From songlinjian at gmail.com Thu Dec 21 02:15:05 2017
From: songlinjian at gmail.com (Davey Song)
Date: Thu, 21 Dec 2017 10:15:05 +0800
Subject: [DNSfirewalls] RPZ Trigger on answer section

Hi folks,

I recently received an issue which I would like to use RPZ to resolve, but I'm not sure RPZ fits this situation. I put this in the following text. It's appreciated if anyone can give me some clue on this.

* Background

A lot of websites use CDNs to replicate their content and make it close to their users. It's a common tool to promote their users' experience. However, when it comes to updating a website to support IPv6, there is a mismatch between websites and their CDNs. There is a case that some advanced websites update their DNS and web servers to support IPv6. But most CDNs (or their long-term CDNs) are not ready for IPv6, which means these CDNs' authoritative servers have no answer to AAAA queries. Once there is a CNAME in the zone, there is no room for a AAAA to be added to the domain of that website. It is a dilemma for website operators to choose: either postpone their IPv6 plan or give up using CDNs.

Note: choosing another IPv6-enabled CDN is out of the scope of this draft.

* The proposal

The intuitive idea for this problem is to hack the website's DNS system to break the CNAME context and add a AAAA to that zone. It is expected to respond with an IPv6 address to an AAAA-type query.

A lighter approach is to put a proxy or dnsdist in front of the authoritative server to respond as desired.

A more natural way is to harness the existing RPZ (Response Policy Zone) to accommodate the requirement based on the local policy. The local policy is that if the response returns only a CNAME to an AAAA-type query, the server should respond with a configured AAAA record.

* Issues using RPZ (my personal experience)

By searching the RPZ configuration rules, there is only one trigger, the IP trigger, that operates on the answer section of an A/AAAA query. But that trigger is performed exactly on the IPv4/IPv6 address contained as an answer in a DNS response. There is no trigger in RPZ reacting perfectly according to the proposal.

Best regards,
Davey


From paul at redbarn.org Sat Dec 23 18:12:10 2017
From: paul at redbarn.org (Paul Vixie)
Date: Sat, 23 Dec 2017 10:12:10 -0800
Subject: [DNSfirewalls] RPZ Trigger on answer section
Message-ID: <5A3E9C7A.9090509@redbarn.org>

Davey Song wrote:
> ...
> * The proposal
>
> The intuitive idea for this problem is to hack the website's DNS system
> to break the CNAME context and add a AAAA to that zone. It is expected to
> respond with an IPv6 address to an AAAA-type query.
>
> A lighter approach is to put a proxy or dnsdist in front of the
> authoritative server to respond as desired.
>
> A more natural way is to harness the existing RPZ (Response Policy Zone)
> to accommodate the requirement based on the local policy. The local
> policy is that if the response returns only a CNAME to an AAAA-type query,
> the server should respond with a configured AAAA record.

RPZ is not able to act on two or more attributes of a response, only one. None of the relevant attributes will be the QTYPE of the query or any of the RRTYPEs of the answer. so, as it is today, RPZ cannot help you with your problem.

> * Issues using RPZ (my personal experience)
>
> By searching the RPZ configuration rules, there is only one trigger, the
> IP trigger, that operates on the answer section of an A/AAAA query. But
> that trigger is performed exactly on the IPv4/IPv6 address contained as an
> answer in a DNS response. There is no trigger in RPZ reacting perfectly
> according to the proposal.

i think you mean that of the five available triggers, only one is related in any way to an IP address. however, your word "exactly" is not correct. RPZ triggers can be based on IP prefixes (which means IP4 or IP6 prefixes) of any length. to specify a host, a full (32-bit or 128-bit) prefix is provided; to specify a network or a group of networks, a shorter prefix (less than 32 bits, or less than 128 bits) is specified.

you are correct that there is no trigger in RPZ that does what you need. moreover, there may not be anything in DNS that does what you need. the CNAME returned in the CDN IP4 case will be cached, and your authority server will not receive subsequent queries about any RRset for that alias (CNAME owner). so, even if you use dnsdist, or hand-write your own DNS server, it's not clear that you could ever win.

-- 
P Vixie


From songlinjian at gmail.com Mon Dec 25 02:07:06 2017
From: songlinjian at gmail.com (Davey Song)
Date: Mon, 25 Dec 2017 10:07:06 +0800
Subject: [DNSfirewalls] RPZ Trigger on answer section
In-Reply-To: <5A3E9C7A.9090509@redbarn.org>
References: <5A3E9C7A.9090509@redbarn.org>

On 24 December 2017 at 02:12, Paul Vixie wrote:

> RPZ is not able to act on two or more attributes of a response, only one.
> None of the relevant attributes will be the QTYPE of the query or any of
> the RRTYPEs of the answer. so, as it is today, RPZ cannot help you with
> your problem.

Yes, I see that.

> you are correct that there is no trigger in RPZ that does what you need.
> moreover, there may not be anything in DNS that does what you need. the
> CNAME returned in the CDN IP4 case will be cached, and your authority
> server will not receive subsequent queries about any RRset for that alias
> (CNAME owner). so, even if you use dnsdist, or hand-write your own DNS
> server, it's not clear that you could ever win.

I think even if the A records are cached (from the CNAME server), the AAAA query will still be sent to the authority server. There is no AAAA in the cache.

Davey.
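Paul's point about prefix lengths is easiest to see in how an IP trigger is actually written: the owner name carries the prefix length first, then the address reversed, so a /32 or /128 names one host and a shorter prefix names a network. The script below is an added example and not code from the thread or from any RPZ implementation; it encodes prefixes into rpz-ip owner names following the convention in the RPZ draft (draft-vixie-dnsop-dns-rpz), decodes them back, and checks whether an address from a response's answer section would fire a trigger. The policy records in SAMPLE_RULES are constructed, and the longest-prefix ordering in policy_for is a simplification of real RPZ precedence, as noted in the code.

```python
"""RPZ IP-trigger owner names: encode a prefix, decode one back, and decide
whether an address in a response's answer section fires the trigger.

Added example, not code from the thread. Encoding follows the rpz-ip
convention of the RPZ draft (draft-vixie-dnsop-dns-rpz):
  IPv4  192.0.2.0/24     -> 24.0.2.0.192.rpz-ip      (prefix length, then
                                                      octets reversed)
  IPv6  2001:db8::1/128  -> 128.1.zz.db8.2001.rpz-ip (16-bit words reversed,
                                                      "zz" standing for "::")
"""
import ipaddress

RPZ_IP_SUFFIX = ".rpz-ip"


def encode_rpz_ip(prefix: str) -> str:
    """Return the rpz-ip owner name for an IPv4 or IPv6 prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    addr = net.network_address
    if net.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        text = addr.compressed          # shortest form, at most one "::"
        if "::" in text:
            left, right = text.split("::")
            labels = []
            if right:
                labels += right.split(":")[::-1]
            labels.append("zz")
            if left:
                labels += left.split(":")[::-1]
        else:
            labels = text.split(":")[::-1]
    return ".".join([str(net.prefixlen)] + labels) + RPZ_IP_SUFFIX


def decode_rpz_ip(owner: str):
    """Parse an rpz-ip owner name back into an ip_network object."""
    if not owner.endswith(RPZ_IP_SUFFIX):
        raise ValueError("not an rpz-ip owner name: %r" % owner)
    plen, *labels = owner[: -len(RPZ_IP_SUFFIX)].split(".")
    # Four purely decimal labels with a prefix length of at most 32 is an
    # IPv4 trigger; anything else is read as IPv6 words (hex, no leading zeros).
    if len(labels) == 4 and all(l.isdigit() for l in labels) and int(plen) <= 32:
        text = ".".join(labels[::-1])
    else:
        words = labels[::-1]
        if "zz" in words:
            i = words.index("zz")
            text = ":".join(words[:i]) + "::" + ":".join(words[i + 1:])
        else:
            text = ":".join(words)
    return ipaddress.ip_network("%s/%s" % (text, plen), strict=False)


def fires(owner: str, answer_address: str) -> bool:
    """Would this IP trigger match an address found in the answer section?"""
    return ipaddress.ip_address(answer_address) in decode_rpz_ip(owner)


# Constructed sample policy: owner names as they would appear in a policy
# zone, mapped to the action their RDATA encodes (CNAME . is NXDOMAIN,
# CNAME *. is NODATA, CNAME rpz-passthru. is PASSTHRU).
SAMPLE_RULES = {
    "24.0.2.0.192.rpz-ip": "NXDOMAIN",   # a whole /24
    "32.7.2.0.192.rpz-ip": "PASSTHRU",   # one host inside that /24
    "32.zz.db8.2001.rpz-ip": "NODATA",   # an IPv6 /32
}


def policy_for(answer_addresses, rules=SAMPLE_RULES):
    """Action of the most specific IP trigger hit by any answer address.

    Assumption of this example: only longest-prefix ordering among IP
    triggers is modelled; real RPZ also orders across trigger types and
    across multiple policy zones.
    """
    best = None
    for owner, action in rules.items():
        net = decode_rpz_ip(owner)
        for addr in answer_addresses:
            ip = ipaddress.ip_address(addr)
            if ip.version == net.version and ip in net:
                if best is None or net.prefixlen > best[0]:
                    best = (net.prefixlen, action)
    return best[1] if best else None


if __name__ == "__main__":
    for p in ("192.0.2.0/24", "192.0.2.7/32", "2001:db8::1/128", "2001:db8::/32"):
        print("%-16s -> %s" % (p, encode_rpz_ip(p)))
    print(policy_for(["192.0.2.44"]), policy_for(["192.0.2.7"]), policy_for(["2001:db8::1"]))
```

Note what the trigger never sees: the QNAME, the QTYPE, or whether the answer also contained a CNAME. It fires on an address and nothing else, which is why a rule of the form "if the AAAA answer holds only a CNAME, substitute this AAAA" cannot be expressed as an IP trigger.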
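The caching question raised in Paul's reply can be run through a toy resolver. The script below is an added example, not code from the thread; the two authoritative zones, the names and the addresses are constructed. It models the rule from RFC 1034 section 3.6.2 that a CNAME at a name answers every RR type at that name, so a resolver holding a cached CNAME restarts at the canonical name instead of re-asking the alias owner's authority. It runs both cases: a cache that already holds the CNAME from an earlier A lookup, and a cold cache where the AAAA query is the first one for the name.

```python
"""Toy resolver cache showing which authority sees a AAAA query once a
CNAME is cached. Added example, not code from the thread; zones and names
are constructed (RFC 5737 address, .example-style names), not real data.

RFC 1034 section 3.6.2: a CNAME at a name stands for every RR type at that
name, so a resolver holding a cached CNAME restarts the lookup at the
canonical name instead of re-asking the alias owner's authority.
"""
from collections import Counter

# Constructed authoritative data. The website zone aliases www to the CDN;
# the CDN zone serves only A records (the IPv4-only CDN of the thread).
WEBSITE_AUTH = {
    ("www.example.com", "CNAME"): ["www.example.com.cdn.example.net"],
}
CDN_AUTH = {
    ("www.example.com.cdn.example.net", "A"): ["192.0.2.10"],
}


def authority_for(name):
    """Which of the two constructed servers is authoritative for a name."""
    return "cdn" if name.endswith("cdn.example.net") else "website"


class Resolver:
    def __init__(self):
        self.cache = {}           # (name, rrtype) -> list of RDATA
        self.queries = Counter()  # (server, qtype) -> how often it was asked

    def ask_authority(self, name, qtype):
        server = authority_for(name)
        self.queries[(server, qtype)] += 1
        zone = CDN_AUTH if server == "cdn" else WEBSITE_AUTH
        if (name, qtype) in zone:
            return qtype, zone[(name, qtype)]
        if (name, "CNAME") in zone:       # an alias answers any qtype with its CNAME
            return "CNAME", zone[(name, "CNAME")]
        return qtype, []                  # NODATA

    def resolve(self, name, qtype, max_hops=8):
        for _ in range(max_hops):
            if (name, "CNAME") in self.cache:
                # Cached alias: follow it without contacting the owner's authority.
                name = self.cache[(name, "CNAME")][0]
                continue
            if (name, qtype) in self.cache:
                return self.cache[(name, qtype)]
            rtype, rrs = self.ask_authority(name, qtype)
            self.cache[(name, rtype)] = rrs     # positive or negative (NODATA) answer
            if rtype == "CNAME":
                name = rrs[0]
                continue
            return rrs
        raise RuntimeError("CNAME chain too long")


def run_scenario(cname_already_cached):
    """Resolve www.example.com AAAA, optionally after an earlier A lookup
    (as an IPv4 client would cause) has put the CNAME in the cache.
    Returns (AAAA answer, query counts keyed by (server, qtype))."""
    r = Resolver()
    if cname_already_cached:
        r.resolve("www.example.com", "A")
    aaaa = r.resolve("www.example.com", "AAAA")
    return aaaa, dict(r.queries)


if __name__ == "__main__":
    for warm in (True, False):
        answer, counts = run_scenario(warm)
        print("CNAME cached first: %s -> AAAA answer %s, queries %s" % (warm, answer, counts))
```

With the CNAME already cached, the website's authority receives no AAAA query at all; the AAAA goes straight to the CDN's authority and comes back empty. Only on a cold cache, or after the CNAME's TTL has expired, does the website's authority see the AAAA query, and what it returns is again the CNAME, which is then cached for every type.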