> Vladimír Čunát wrote:
> Hi.
> On 10/06/2017 05:00 PM, Vernon Schryver wrote:
>> If you will include hooks for an RPZ implementation in your shipped
>> code as opposed to modified source in a 'contrib' directory that
>> users must compile specially, I'd be happy to try to propose such
>> hooks. In other words, I could try to make a patch for Knot Resolver
>> like the patch that I wrote for Unbound (without cost to NLnet Labs).
>> If you prefer, you could write the code.
> The current very limited implementation of RPZ in knot-resolver [1] is
> done via a couple dozen lines of lua code, i.e. only JIT-compiled. The
> approach might remain similar, perhaps a bit more modularized, but in
> any case I expect it would be included by default, so I wouldn't worry
> about users having to recompile.
let me clarify. there is an rpz implementation for bind9 and unbound
which is mostly outside the server itself. so, it's a duplication of
effort for bind9, which has its own internal implementation of rpz, but
it's new functionality for unbound, which does not have rpz built in.
this rpz implementation consists of a daemon, a command line tool, a
shared library, and a shared memory (mmap'd file) segment. the api for
the shared library is meant to be not just name server implementation
(thus, it works on bind9 and unbound), but also policy implementation
(thus, it could work for a policy system other than rpz, though we've
not tested it.)
the implementation we have (farsight security) is not open source, but,
the API is entirely unencumbered. thus, someone other than us could
implement a shared library and associated software that spoke to this
API and could be dynamically loaded by bind9, unbound, and any other
implementation of that API.
patches to make knot-recursive speak this API are what vernon offered.
those patches, like the API it speaks to, are entirely unencumbered, and
would therefore be compatible with your license. in fact the patches to
make knot-recursive speak to this API would be donated to you and would
become your property and would have only your license.
farsight's implementation of this API is called fastrpz. we don't give
it away to the whole community; only to people who operate passive dns
sensors for SIE. we fully expect to see fully open source competitors
for our implementation of this API from other members of the community
in the fullness of time.
the API now has a name, the response policy service (RPS).
please contact vernon directly if you'd be willing to accept a donation
of patches to make knot-resolver able to call the RPS API, and thus,
able to dynamically load any shared library that implements the RPS API.
please contact me directly if any of you would be willing to operate a
passive DNS sensor for SIE, in exchange for a right-to-use license for
the fastrpz implementation of the RPS API, or perhaps data trades &etc.
--
P Vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop