[RPZ] RPZ vs. bogus DNS
vjs at rhyolite.com
Sat Jul 16 00:51:22 UTC 2011
What should happen if bad data is encountered while checking for
NSIP or NSDNAME RPZ rewriting?
A single tainted NS IP address or domain among all of the RRsets for
a domain and its parents taints (rewrites) the domain. For example,
given a query about evil.sub.domain.tld and

    domain.tld.     NS  ns.domain.tld.
    ns.domain.tld.  A   10.1.2.3

and either of these RPZ rules:

    ns.domain.tld.rpz-nsdname  CNAME  wgarden.example.com
    32.3.2.1.10.rpz-nsip       CNAME  wgarden.example.com

would give an answer to the original query of

    evil.sub.domain.tld  CNAME  wgarden.example.com

My question concerns what should happen in that example if there
were another NS record for domain.tld that is bad in any of the
many ways that bogusity can happen, including a name that cannot be
resolved into an A or AAAA record.
In other words, should a bogus authority taint or force RPZ rewriting?
When bogusity is innocent, it would be good that a single bad record
or crazed DNS server is ignored for RPZ rewriting. Maybe not when
the bogusity is malign.
That conflict implies that no single answer would make all RPZ users
happy. So I'm wondering whether a rule or RRset for rpz-nsip should match
the missing IP address? As in

    rpz-nsip  CNAME  wgarden.example.com

If too few would use that rule because of the false positives,
then the answer is no.
I think this is unrelated to lame delegations and to the (re)validating
discussed in http://tools.ietf.org/html/draft-vixie-dnsext-resimprove-00
A single bad authority among valid authorities does not normally invalidate
a domain.
Vernon Schryver vjs at rhyolite.com
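To make the question concrete, here is a small added simulation (not code from the post or from any RPZ implementation) of the NSIP/NSDNAME check described above. It walks the query name and its parents, encodes each authority's address as a reversed-octet rpz-nsip trigger, and exposes the open question as a flag: whether an authority with no resolvable address should match a bare "rpz-nsip" rule. The zone data, the ns2 name and exact-match-only lookup are constructed simplifications.

```python
# Constructed zone data mirroring the post's example. ns2.domain.tld. has no
# A/AAAA record, so it stands in for a "bogus" authority.
ZONE = {
    "domain.tld.": {"NS": ["ns.domain.tld.", "ns2.domain.tld."]},
    "ns.domain.tld.": {"A": ["10.1.2.3"]},
}

# RPZ rules from the post: trigger owner name -> rewrite target.
RPZ = {
    "ns.domain.tld.rpz-nsdname": "wgarden.example.com",
    "32.3.2.1.10.rpz-nsip": "wgarden.example.com",
}


def nsip_trigger(ipv4):
    """Encode an IPv4 address as a /32 rpz-nsip trigger: prefix length,
    then the octets in reverse order (10.1.2.3 -> 32.3.2.1.10.rpz-nsip)."""
    octets = ipv4.split(".")
    return "32." + ".".join(reversed(octets)) + ".rpz-nsip"


def parents(qname):
    """Yield qname and each of its parent domains, longest first."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


def rpz_check(qname, zone=ZONE, rpz=RPZ, bogus_taints=False):
    """Return the rewrite target for qname, or None if no authority of
    qname or its parents matches an NSDNAME or NSIP trigger.
    bogus_taints=True implements the post's hypothetical: an NS name with
    no address matches a bare 'rpz-nsip' rule. A single tainted authority
    is enough; unresolvable ones are otherwise ignored."""
    for name in parents(qname):
        for ns in zone.get(name, {}).get("NS", []):
            nsdname = ns.rstrip(".") + ".rpz-nsdname"
            if nsdname in rpz:
                return rpz[nsdname]
            addrs = zone.get(ns, {}).get("A", [])
            if not addrs and bogus_taints and "rpz-nsip" in rpz:
                return rpz["rpz-nsip"]
            for addr in addrs:
                trigger = nsip_trigger(addr)
                if trigger in rpz:
                    return rpz[trigger]
    return None
```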