[DNSfirewalls] Fwd: New Version Notification for draft-vixie-dns-rpz-01.txt

Anne Bennett anne at encs.concordia.ca
Mon Oct 24 23:13:28 UTC 2016

I wrote:

> I'm re-reading the entire draft to try to understand this idea of
> precedence of matches versus "familiar scheme" lookups, and to see if
> there's any text I could suggest to make it easier for the first-time
> reader to understand it.  This re-reading is bringing up more comments
> and questions, which I'll send separately.

Section 2:

  express policy triggers or characteristics of DNS response that
  require action


  express policy triggers, which are characteristics of a DNS query
  or response, that require action.

  To "All POLICY described here...", prepend:

  The format of RPZs has undergone several revisions since work began
  (see section 7).

Section 7:

  To the paragraph that ends in "required continuing support of
  the original encodings", add a few brief sentences summarizing
  the formats, e.g.:

    The initial specification ("format 1") contained only [list the
    triggers and actions].  Format 2, issued [date], added/modified
    [list the changes].  Format 3 ([date]) added/modified [list the

Section 3:

  for research into attackers and debugging
  for research into attackers and for debugging

    The PASSTHRU action [...] overrides lower precedence policies

  This mention of precedence seems out of the blue, and it's not
  clear at this point in the document what might be meant by "lower
  precedence policies".

  Do you mean that PASSTHRU is usually intended to override other
  policies, so the writer of the policies needs to make sure
  to place the PASSTHRU at a higher precedence level?  If it's
  the case not that PASSTHRU itself is special (IIRC, nowhere
  else does the "action" part of a policy figure in the
  determination of precedence), but rather that the PASSTHRU
  should be written such that it sorts at a higher precedence than
  the record it overrides, I'd suggest replacing that sentence with:

    The PASSTHRU action is intended to override other (usually
    more general) policies, so it should be written such that
    it appears at a higher precedence than the policies it must
    override; see Section XXX for precedence rules.

  because the CNAME target name will not be the root (.),
  root wildcard (*.), or be a subdomain of a top level domain
  that starts with "rpz-".


  because the CNAME target name will not be the root (.),
  nor the root wildcard (*.), nor be a subdomain of a top
  level domain that starts with "rpz-".

Section 4:

  (change first two paragraphs to:)

    There are five types of RPZ triggers, and they are encoded
    by RRset owner names in an RPZ.

    Two of the types of policy trigger are based on
    characteristics of the DNS query: QNAME, and Client
    IP address.  They are independent of cache contents or
    recursion results.

    The other three types of triggers are based on target data
    (RDATA): they are Response IP address, NSDNAME, and NSIP.
    Those policies are conceptually applied after recursion,
    so that the recursive DNS resolver's cache contains
    either nothing or "truth", even if this truth is hidden by
    current policy.  If the policy changes, the original data
    is available for processing under the changed policy.

  Also, I'd change the order of the list of triggers to have the two
  query-based ones come before the three response-based ones, so:

    Client IP address
    IP address

  I think that explicitly making the distinction between
  query-based and response-based triggers will help us later
  with the precedence rules.

Section 5:

  I think that this section contains these basic categories
  of information, which should perhaps be re-ordered a bit
  and placed in subsections:

    5.1 Loading the zones
        Paragraphs 1, 5, and 6

    5.2 Using the zones
        Paragraphs 7, 9 (the last one, after the precedence material)

    5.3 Authority of modified responses
        Paragraph 4

    5.4 Applying the policies
        Paragraphs 2, 3, a new paragraph to cover the order
        of operations (in particular, when "familiar DNS scheme"
        applies (with wildcards), and when precedence rules must
        be invoked), plus part of paragraph 8.

    5.5 Precedence of policies
        The precedence material starting at "RPZ ordering".

  My feeling is that if we re-order and categorize this way, it
  should make it more possible to untangle the confusion (or at
  least, *my* confusion!) with respect to the order of queries, 
  and the application of the precedence rules.  What do you think?

Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
anne at encs.concordia.ca                                    +1 514 848-2424 x2285
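As an added example, not from the draft or from this post: the five trigger types and the CNAME-encoded actions discussed above, parsed from a constructed RPZ zone fragment and split into the query-phase and response-phase groups the Section 4 rewrite proposes. The apex rpz.example. and the sample records are assumptions; the trigger labels and action targets are the ones the RPZ draft defines.

```python
"""Classify RPZ policy RRs by trigger type, evaluation phase and action.
Added example, not from the draft or the post; the apex rpz.example. and
the records in SAMPLE_ZONE are constructed, the labels are RPZ's own."""
import ipaddress

RPZ_APEX = "rpz.example."
# Query-phase triggers need no recursion; response-phase ones match RDATA.
TRIGGERS = {"rpz-client-ip": ("Client IP", "query"), "rpz-ip": ("IP", "response"),
            "rpz-nsdname": ("NSDNAME", "response"), "rpz-nsip": ("NSIP", "response")}
# Actions are encoded in the CNAME target; any other target is Local Data.
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
           "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-Only"}

def decode_ipv4_trigger(labels):
    """['24','0','2','0','192'] -> 192.0.2.0/24: prefix length first, then
    reversed octets. IPv6 ('zz' stands for '::') is not handled here."""
    return ipaddress.ip_network(".".join(reversed(labels[1:])) + "/" + labels[0])

def decode_action(target):
    if target in ACTIONS:
        return ACTIONS[target]
    if target.rstrip(".").rsplit(".", 1)[-1].startswith("rpz-"):
        return "UNKNOWN-RPZ-ACTION"  # reserved TLD, so not ordinary local data
    return "Local Data"

def classify(owner, target):
    """Return (phase, trigger type, trigger key, action) for one policy RR."""
    rel = owner[:-len(RPZ_APEX) - 1].split(".")  # owner relative to the apex
    kind, phase = TRIGGERS.get(rel[-1], ("QNAME", "query"))
    if kind == "QNAME":
        key = ".".join(rel) + "."
    elif kind == "NSDNAME":
        key = ".".join(rel[:-1]) + "."
    else:
        key = str(decode_ipv4_trigger(rel[:-1]))
    return phase, kind, key, decode_action(target)

def load_policies(zone_text):
    """Parse 'owner CNAME target' lines; returns classify() tuples in order."""
    return [classify(p[0], p[2]) for p in map(str.split, zone_text.splitlines())
            if len(p) == 3 and p[1] == "CNAME"]

SAMPLE_ZONE = """\
*.bad.example.rpz.example.                CNAME *.
good.bad.example.rpz.example.             CNAME rpz-passthru.
32.1.2.0.192.rpz-client-ip.rpz.example.   CNAME rpz-drop.
24.0.2.0.192.rpz-ip.rpz.example.          CNAME rpz-tcp-only.
ns1.bad.example.rpz-nsdname.rpz.example.  CNAME walled-garden.example.
32.9.2.0.192.rpz-nsip.rpz.example.        CNAME .
"""
```

The second record is the PASSTHRU case from the Section 3 comment: it is written at a more specific owner name than the wildcard it is meant to override, and both sort into the query phase.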
