[DNSfirewalls] Fwd: New Version Notification for draft-vixie-dns-rpz-01.txt

Vernon Schryver vjs at rhyolite.com
Fri Oct 21 17:14:49 UTC 2016


> To: dnsfirewalls at lists.redbarn.org
> From: Anne Bennett <anne at encs.concordia.ca>

> Typo: overriden -> overridden

thanks.

> I still find the "Name Length" section confusing.  I looked at
> section 6.1 of RFC 4034, which defines a "canonical ordering",
> but doesn't use the terminology "smaller" or "bigger".  Also,
> I don't think that "a label that is a prefix of a second label"
> correctly expresses what I'm pretty sure is meant.  For example,
> "x.y" is a prefix of "x.y.z", and I'm sure that we *don't*
> mean to compare those, but rather we want to compare "x.y.z"
> and "y.z", neither of which "is a prefix of" the other, but
> one of which results from adding a prefix to the other.
>
> So I'd like to propose something like:
>
>   [...] choose the policy that matches the most specific
>   domain name.  For example, "x.y.z" is more specific than "y.z".

I tried to say something shorter and less formal than section 6.1
of RFC 4034, but that DNSSEC "Canonical DNS Name Order" is what is
going on.  Would it be better to say no more than "DNSSEC canonical
name order; see section 6.1 of RFC 4034"?  Or copy the RFC 4034 text?

> Having proposed the above, though, I have two questions:
>
>   - Should "BLAH.y.z" not be considered more specific (and
>     a better match) than the wildcard "*.y.z", regardless of
>     whether the asterisk sorts lexicographically before or after
>     "BLAH"?

Those trigger precedence rules were less about specificity than
making the rpz results well defined in the mathematical sense
or deterministic in the computer science sense.

The domain names from the triggering requests instead of the triggers
themselves are what are being ordered.  There are no wildcards in
request QNAMEs or among relevant NS domains.

>   - Are there any other cases where names of equal specificity
>     could both match a QNAME or NSDNAME policy?  If not, we
>     could avoid the complexity of referring to and summarizing
>     the canonical sort order at all.

There is only one qname (in each CNAME resolution iteration),
and so there can't be 2 domain names matching a single QNAME rule.
However, there are usually many NS names and the choice among them
must be deterministic for a constant set of NS domain names.
(The set of NS domain names for a target domain name is not constant,
especially for the sort of requests that rpz should rewrite).


vjs
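The exchange above turns on what "DNSSEC canonical name order" (RFC 4034 section 6.1) actually yields for the names under discussion. The following is an added illustration, not code from the draft, from Vernon or from Anne: it implements the RFC 4034 ordering (labels compared from the rightmost label leftwards as unsigned octet strings, US-ASCII uppercase folded to lowercase, a missing label sorting before any present label) and applies it to a constructed set of NS names so that the choice among them does not depend on the order in which they arrived. The function names and the "most specific" rule (more labels win, canonical order as tie-break, mirroring Anne's proposal) are assumptions made for this example, not rules stated in the draft; names are assumed to be plain dotted hostnames without RFC 1035 escape sequences.

```python
"""Canonical DNS name order per RFC 4034 section 6.1, applied to sets of
request-side names (QNAME or NS names) so that a choice among them is
deterministic.  Added example; not part of the draft or the thread."""


def canonical_key(name: str) -> tuple:
    """Sort key implementing RFC 4034 section 6.1.

    Labels are compared starting from the most significant (rightmost)
    label, as unsigned octet strings, with uppercase US-ASCII folded to
    lowercase.  Python tuple and bytes comparison already makes a shorter
    prefix sort first, which matches "absence of an octet sorts before a
    zero value octet".  Assumption: plain dotted hostnames; \\DDD escapes
    from RFC 1035 are not parsed here.
    """
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    # bytes.lower() folds only ASCII letters, which is what the RFC asks for.
    return tuple(lbl.encode("ascii").lower() for lbl in reversed(labels))


def canonical_sort(names) -> list:
    """Return the names in RFC 4034 canonical order (smallest first)."""
    return sorted(names, key=canonical_key)


def choose_by_canonical_order(names) -> str:
    """Deterministic pick: the canonically smallest name in the set.

    Assumption for illustration only: which end of the order RPZ prefers
    is the draft's business; the point shown here is that the result is
    the same whatever order the NS names were delivered in.
    """
    return canonical_sort(set(names))[0]


def most_specific(names) -> str:
    """Anne's proposed wording: prefer the name with more labels
    ("x.y.z" over "y.z"); break ties with canonical order.  Assumed rule,
    not the draft's text."""
    return min(names, key=lambda n: (-len(canonical_key(n)), canonical_key(n)))


if __name__ == "__main__":
    # Constructed sample names; the first list follows the RFC 4034 example.
    rfc_style = ["z.example", "a.example", "example", "Z.a.example",
                 "*.z.example", "zABC.a.EXAMPLE"]
    print("canonical order:", canonical_sort(rfc_style))

    # The wildcard question from the thread: '*' is 0x2A and 'b' is 0x62,
    # so "*.y.z" sorts before "BLAH.y.z" in canonical order.
    print("BLAH.y.z sorts after *.y.z:",
          canonical_key("BLAH.y.z") > canonical_key("*.y.z"))

    # Constructed NS set for one target; delivery order varies per response,
    # the chosen name does not.
    ns_set = ["ns2.example.net", "ns1.example.net", "ns1.example.com"]
    print("chosen:", choose_by_canonical_order(ns_set),
          choose_by_canonical_order(list(reversed(ns_set))))
    print("most specific of x.y.z / y.z:", most_specific(["y.z", "x.y.z"]))
```

The RFC-style list shows the two properties the thread relies on: "example" sorts before "a.example" because a missing label sorts before any present label, and "Z.a.example" sorts before "zABC.a.EXAMPLE" because the case-folded label "z" is a prefix of "zabc". The wildcard check confirms Anne's observation that the asterisk sorts before "BLAH" purely on octet value, which is why Vernon notes that the ordering is applied to names from the request (which contain no wildcards) rather than to the triggers.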
