Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz
神明達哉 <jinmei@wide.ad.jp> Mon, 09 January 2017 21:23 UTC
In-Reply-To: <CADyWQ+ETSd199ok0fgh=PB=--hW7buPgSoCg22aK51Bk4xxBmw@mail.gmail.com>
References: <CADyWQ+ETSd199ok0fgh=PB=--hW7buPgSoCg22aK51Bk4xxBmw@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
Date: Mon, 09 Jan 2017 13:23:41 -0800
Message-ID: <CAJE_bqdpOcGbE8sU92MyJdR2-oH5apT4HXmtApODz4Nap2vw1w@mail.gmail.com>
To: tjw ietf <tjw.ietf@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xB7TDKBHmsJYZ5wmxdQ_jgHI-1w>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz
On Tue, Dec 20, 2016 at 7:16 AM, tjw ietf <tjw.ietf@gmail.com> wrote:

> The draft is being presented as "Informational", and the point here is to
> document current working behavior in the DNS (for the past several years).
> It is obvious that some feel this draft is a large mistake, but like
> edns-client-subnet, more operators are deploying this than one is aware of.
>
> This starts a Call for Adoption for draft-vixie-dns-rpz
>
> The draft is available here:
> https://datatracker.ietf.org/doc/draft-vixie-dns-rpz/
>
> Please review this draft to see if you think it is suitable for adoption by
> DNSOP, and comments to the list, clearly stating your view.

I'm still reading the 04 version of draft-vixie-dns-rpz and intending to make comments on it later, but I'd like to respond to the call first: I do not think it's suitable for dnsop to adopt the draft in its current form, with the intent of "just describing currently deployed practice", and (as I guess) with the intent of eventually publishing it as an (Informational) RFC.

But I think the document itself is very useful, so it would be nice if it's made more publicly available in other form, e.g., some white-paper kind or at a popular blog site. If the adoption means polishing the document for that goal (although I don't think it's the intent for this call), I'd support it.

Also, if we're really willing to work on a "standard, interoperable DNS firewall specification" without worrying about substantially changing the current practice/implementation, and if the adoption means the first step for that goal (and so the final publication could be totally different and may not be compatible with the existing standard), then I'd support it. But, again, I suspect that's not the intent of this call.

Some more specific rationale for this opinion below:

- As I believe most people, and perhaps including the draft authors or RPZ implementations, agree, it's an ugly hack to use the standard DNS zone to represent the firewall rules. It might have been a convenient way to implement the idea initially (e.g., we can use the zone transfer behavior to distribute the rules), but I don't see an essential reason why these are represented as DNS RRs. And, (again as I believe everyone knows) it's not just ugly but also has some inherent flaws, such as that not all domain names can be represented due to the length limitation. In fact, not all existing implementations of RPZ-like features use this form as the primary way of rule configuration (unbound is one example I happen to know of, and from a quick look knot resolver also seems to adopt its own configuration syntax). Perhaps operators of these implementations use some conversion tools from the "standard" RPZ policies to their internal form, but that's obviously inconvenient. Standardizing the spec more officially eventually leads to unified configuration (at least in concept) to eliminate the need for such a tool, but it would require changes to other existing implementations anyway. Then it would be far better to develop a better form of policy representation from the beginning.

- If this is to be published as an IETF standard (even if "informational") and especially as a product of the dnsop wg, I believe it should contain more DNSSEC-related considerations. The current situation is either
  + validly DNSSEC-signed responses bypass RPZ policies (when 'break-dnssec' is set to no), or
  + 'break-dnssec' is enabled, and it would currently confuse validating stub resolvers
  As long as this wg hopes to see more such stub resolvers deployed (I'm assuming so), any of its protocol work should IMO help such deployment rather than hinder it.

- I know the above points are about to be dismissed with "these are out of scope of this doc; it just describes what is currently deployed". And that's exactly another big concern of mine, especially because I heard the adoption of this draft would be similar to that of edns-client-subnet. At that time several wg participants including myself raised unclear or ambiguous points of the spec, some of which were based on attempts at implementing it. Sadly, though, many of them were effectively silenced with the excuse of "not in scope". Another excuse at that time was that there would be another standards-track doc to fix these issues, but, quite predictably, people seem to have lost interest/energy once the RFC was published and there doesn't seem to be any attempt at revising the spec. I've already sensed the same thing could happen for draft-vixie-dns-rpz from the adoption discussions on this list, and I don't like to see it actually happen.

To be clear, "really just describing what is currently deployed" is fine for me. But my lesson from edns-client-subnet is that it can't well coexist with the intent of having more interoperable implementations. If the intent is purely the former, then it's better to publish it somewhere else; if our intent is to promote interoperability starting with the spec and lessons of existing deployment, we should be willing to change the current spec.

--
JINMEI, Tatuya
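The post's first point is that encoding firewall rules as DNS records means some domain names cannot be expressed: an RPZ QNAME trigger is the target name with the policy zone's apex appended, so a name that is legal on its own can push the combined owner name past the 255-octet wire-format limit. The following is an added illustration, not code from this message, from the RPZ draft, or from any resolver: a small Python encoder that turns (qname, action) rules into zone-file lines and reports the rules that cannot be encoded. The policy-zone name `rpz.example`, the sample rules and the long name are constructed for the example; the CNAME targets follow the RPZ draft's convention for its policy actions.

```python
"""Encode RPZ-style QNAME trigger rules as DNS zone records and report the
names that cannot be encoded because qname + policy-zone apex exceeds the
DNS name length limit.  Added example; policy zone and rules are constructed.
"""

MAX_LABEL_OCTETS = 63
MAX_NAME_OCTETS = 255   # wire format: one length byte per label + label octets + root label

# Policy actions encoded as CNAME targets, following the RPZ draft's convention.
ACTIONS = {
    "nxdomain": ".",
    "nodata": "*.",
    "passthru": "rpz-passthru.",
    "drop": "rpz-drop.",
    "tcp-only": "rpz-tcp-only.",
}


def labels(name):
    """Split a presentation-format name into labels, ignoring the trailing dot."""
    stripped = name.rstrip(".")
    return stripped.split(".") if stripped else []


def wire_length(name):
    """Octets the name occupies on the wire: (len + 1) per label, plus the root label."""
    return sum(len(label) + 1 for label in labels(name)) + 1


def check_name(name):
    """Return None if the name is encodable in wire format, else the reason it is not."""
    for label in labels(name):
        if not label:
            return "empty label"
        if len(label) > MAX_LABEL_OCTETS:
            return f"label longer than {MAX_LABEL_OCTETS} octets"
    n = wire_length(name)
    if n > MAX_NAME_OCTETS:
        return f"wire length {n} exceeds {MAX_NAME_OCTETS} octets"
    return None


def qname_trigger_owner(qname, policy_zone):
    """Owner name of a QNAME trigger: the target name with the policy zone appended."""
    return f"{qname.rstrip('.')}.{policy_zone.rstrip('.')}."


def encode_rules(rules, policy_zone):
    """rules: iterable of (qname, action).  action is an ACTIONS key or an explicit
    CNAME target (walled-garden style).  Returns (zone_lines, rejected), where
    rejected holds (qname, reason) for rules that cannot be expressed as records."""
    zone_lines, rejected = [], []
    for qname, action in rules:
        owner = qname_trigger_owner(qname, policy_zone)
        reason = check_name(owner)
        if reason is not None:
            rejected.append((qname, reason))
            continue
        target = ACTIONS.get(action, action)
        zone_lines.append(f"{owner} IN CNAME {target}")
    return zone_lines, rejected


# Constructed sample input.  LONG_QNAME is 251 octets on the wire, so it is a
# legal DNS name by itself, but appending "rpz.example." makes it 263 octets.
LONG_QNAME = ".".join(["a" * 63] * 3 + ["b" * 57])
DEMO_RULES = [
    ("bad.example.com", "nxdomain"),
    ("tracker.example.net", "nodata"),
    ("phish.example", "sinkhole.example."),   # local-data override (walled garden)
    (LONG_QNAME, "nxdomain"),
]

if __name__ == "__main__":
    lines, rejected = encode_rules(DEMO_RULES, "rpz.example")
    print("\n".join(lines))
    for qname, reason in rejected:
        print(f"; cannot encode {qname[:20]}...: {reason}")
```

The rejected list is the practical check an operator wants before loading a policy feed: a rule that silently disappears because its owner name cannot be built is a gap in the firewall, which is exactly the representational flaw the message points at.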