Re: [DNSOP] Filtering and DNSSEC
Paul Vixie <paul@redbarn.org> Thu, 25 November 2021 17:25 UTC
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B08483A0C2D; Thu, 25 Nov 2021 09:25:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.951
X-Spam-Level:
X-Spam-Status: No, score=-3.951 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-1.852, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redbarn.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NwgRDp70hAXe; Thu, 25 Nov 2021 09:25:50 -0800 (PST)
Received: from util.redbarn.org (util.redbarn.org [24.104.150.212]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9ECF03A0CFF; Thu, 25 Nov 2021 09:25:39 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by util.redbarn.org (Postfix) with ESMTPS id 3317E1B2462; Thu, 25 Nov 2021 17:25:37 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=redbarn.org; s=util; t=1637861137; bh=JpeLEhvqy4HmJrEKW2mT7vGQ0u28pyfrLvzqhkyjsJU=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=bqeNeJUvMWq8l0gyWLUAz71Cgt1+ppa1AHTQ/QP8blRv4pDUWOx/AKgDJ0Dq6CxV+ KjGpxgJr4Y45lBsjGg330WlHLhEqW/LR/nOUNKtxqC9PHgZTDFZLmMLDNTFvcw3nNA 1Gk2R5XZqQ7cf+5U7x1mgHd6sen7Cop8Wfj0hA/E=
Received: from [IPv6:2001:559:8000:c9:f065:c89a:99f4:2ace] (unknown [IPv6:2001:559:8000:c9:f065:c89a:99f4:2ace]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id EC6267597E; Thu, 25 Nov 2021 17:25:36 +0000 (UTC)
To: DNSOP WG <dnsop@ietf.org>
Cc: draft-wing-dnsop-structured-dns-error-page@ietf.org
References: <4dc9b976-cc1c-d0a6-0352-06db19e42068@nic.cz> <D9B13846-F7B3-4402-9363-8E8036F0E4B2@nohats.ca>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <34afe362-24b9-789e-ff25-22882f689ef7@redbarn.org>
Date: Thu, 25 Nov 2021 09:25:37 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/7.0.52
MIME-Version: 1.0
In-Reply-To: <D9B13846-F7B3-4402-9363-8E8036F0E4B2@nohats.ca>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/yL0yOwBGbzTxjKtjFjxWKXcym2U>
Subject: Re: [DNSOP] Filtering and DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Nov 2021 17:25:54 -0000
SERVFAIL is often taken as a signal to try other servers for the delegation point or some other recursive server. when recursive server policy has trampled an answer, it is meant to be about the data, not the server. so SERVFAIL is both operationally and syntactically wrong here. as an example, DNS RPZ will be default pass through any DNSSEC-signed response, but it can be overridden with an option called "break dnssec" or similar. neither passing it through or breaking the signatures is desirable, but we kicked that can down the road. in the years since DNS RPZ was made, i've realized that authoritarian network operators including authoritarian national governments are not well served by DNS RPZ in its current form. what we (and they) need is a way to include the original answer and also a server-level signature on the policy-trampled answer. this way we (and they) can watch what the stub does next -- which answer it consumes -- and therefore know whether the policy (or the law) is being abrogated, so as to trigger an enforcement action. probably this just means packing the original answer and the policy signature into EDNS in some way. but the response itself will have to have the policy-trampled answer and rcode (likely NXDOMAIN but not always.) vixie
- [DNSOP] updated to draft-wing-dnsop-structured-dn… Dan Wing
- Re: [DNSOP] updated to draft-wing-dnsop-structure… Petr Špaček
- Re: [DNSOP] updated to draft-wing-dnsop-structure… Vittorio Bertola
- Re: [DNSOP] updated to draft-wing-dnsop-structure… Stephane Bortzmeyer
- Re: [DNSOP] updated to draft-wing-dnsop-structure… Stephane Bortzmeyer
- Re: [DNSOP] updated to draft-wing-dnsop-structure… Ben Schwartz
- Re: [DNSOP] updated to draft-wing-dnsop-structure… Petr Špaček
- Re: [DNSOP] updated to draft-wing-dnsop-structure… Petr Špaček
- Re: [DNSOP] updated to draft-wing-dnsop-structure… Eric Orth
- Re: [DNSOP] updated to draft-wing-dnsop-structure… tirumal reddy
- Re: [DNSOP] updated to draft-wing-dnsop-structure… tirumal reddy
- Re: [DNSOP] updated to draft-wing-dnsop-structure… Neil Cook
- Re: [DNSOP] updated to draft-wing-dnsop-structure… Eric Orth
- Re: [DNSOP] Filtering and DNSSEC Paul Wouters
- Re: [DNSOP] Filtering and DNSSEC Vladimír Čunát
- Re: [DNSOP] Filtering and DNSSEC Paul Vixie
- Re: [DNSOP] Filtering and DNSSEC Paul Wouters
- Re: [DNSOP] Filtering and DNSSEC Paul Vixie