Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

神明達哉 <> Mon, 09 January 2017 21:23 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B5AC61295D8 for <>; Mon, 9 Jan 2017 13:23:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id bCcaAV4G9blc for <>; Mon, 9 Jan 2017 13:23:43 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400d:c0d::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8A8A51294E4 for <>; Mon, 9 Jan 2017 13:23:43 -0800 (PST)
Received: by with SMTP id x49so82329920qtc.2 for <>; Mon, 09 Jan 2017 13:23:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=nDoqb3xsEcXudsFfGH6fCX0JUgMtrLW1iWJBPoR37xk=; b=flTinwX0uZrUPbp+wFoE5KD1sEiXPOXh/hKDPed9oVUG0bZKH3++/Xj1nPE0edNz1G XWZHZSbz8hvZnR+4N1BE5evyPa+kuZ5nLxIv+hnPZitnNBLf/04zEK9uBqN5hq917CSi 45R9D5+UUs+6blCBoeFcJCxv2XXV13nOzzlppS79afgoIEr3e0E7HI608zBlZVlsqAo9 WtwfeTHrvPSz+s/tXZQiXjSna3uo5jC4XsFXo0u14PHCbMluEPanZslcVrOpfekXuTlM 9OtP8gUlQFROuX8WStGozraksDM1ApODffWEgAtcv9dmvHxidm09X9JzimWjMDaiQ9VD 1Zug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=nDoqb3xsEcXudsFfGH6fCX0JUgMtrLW1iWJBPoR37xk=; b=iK1Bf81KtB4CTrvtyaTz07dhDP9wpCxLy2ok8psx8ysh7/iDwZH+0rr2rN4eFRNIA4 iMI/tlvIR2c9WoSs090nGRtG8s/QeBQkarNmYEdrcAH6mQ4HOUCOccaArl/1EF5kmHL7 IbI6B5wt+mYa+FBcL8nGxX73dT5lrOG29Hd1L1lPfc9bOR0VwcElgJpNIm0I8GeqrT3y k4hSOFdjXt1isnZguNWExNNLsq04vSNluJZ/r9XtQAx8CXGgqHeldFgPUEKL9IoSisyO BqH3aYLZhbBBVZzx9SdW7D3iLKTwOzLGgXvByXwt2dHjO4tBVgJgR7HdAImipKcdUJbI ub2A==
X-Gm-Message-State: AIkVDXL5snhvnfb25onDN++vXNMpV8+4PJxZaUrWBF0tZxepmOB6/odcqCtL5AhP3BnnDv8rQB0ivzPDs7XOHQ==
X-Received: by with SMTP id o28mr12579007qto.269.1483997022557; Mon, 09 Jan 2017 13:23:42 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Mon, 9 Jan 2017 13:23:41 -0800 (PST)
In-Reply-To: <>
References: <>
From: =?UTF-8?B?56We5piO6YGU5ZOJ?= <>
Date: Mon, 9 Jan 2017 13:23:41 -0800
X-Google-Sender-Auth: SZ6t-xrV5SXPNFKHBaKxVNH-vic
Message-ID: <>
To: tjw ietf <>
Content-Type: text/plain; charset=UTF-8
Archived-At: <>
Cc: dnsop <>
Subject: Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 09 Jan 2017 21:23:46 -0000

On Tue, Dec 20, 2016 at 7:16 AM, tjw ietf <> wrote:

> The draft is being present as "Informational", and the point here is to
> document current working behavior in the DNS (for the past several years).
> It is obvious that some feel this draft is a large mistake, but like
> edns-client-subnet, more operators are deploying this than one is aware of.
> This starts a Call for Adoption for draft-vixie-dns-rpz
> The draft is available here:
> Please review this draft to see if you think it is suitable for adoption by
> DNSOP, and comments to the list, clearly stating your view.

I'm still reading the 04 version of draft-vixie-dns-rpz and intending
to make comments on it later, but I'd like to respond to the call
first: I do not think it's suitable for dnsop to adopt the draft in
its current form, with the intent of "just describing currently
deployed practice", and (as I guess) with the intent of eventually
publishing as an (Informational) RFC.

But I think the document itself is very useful, so it would be nice if
it's made more publicly available in other form, e.g., some
white-paper kind or at a popular blog site.  If the adoption means
polishing the document for that goal (although I don't think it's the
intent for this call), I'd support it.

Also, if we're really willing to work on a "standard, interoperable
DNS firewall specification" without worrying about substantially
changing the current practice/implementation, and if the adoption
means the first step for that goal (and so the final publication could
be totally different and may not be compatible with the existing
standard), then I'd support it.  But, again, I suspect that's not the
intent of this call.

Some more specific rationale for this opinion below:

- As I believe most people, and perhaps including the draft authors or
  RPZ implementations, agree, it's an ugly hack to use the standard
  DNS zone to represent the firewall rules.  It might have been a
  convenient way to implement the idea initially (e.g, we can use the
  zone transfer behavior to distribute the rules), but I don't see an
  essential reason why these are represented as DNS RRs.  And, (again
  as I believe everyone knows) it's not just ugly but also has some
  inherent flaws, such as that not all domain names can be represented
  due to length limitation.  In fact, not all existing implementations
  of RPZ-like feature use this form as the primary way of rule
  configuration (unbound is one example I happen to know of, and from
  a quick look knot resolver also seems to adopt its own configuration
  syntax).  Perhaps operators of these implementations use some
  conversion tools form the "standard" RPZ policies to its internal
  form, but that's obviously inconvenient.  Standardizing the spec
  more officially eventually leads to unified configuration (at least
  in concept) to eliminate the need for such a tool, but it would
  require changes to other existing implementations anyway.  Then it
  would be far better to develop a better form of policy
  representation from the beginning.

- If this is to be published as an IETF standard (even if
  "informational") and especially as a product of the dnsop wg, I
  believe it should contain more DNSSEC-related considerations.  The
  current situation is either
  + validly DNSSEC-signed responses bypass RPZ policies (when
    'break-dnssec' is set to no), or
  + 'break-dnssec' is enabled, and it would currently confuse
    validating stub resolvers
  As long as this wg hopes to see more such stub resolvers deployed
  (I'm assuming so), any of its protocol work should IMO help such
  deployment rather than hinder it.

- I know the above points are about to be dismissed with "these are
  out of scope of this doc; it just describes what is currently
  deployed".  And that's exactly another big concern of mine,
  especially because I heard the adoption of this draft would be
  similar to that of edns-client-subnet.  At that time several wg
  participants including myself raised unclear or ambiguous points of
  the spec, some of which were based on attempts of implementing it.
  Sadly, though, many of them were effectively silenced with the
  excuse of "not in scope".  Another excuse at that time was that
  there would be another standard truck doc to fix these issues, but,
  as quite predictably, people seem to have lost interest/energy once
  the RFC was published and there doesn't seem to be any attempt of
  revising the spec.  I've already sensed the same thing could happen
  for draft-vixie-dns-rpz from the adoption discussions on this list,
  and I don't like to see it actually happen.  To be clear, "really
  just describing what is currently deployed" is fine for me.  But my
  lesson from edns-client-subnet it can't well coexist with the intent
  of having more interoperable implementations.  If the intent is
  purely former, then it's better to publish it somewhere else; if our
  intent is to promote interoperability starting with the spec and
  lessons of existing deployment, we should be willing to change the
  current spec.

JINMEI, Tatuya