IETF Logo Mail Archive

Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

Vernon Schryver <vjs@rhyolite.com> Thu, 17 August 2017 03:44 UTC

Return-Path: <vjs@rhyolite.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56BFE1241F5 for <dnsop@ietfa.amsl.com>; Wed, 16 Aug 2017 20:44:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R5sy0P6plSnG for <dnsop@ietfa.amsl.com>; Wed, 16 Aug 2017 20:44:08 -0700 (PDT)
Received: from calcite.rhyolite.com (calcite-v6.rhyolite.com [IPv6:2001:470:4b:581::3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8BC0413208E for <dnsop@ietf.org>; Wed, 16 Aug 2017 20:44:08 -0700 (PDT)
Received: from calcite.rhyolite.com (localhost [127.0.0.1]) by calcite.rhyolite.com (8.15.2/8.15.2) with ESMTPS id v7H3ht28051809 (CN=www.rhyolite.com version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <dnsop@ietf.org> env-from <vjs@rhyolite.com>; Thu, 17 Aug 2017 03:43:55 GMT
Received: (from vjs@localhost) by calcite.rhyolite.com (8.15.2/8.15.2/Submit) id v7H3htQn051808 for dnsop@ietf.org; Thu, 17 Aug 2017 03:43:55 GMT
Date: Thu, 17 Aug 2017 03:43:55 +0000
From: Vernon Schryver <vjs@rhyolite.com>
Message-Id: <201708170343.v7H3htQn051808@calcite.rhyolite.com>
To: dnsop@ietf.org
X-DCC-Rhyolite-Metrics: calcite.rhyolite.com; whitelist
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zuWtytOFBYXQYCg8Rvfl_bivw90>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Aug 2017 03:44:10 -0000

> From: Paul Vixie <paul@redbarn.org>

> > A network that routes requests to 8.8.8.8 to inject DNS lies will also
> > arrange to ignore or pervert any DNS-in-band tell-the-truth signaling.
> > Without access to a trustworthy resolver, tell-the-truth signaling is
> > useless because you can't trust it.
> 
> i would like to be able to know that i can't trust it, rather than
> merely assuming that i can't trust it, as happens today. if neither the
> truth nor the lie is signed, i can make a red light blink, or even go
> offline, refusing the local edition of the social compact ("if you want
> to use the internet you have to accept dns answers w/o provenance.")

By "signed" I guess you mean signed by the resolver itself with some
sort of public key (perhaps DLV, double dnssec, one of the other secure
DNS schemes, or something new) or with TSIG using a symmetric key
previously shared with the resolver.  (Having the stub verify DNSSEC
to validate the truth and turn off the red light would make the stub
a lot like a verifying resolver.)

If so, I agree that works,

but I still don't see how that is as good as two dig's with one to
a resolver trusted to give the truth.

Whenever that in-band DNS truth red light *might* blink, you'll want
a trusted resolver available so that when the light does blink your
application gets honest DNS truth or honest RPZ lies.  But with that
trusted verifying resolver you can use 2 digs and don't need the
protocol or implementation costs of inband RPZ truth and you needn't
to surmount principled IETF opposition to sanctioning RPZ.

Principled objections to RPZ cannot be answered by RPZbis including
truth with lies.  That is because an application must consistently
choose either truth or possible RPZ lies.  Choosing RPZ lies for
security and privacy defenses makes including the truth in RPZbis
answers a sham and waste of bandwidth.  On the other hand, an application
choosing truth makes the RPZ lies a waste of bandwidth.

Which gets back yet again to the only place I think RPZ belongs, which
is in a verifying resolver that you trust to do only the RPZ lying
that you want (and so where you don't need that red light except when
debugging).  All other uses of RPZ should be considered attacks on
your security and privacy.  (I think that's a short form of the agreed
words that I'm waiting to be told to add to the draft.)


Vernon Schryver    vjs@rhyolite.com

v2.23.0 | Report a Bug | By Email