[DNSfirewalls] Fwd: New Version Notification for draft-vixie-dns-rpz-01.txt
Anne Bennett
anne at encs.concordia.ca
Mon Oct 24 22:20:54 UTC 2016
Vernon,
>> I don't think I'd copy the entire RFC 4034 text (it's rather
>> long), but since it's necessary to refer to that sort order,
>> then since RFC 4034 doesn't define "smaller", we might have
>> to resort to "the one that comes last" in that sort order.
>
> So you prefer replacing "smaller" and "larger" with something about
> "earlier" and "later in the DNSSEC canonical order"? And similarly
> for "smallest" and "largest"?
Yes, something like that.
> To me "early" sounds fuzzy and a little informal.
If RFC 4034 section 6 used terms such as "smaller" and "larger" I'd
have no issue, but the only language I can find in that section is:
- "example" sorts first, followed by names ending in "a.example"
- the absence of an octet sorts before a zero octet
So we have first (last), and before (after). The best match I can
think of to that language is earlier/later, but perhaps someone else
has an idea for something better. I don't think that "smaller/larger"
is clear in this context, or at least, it wasn't to me.
>> That is, while a query or a client IP address is a single
>> entity, it can match multiple policies. But for the other
>> three trigger types, we can have multiple responses, each of
>> which could in turn match multiple triggers.
>
> That's the purpose of the precedence rules. Given the set of
> all rules that are triggered by a DNS response, consistently pick one.
All rules triggered by a DNS *response*, okay. I think that here:
> I agree that there should be text somewhere saying that the fundamental
> trigger lookup scheme is the familiar DNS matching scheme including
> the odd but unavoidable oddities of zone wildcards. That is why
> rules are usually doubled, as in having both example.com and
> *.example.com to catch both example.com and any child of example.com.
... you're pointing out that during a lookup, the familiar DNS
matching scheme applies, but when a lookup results in
multiple answers that themselves require further lookups, then
those answers are sorted in DNSSEC canonical order, and processing
continues on them (depth first?) until a match occurs.
I'm re-reading the entire draft to try to understand this idea of
precedence of matches versus "familiar scheme" lookups, and to see if
there's any text I could suggest to make it easier for the first-time
reader to understand it. This re-reading is bringing up more comments
and questions, which I'll send separately.
Meanwhile, I want to keep track of your answer to my example; I'll
come back and work through it again once I've finished my re-reading.
The rest is just a quote of the example; you can stop reading here.
>> Say we had these policies (all in the same RPZ), which I show
>> in Canonical DNS Name Order:
>>
>> *.dom.ain.rpz-nsdname CNAME walled-garden-a.example.net.
>> ns4.aaa.dom.ain.rpz-nsdname CNAME walled-garden-b.example.net.
>> *.bbb.dom.ain.rpz-nsdname CNAME walled-garden-c.example.net.
>> ns3.bbb.dom.ain.rpz-nsdname CNAME walled-garden-d.example.net.
>>
>> and we queried for the A record for "bad.example.com", where
>> "example.com" had NS records "ns1.example.com", "ns2.dom.ain",
>> "ns3.bbb.dom.ain", and "ns4.aaa.dom.ain". In this case,
>> three of the four NS records match policy rules, and at least
>> one of them matches two policy rules (possibly two of them,
>> *see below). Here I show the actual NS records (responses)
>> in Canonical DNS Name Order, then each group of matches itself
>> in Canonical DNS Name Order:
>>
>> ns4.aaa.dom.ain matches *.dom.ain.rpz-nsdname (?)
>> ns4.aaa.dom.ain and matches ns4.aaa.dom.ain.rpz-nsdname
>>
>> ns3.bbb.dom.ain matches *.dom.ain.rpz-nsdname (?)
>> ns3.bbb.dom.ain and matches *.bbb.dom.ain.rpz-nsdname
>> ns3.bbb.dom.ain and matches ns3.bbb.dom.ain.rpz-nsdname
>>
>> ns2.dom.ain matches *.dom.ain.rpz-nsdname
>>
>> ns1.example.com no match
>>
>> So the last match among the responses is "ns2.dom.ain", but
>> the last match among the triggers is "ns3.bbb.dom.ain";
>> which should take precedence?
>
> In normal DNS matching, wildcards are ignored when there is a
> specific match, and so the first 3 wildcard triggers are implicitly
> excluded while ns4.aaa.dom.ain and ns3.bbb.dom.ain are being sought
> in the policy zone database.
>
> The DNSSEC canonical order puts
> ns4.aaa.dom.ain < ns3.bbb.dom.ain < ns2.dom.ain
> ain.dom.aaa.ns4 < ain.dom.bbb.ns3 < ain.dom.ns2
> ain.dom.aaa < ain.dom.bbb < ain.dom.ns2
> and so the winning rule is triggered by ns4.aaa.dom.ain
Anne.
--
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
anne at encs.concordia.ca +1 514 848-2424 x2285
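The precedence computation discussed in this exchange, as an added example that is not code from the draft, the thread, or any resolver: it implements the RFC 4034 section 6.1 canonical name order and applies it to the rpz-nsdname policies and NS names quoted above. The wildcard step (exact owner first, then the wildcard at the closest enclosing name) is a simplified model of DNS wildcard matching assumed here for illustration.

```python
from typing import Optional, Sequence

# Policy triggers from the thread's example; the ".rpz-nsdname" suffix is implied.
POLICIES = {
    "*.dom.ain": "walled-garden-a.example.net.",
    "ns4.aaa.dom.ain": "walled-garden-b.example.net.",
    "*.bbb.dom.ain": "walled-garden-c.example.net.",
    "ns3.bbb.dom.ain": "walled-garden-d.example.net.",
}

# NS names from the example response, deliberately listed out of order.
NS_NAMES = ["ns1.example.com", "ns2.dom.ain", "ns3.bbb.dom.ain", "ns4.aaa.dom.ain"]


def canonical_key(name: str) -> tuple:
    """RFC 4034 s6.1 sort key: compare labels from the most significant
    (rightmost) label, case-insensitively, as octet strings. Tuple/bytes
    comparison already makes an absent label or octet sort before any present one."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode("ascii") for label in reversed(labels))


def canonical_sort(names: Sequence[str]) -> list:
    """Return the names in DNSSEC canonical order (earliest first)."""
    return sorted(names, key=canonical_key)


def match_policy(name: str) -> Optional[str]:
    """Trigger for one NS name: an exact owner beats any wildcard; otherwise
    the wildcard at the closest enclosing name applies (simplified DNS rule)."""
    if name in POLICIES:
        return name
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in POLICIES:
            return candidate
    return None


def winning_trigger(ns_names: Sequence[str]) -> Optional[str]:
    """Precedence rule from the thread: among NS names that hit a policy,
    the one earliest in canonical order decides which trigger fires."""
    hits = [(n, match_policy(n)) for n in ns_names if match_policy(n) is not None]
    if not hits:
        return None
    _name, trigger = min(hits, key=lambda h: canonical_key(h[0]))
    return trigger  # "ns4.aaa.dom.ain" for NS_NAMES
```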