IETF Logo Mail Archive

Re: [DNSOP] proposal: Covert in-band zone data

Joe Abley <jabley@hopcount.ca> Fri, 02 August 2019 20:31 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 903261207F3 for <dnsop@ietfa.amsl.com>; Fri, 2 Aug 2019 13:31:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eDWkvO8f2P-e for <dnsop@ietfa.amsl.com>; Fri, 2 Aug 2019 13:31:26 -0700 (PDT)
Received: from mail-io1-xd44.google.com (mail-io1-xd44.google.com [IPv6:2607:f8b0:4864:20::d44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29DF2120838 for <dnsop@ietf.org>; Fri, 2 Aug 2019 13:31:25 -0700 (PDT)
Received: by mail-io1-xd44.google.com with SMTP id h6so29727134iom.7 for <dnsop@ietf.org>; Fri, 02 Aug 2019 13:31:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=oo7NHwFiT2UxGsgtY02d3W5QnaSSRPFW9ExU5JZSLbQ=; b=eIgHTb/gwf/JSU1C3WrHTXevuN1ukA0XGNpOMiQC9bLsm6nd/1sFbcg0bVzRBJQTnF kNQYHTtzjy9DCUQcnEfpeOsnOlF91Hz0gneyTO6H1JazZwXSLkSzgHDWGgBZ50F71YB/ blmh6xpKqPmzZckqEIFOuUpZIGqpgUqk6c8sk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=oo7NHwFiT2UxGsgtY02d3W5QnaSSRPFW9ExU5JZSLbQ=; b=YL1NpoQTiolWrQIwCEJBW+2vbA39986j8zEGqBUBG4/eoSVfKjlu1x05qil3Cckt5T kfl58Q760Wt5djjbuLJtOFgb2kingklDwUNQMJ1G5Tbi5V69jdwsRnewH8VoZOWVvWTG 4xTZP4pivlgnEoazPjW+Wcg6MbJAsTwHEXKJiERjG42k15M+1gcvGi62UAhaBk+FUPvc /qQlsvBQkKHLe9hDbI9LFQlp/v/wThRdZhQhaqHmP6Hwf8xRTc35i96GCssgvaLDRzqz v2lwmUGVUHGr958doE3vL6hw4sEOCj+hjfHDTrajgilRHUUOiTuAoMK+/bosHK0KIaAN tChg==
X-Gm-Message-State: APjAAAVnEHZ+AlLq8LaW4o/XzgrzelnmJ/Kjvq5KKYbyb0yWQ3FydWKd cp4jnz4WeWOsc4x3IXcPlS4=
X-Google-Smtp-Source: APXvYqxs9MaKCD10VmKJUBa/EzRiuQc8GHSg8Oinkuh7U5cqJRsAFR7+PGZwweyzNwr4KvbSQQu8dg==
X-Received: by 2002:a6b:f910:: with SMTP id j16mr6129234iog.256.1564777884159; Fri, 02 Aug 2019 13:31:24 -0700 (PDT)
Received: from [192.168.1.50] (24-246-23-138.cable.teksavvy.com. [24.246.23.138]) by smtp.gmail.com with ESMTPSA id l5sm136336807ioq.83.2019.08.02.13.31.22 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 02 Aug 2019 13:31:23 -0700 (PDT)
From: Joe Abley <jabley@hopcount.ca>
Message-Id: <EE11FD7B-2396-4736-8497-59D301D093EB@hopcount.ca>
Content-Type: multipart/signed; boundary="Apple-Mail=_4732B614-E834-4F24-8A6D-FAB7030397A5"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Fri, 02 Aug 2019 16:31:21 -0400
In-Reply-To: <CA+nkc8CxQ_sn36GKRGSAR5xthn0d2vEEGzpa==Y5__8Wg34Siw@mail.gmail.com>
Cc: Witold Krecicki <wpk@isc.org>, Paul Ebersman <list-dnsop@dragon.net>, dnsop <dnsop@ietf.org>
To: Bob Harold <rharolde@umich.edu>
References: <20190706213024.GA56650@isc.org> <alpine.BSF.2.21.9999.1907221704030.7062@bikeshed.isc.org> <CAN6NTqymm6+OMet0sMZC0Ms5E_5mj_nwONk3fR19HwgWXYNB4Q@mail.gmail.com> <alpine.LRH.2.21.1907251332070.10708@bofh.nohats.ca> <20190725183051.33DA315BFD9D@fafnir.remote.dragon.net> <alpine.BSF.2.21.9999.1907301916050.7062@bikeshed.isc.org> <20190730200859.A424215E6AD4@fafnir.remote.dragon.net> <alpine.BSF.2.21.9999.1907302009500.7062@bikeshed.isc.org> <20190730201628.1496015E6BFA@fafnir.remote.dragon.net> <2b2a0e4d-3720-b88c-6377-195117896e8f@isc.org> <20190802143247.A9E251601056@fafnir.remote.dragon.net> <91c0669e-66b5-05d6-d788-59aea804a13e@isc.org> <3CBF15C5-8378-45B5-BF25-ACB014A2788D@hopcount.ca> <0eb7b1db-33d8-f776-02f6-2e4a722b96b1@isc.org> <B3880E2C-5EE4-4B7F-A591-B76DC8CC9C10@hopcount.ca> <CA+nkc8CxQ_sn36GKRGSAR5xthn0d2vEEGzpa==Y5__8Wg34Siw@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/yaIqsq3n8IRT3PFAma7V3cwqNzQ>
Subject: Re: [DNSOP] proposal: Covert in-band zone data
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Aug 2019 20:31:33 -0000

On 2 Aug 2019, at 15:30, Bob Harold <rharolde@umich.edu> wrote:

> I just had what might be a crazy idea.
> What if the covert data was encrypted, and could be transferred normally, but only someone with the key could read it?
> It could then be put in a new record or in TXT records.
> Requires a tool (script) to read/write it, but no changes to the DNS servers.
> Does that make any sense?

To my eye (such as it is) Olafur is on the right track with this. This is a provisioning problem, not a DNS problem.

I think it makes more sense to consider the zone as just one parameter in a DNS workload; other parameters like master servers, zone-specific configuration, NOTIFY lists, etc are additional parameters. Together they make up a blob of DNS provisioning workload. I think the ability to include RRSet metadata (comments, change history, authorisation, data provenance, whatever) in such a blob is most simply a further deconstruction of the "zone" member of that blob.

I do see the benefits of standardising DNS provisioning in general. I would love to be able to have a standard mechanism to add a blob such as that imagined above to an anycast cloud of authoritative DNS servers, for example, instead of having to jump through provider-specific flaming hoops of tickets and APIs.


Joe

v2.23.0 | Report a Bug | By Email