On Tue, 2005-03-08 at 09:35 -0800, Mark Baugher wrote:
On Mar 8, 2005, at 8:27 AM, Douglas Otis wrote:
On Tue, 2005-03-08 at 07:04 -0800, Mark Baugher wrote:
On Mar 5, 2005, at 8:10 AM, Andrew Newton wrote:
...
I was discussing the making and revoking of reputation assertions. At
least that's what I wanted to discuss. I think you're talking about
revoking account keys.
The revocation records signal the rejection of revocation-identifiers
within the signature (content). Currently deployed reputation services
use nearly identical signaling for remote IP addresses rejected by
returning an A record (127.0.0.1/8).
Are you convinced that currently deployed black list services will meet
mail-signing requirements?
This is a bit vague. The blacklist strategy will work to provide a
revocation mechanism for an embedded revocation-identifier. There are
mitigations to reduce a potential resulting load for both senders and
receivers. One, this is made optional for smaller, stable and
relatively secure domains. Two, using long-lived HELO authentication
records can eliminate a revocation query in most cases. Even without
these mitigations, it still should be practical to provision the
additional needed resources.
By ensuring all sub-domains of a domain with a bad reputation also
report a bad reputation, then when the HELO is within the Signature
domain, just a reputation check on the HELO would be required. This
would provide the needed DoS protections and remove the need to also
perform a subsequent revocation record check.
A black-hole listing service can provide global domain based reputations
for both the HELO and the Signature domains. For larger domains, it is
more economical to transfer the database in bulk when the data is
relatively stable. That is becoming less true however.
There is a good reason why a record is not returned when reputation
is good. It is desired that the recipient make no-records results
TTLs short (negative caching) to indicate acceptance, but at their
discretion, to adjust their network and cache loads.
When using a record to be an indication of acceptance, to then allow
rapid revocation, the A records would need to have relatively short
TTLs. Some positive reputation services do this by using 0 TTL.
Is a "positive reputation service" an accreditation service?
Well yes, an accreditation service. I should also note that the TTL on
the negative cache may be determined by the lesser of the SOA TTL and
SOA MINIMUM field in some cases. This field has undergone three
definitions where the negative cache TTL may be receiver implementation
dependent. I should also note that some versions of Bind may not use 0
TTL correctly either.
About 25% of the IP space is excluded with a bad reputation, and the
database for asserting a bad reputation is still smaller than a
good one. (This information still needs to be propagated.) The domain
name space is a bit different. It looks to be a closer split of
good and bad, no doubt driven by a need to evade filtering. It
still seems to be a better choice to have a record express a bad
reputation, however.
Is it the consensus of DNS experts that this is good or safe for the
DNS? I wonder about that because I don't believe that the DNS can
safely incorporate features for any application on the Internet.
Paul Vixie and Dave Rand developed the initial email reputation service
at MAPS using the DNS mechanism described. This mechanism is used
widely by most MTA receivers to screen incoming connections. Many query
several such services. Without this service, most MTA receivers would
become unusable, where this service is now an element of DoS protection.
I'm speculating, and the following opinion is an entirely personal one:
Once we get beyond anti-forgery, the DNS does not seem to me to be a
good place for any sort of reputation service. A domain might have a
very good reputation for some applications and a very bad reputation
for others, for example.
The principal factor that decides reputation is whether OPT-IN is used
for bulk messages and whether subscriptions are authenticated. OPT-OUT
does not provide a practical basis for judging behavior, especially when
people should not be asked to reply to spam. OPT-IN can be
established as an acceptance policy.
Agreed. Looking at how the number of queries can be reduced is an
important aspect of meeting these requirements. There are examples
that indicate DNS style query techniques scale to reporting on
billions of entities. (Not easily, but well beyond the entire domain
name space.) A reputation service is still at a larger scale than
the revocation-identifier query would ever be. The
revocation-identifier is also distributed whereas a reputation query
would be for all domains.
What if we screw up? How would this affect the global DNS?
Good question. A major vendor is considering widely deploying an
alternative that risks creating poisoning exploits, ignores UDP
exponential back-off with higher DNS traffic, without meeting a goal of
actually authenticating. I see MASS as an alternative that is much more
conservative and safe and actually accomplishes a goal.
There are some ideas of how reputation services can be better implemented,
but this will require a development process. For now, using DNS seems
like a good starting point that should be able to meet immediate needs
of a new mechanism.
Would it also be a good starting point for telephony reputation? What
about for IM reputation? Etc.?
If bad behavior is punished across all forms of communication, it would
increase the value of maintaining a good reputation. Aggregating
reputation could provide a binary answer, expanded to include the types
of communications, as well as their AS and Registrar ratings to quell an
exploding name space.
-Doug
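As an added, self-contained illustration of the DNSBL-style signaling discussed in this thread (an A record in 127.0.0.0/8 for a listed IP, domain or revocation-identifier, no record for an accepted one, and sub-domains of a listed domain reporting the same listing), and not code from any participant: the zone name bl.example and the listed entries are constructed placeholders, and an in-memory dictionary stands in for the DNS.

```python
import ipaddress

# Constructed stand-in for a reputation/revocation zone (bl.example is a placeholder).
ZONE = "bl.example"
LISTED = {
    "4.3.2.1": "127.0.0.2",          # IP 1.2.3.4, stored with octets reversed
    "spammer.example": "127.0.0.4",  # listed domain; its sub-domains inherit the listing
    "revoked-key-id": "127.0.0.10",  # revocation-identifier carried in a signature
    "parked.example": "198.51.100.7",  # answer outside 127/8: a dead/wildcarded zone
}
LOCALNET = ipaddress.IPv4Network("127.0.0.0/8")


def query_name(key: str) -> str:
    """Build the query name: IPv4 addresses are reversed octet-wise, other keys used as-is."""
    try:
        ip = ipaddress.IPv4Address(key)
        return ".".join(reversed(ip.exploded.split("."))) + "." + ZONE
    except ValueError:
        return key.lower().rstrip(".") + "." + ZONE


def lookup_a(qname: str):
    """Stand-in resolver: returns the A record string, or None for NXDOMAIN.

    Walks the label suffixes so that a sub-domain of a listed domain (or, for a
    reversed IP, an address inside a listed /24, /16 or /8) reports the same record.
    """
    label = qname[: -len("." + ZONE)]
    parts = label.split(".")
    for i in range(len(parts)):
        record = LISTED.get(".".join(parts[i:]))
        if record is not None:
            return record
    return None


def reputation(key: str) -> str:
    """'ok' when no record exists, 'listed' for a 127/8 answer, 'error' otherwise."""
    answer = lookup_a(query_name(key))
    if answer is None:
        return "ok"  # no record means accepted; negative-cache TTL is the receiver's choice
    if ipaddress.IPv4Address(answer) in LOCALNET:
        return "listed"
    # A non-127/8 answer is not a listing: treat it as a broken or expired zone
    # and fail open rather than reject every sender.
    return "error"
```

The error branch matters in practice: a list zone that lapses and is wildcarded by a registrar would otherwise make every lookup appear listed.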