[DNSfirewalls] Fwd: New Version Notification for draft-vixie-dns-rpz-01.txt
anne at encs.concordia.ca
Mon Oct 24 22:20:54 UTC 2016
>> I don't think I'd copy the entire RFC 4034 text (it's rather
>> long), but since it's necessary to refer to that sort order,
>> then since RFC 4034 doesn't define "smaller", we might have
>> to resort to "the one that comes last" in that sort order.
> So you prefer replacing "smaller" and "larger" with something about
> "earlier" and "later in the DNSSEC canonical order"? And similarly
> for "smallest" and "largest"?
Yes, something like that.
> To me "early" sounds fuzzy and a little informal.
If RFC 4034 section 6 used terms such as "smaller" and "larger" I'd
have no issue, but the only language I can find in that section is:
- "example" sorts first, followed by names ending in "a.example"
- the absence of an octet sorts before a zero octet
So we have first (last), and before (after). The best match I can
think of to that language is earlier/later, but perhaps someone else
has an idea for something better. I don't think that "smaller/larger"
is clear in this context, or at least, it wasn't to me.
>> That is, while a query or a client IP address is a single
>> entity, it can match multiple policies. But for the other
>> three trigger types, we can have multiple responses, each of
>> which could in turn match multiple triggers.
> That's the purpose of the precedence rules. Given the set of of
> all rules that triggered by a DSN response, consistently pick one.
All rules triggered by a DNS *response*, okay. I think that here:
> I agree that there should be text somewhare saying that the fundamental
> trigger lookup scheme is the familiar DNS matching scheme including
> the odd but unavoidable oddities of zone wildcards. That is why
> rules are usually doubled, as in having both example.com and
> *.example.com to catch both example.com and any child of example.com.
... you're pointing out that during a lookup, the familiar DNS
matching scheme scheme applies, but when a lookup results in
multiple answers that themselves require further lookups, then
those answers are sorted in DNSSEC canonical order, and processing
continues on them (depth first?) until a match occurs.
I'm re-reading the entire draft to try to understand this idea of
precedence of matches versus "familiar scheme" lookups, and to see if
there's any text I could suggest to make it easier for the first-time
reader to understand it. This re-reading is bringing up more comments
and questions, which I'll send separately.
Meanwhile, I want to keep track of your answer to my example; I'll
come back and work through it again once I've finished my re-reading.
The rest is just a quote of the example; you can stop reading here.
>> Say we had these policies (all in the same RPZ), which I show
>> in Canonical DNS Name Order):
>> *.dom.ain.rpz-nsdname CNAME walled-garden-a.example.net.
>> ns4.aaa.dom.ain.rpz-nsdname CNAME walled-garden-b.example.net.
>> *.bbb.dom.ain.rpz-nsdname CNAME walled-garden-c.example.net.
>> ns3.bbb.dom.ain.rpz-nsdname CNAME walled-garden-d.example.net.
>> and we queried for the A record for "bad.example.com", where
>> "example.com" had NS records "ns1.example.com", "ns2.dom.ain",
>> "ns3.bbb.dom.ain", and "ns4.aaa.dom.ain". In this case,
>> three of the four NS records match policy rules, and at least
>> one of them matches two policy rules (possibly two of them,
>> *see below). Here I show the actual NS records (responses)
>> in Canonical DNS Name Order, then each group of matches itself
>> in Canonical DNS Name Order:
>> ns4.aaa.dom.ain matches *.dom.ain.rpz-nsdname (?)
>> ns4.aaa.dom.ain and matches ns4.aaa.dom.ain.rpz-nsdname
>> ns3.bbb.dom.ain matches *.dom.ain.rpz-nsdname (?)
>> ns3.bbb.dom.ain and matches *.bbb.dom.ain.rpz-nsdname
>> ns3.bbb.dom.ain and matches ns3.bbb.dom.ain.rpz-nsdname
>> ns2.dom.ain matches *.dom.ain.rpz-nsdname
>> ns1.example.com no match
>> So the last match among the responses is "ns2.dom.ain", but
>> the last match match among the triggers is "ns3.bbb.dom.ain";
>> which should take precedence?
> In normal DNS matching, wildcards are ignored when there is a
> specific match, and so the first 3 wildcard triggers are implicitly
> excluded while ns4.aaa.dom.ain and ns3.bbb.dom.ain are being sought
> in the policy zone database.
> The DNSSEC canonical order puts
> ns4.aaa.dom.ain < ns3.bbb.dom.ain < ns2.dom.ain
> ain.dom.aaa.ns4 < ain.dom.bbb.ns3 < ain.dom.ns2
> ain.dom.aaa < ain.dom.bbb < ain.dom.ns2
> and so the winning rule is trigger by ns4.aaa.dom.ain
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
anne at encs.concordia.ca +1 514 848-2424 x2285
More information about the DNSfirewalls