roadblock-avoidance & support for local DNS views

[Petr Spacek <pspacek@redhat.com>]

On 26.6.2015 22:45, Olafur Gudmundsson wrote:
>> On Feb 11, 2015, at 11:24 AM, Petr Spacek <pspacek@redhat.com> wrote:
[...]
>> Few guys in Red Hat proposed "hacky but almost-reliable automatic" way how to
>> improve usability without sacrificing security.
>>
>>
>> Disclaimer
>> ==========
>> Method described below is covered by US patent application named "USING DOMAIN
>> NAME SYSTEM SECURITY EXTENSIONS IN A MIXED-MODE ENVIRONMENT".
>>
>> See Red Hat, Inc. Statement of Position and Our Promise on Software Patents:
>> http://www.redhat.com/legal/patent_policy.html
>>
>>
> I reject the below text as I do not want any IPR on anything in this informational document. 
> Olafur

Olafur and dnsop chairs,

would you be willing to accept the text below if Red Hat granted a license
similar to https://datatracker.ietf.org/ipr/1430/ ?
(I.e. the patent could be asserted only for defensive purposes.)

I'm asking because the text might be suitable for some other document
describing split-dns, so this question is still valid even if the text might
not be directly usable in draft-ietf-dnsop-dnssec-roadblock-avoidance.

Thank you for considering this as an option.

Petr Spacek @ Red Hat

>> The Hack
>> ========
>> Fundamental assumption:
>> Internal & external DNS view are both signed with the same keys or both
>> unsigned. This assumption allows the method to work without explicit
>> configuration on every client and removes dependency on reliable/secure
>> network-detection logic.
>>
>>
>> The main idea can re-phrased as amendment to section 5 of the draft:
>>
>>   The general fallback approach can be described by the following
>>   sequence:
>>
>>       If the resolver is labeled as "Validator" or "DNSSEC aware"
>>           Send query through this resolver and perform local
>>           validation on the results.
>>
>>           If validation fails, try the next resolver
>>
>>       Else if the resolver is labeled "Not a DNS Resolver" or
>>          "Non-DNSSEC capable"
>>           Mark it as unusable and try next resolver
>>
>> --- amended text begins here ---
>>
>>       Else if no more resolvers are configured and if direct queries
>>       are supported
>>          1. Try iterating from Root
>>
>>          2. If the answer is SECURE/BOGUS
>>            Return the result of iteration.
>>
>>          3. If the answer is INSECURE
>>            Re-query "Non-DNSSEC capable" servers and get answer
>>            from "Non-DNSSEC capable" servers.
>>            Set AD bit to 0 before returning the answer to client.
>>
>>       Else return a useful error code
>>
>>
>> This method covers DNS split-views with internal unsigned views pretty
>> nicely as long as the fundamental assumption holds. (Naturally it works only
>> for cases where fallback to iteration is possible.)
>>
>> We wanted to write Unbound module for this but it is harder than it seems.
>> (Proof-of-concept with stand-alone DNS proxy works fine, we have problem with
>> Unbound module architecture - not with the described method.)
>>
>> Feel free to incorporate the idea to the draft if you wish.
>>
>> -- 
>> Petr Spacek  @  Red Hat