[RPZ] RPZ behavior in the presence of DNSSEC signatures and DO=1 queries

Tue Jan 3 00:09:59 UTC 2012

On Mon, Jan 02, 2012 at 11:53:07PM +0000, Vernon Schryver wrote:
> > From: Bill Owens <owens at nysernet.org>
> 
> > A little while ago I wrote a blog article making a skeptical comparison
> > between RPZ and PROTECT-IP. Paul Vixie commented on it, offering two
> > points about the differences between them - the very real difference
> > that one is voluntary and the other mandatory, which I completely agree
> > with, and a statement that "RPZ stands aside whenever it sees a
> > DNSSEC-aware client trying to access DNSSEC-signed data".
> 
> "Stands asside" is not quite right and should not be.  What good
> would a security mechanism be if it were disabled when clients ask
> for more security?

That's exactly the point I was expecting to make in my yet-to-be-finished article. RPZ, having been written by people who actually understand DNS, would naturally not interfere with DNSSEC. In that way it is distinguished from PROTECT-IP and SOPA (and now the new French decree). But that also means RPZ is a short-term fix, because the deployment of DNSSEC is accelerating (we hope), and once enough hosts are sending DO=1 queries, the bad guys will only have to sign their zones in order to evade RPZ blocking.

> What happens with RPZ filtering of DNSSEC-signed data is that RPZ
> rewritten results fail DNSSEC validation.  A DNSSEC checking DNS client
> will get no real or DNSEC validated answers, including NOERROR or
> NXDOMAIN.  DNS clients including browsers subject to RPZ filtering are
> informed via DNSSEC that RPZ filtering has happened.  Try it with a
> browser that checks DNSSEC, such as Firefox+DNSSEC Validator.

I tried it with dig, and that was enough to convince me ;)

> Contrast that with PROTECT-IP.  Never mind the gibberish of PROTECT-IP
> advocates.  They simply could not get a noticable number of nonauthoritative
> DNS servers to do anything about their forbidden DNS names; they'd
> have to change recource records in the DNS registeries.  Bogus RRs can
> be as easily signed with secret police keys as honest RRs can be signed
> with the owner's keys.  With PROTECT-IP, you won't be able tell whether
> the NSEC or NSEC3 validating NXDOMAIN or the DNSSEC validating A or
> AAAA records have been sanitized.

I believe that 'they' can already get US-based registries to change names; the problem is with registries outside the jurisdiction of existing laws. Their answer is of course to push on things that are within US jurisdiction, like resolvers at US ISPs, credit card processors, etc. If you can make a domain name disappear, or redirect to a splash page indicating that it's been seized, that's certainly the easiest way (and not at all incompatible with DNSSEC - just remove the DS record while you're at it). 

Bill.