IETF Logo Mail Archive

Re: [Add] [EXTERNAL] Re: New Version Notification for draft-reddy-add-enterprise-split-dns-01.txt

Paul Vixie <paul@redbarn.org> Wed, 17 March 2021 07:22 UTC

Return-Path: <vixie@redbarn.org>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F2D13A0163 for <add@ietfa.amsl.com>; Wed, 17 Mar 2021 00:22:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OVQipytKOvIp for <add@ietfa.amsl.com>; Wed, 17 Mar 2021 00:21:59 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E89383A011D for <add@ietf.org>; Wed, 17 Mar 2021 00:21:58 -0700 (PDT)
Received: by family.redbarn.org (Postfix, from userid 716) id 2FA547599B; Wed, 17 Mar 2021 07:21:56 +0000 (UTC)
Date: Wed, 17 Mar 2021 07:21:56 +0000
From: Paul Vixie <paul@redbarn.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Eric Rescorla <ekr@rtfm.com>, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, ADD Mailing list <add@ietf.org>, Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>
Message-ID: <20210317072156.gz3da4xxisqx7p7r@family.redbarn.org>
References: <1c618bd9-e039-2dac-80f3-1f11b7b44bc4@cs.tcd.ie> <9486D9AE-047B-4046-AB8A-74E8AB0D83B5@nohats.ca> <20210315021312.ng5xgq23kkohvsgb@family.redbarn.org> <1191373191.33078.1615799543805@appsuite-gw1.open-xchange.com> <CAHbrMsDuks_CekecsONR2USBk+TCyDy3xzdndbak2p8gsJnReQ@mail.gmail.com> <CABcZeBM7qGgt7UfN-6mJa0NHizfGsEKgzaEmkLgYkY=C2gJHgQ@mail.gmail.com> <20210317025801.rx5lehqy53xwwdn5@family.redbarn.org> <337a90e4-3ef7-0532-8429-ad0b587c30ec@cs.tcd.ie>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <337a90e4-3ef7-0532-8429-ad0b587c30ec@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/V2GFTdZMMKMuTOYWn5ZHzgoKv8s>
Subject: Re: [Add] [EXTERNAL] Re: New Version Notification for draft-reddy-add-enterprise-split-dns-01.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Mar 2021 07:22:03 -0000

On Wed, Mar 17, 2021 at 03:27:29AM +0000, Stephen Farrell wrote:
> 
> Hiya,
> 
> A question (*)...
> 
> On 17/03/2021 02:58, Paul Vixie wrote:
> > generally speaking, ...
> 
> Don't you think that ossification due to often not-often
> updated middleboxes has an effect on interoperability? I
> thought that was a more-or-less accepted proposition, but
> perhaps it's not.

it is. but not all continuity is ossification. sometimes things work the
way they should, or at least work the way people who making informed choices
have deliberately chosen. (even if that "way" happens to have continuity.)

> ISTM if one does accept an "aged middlebox breaks things"
> argument, then "interference by on-path actors" is clearly
> one of the barriers to interoperability we face.

it sometimes is, but sometimes is not. consider for example a firewall, by
which a network administrator might qualify as an on-path interferer. that
certainly breaks some stuff, but it's not a form of non-interoperability --
it's a form of policy. and if the firewall operator has obligations to the
server operators or to the end users which obligations do require that
policy, then i think their policies should not be trivially dismissed.

DoH as an example deliberately and intentionally prohibits firewalls from
restricting or obstructing off-network RDNS. it says so on page 1 of the
RFC -- they don't try to hide it. those of us figuring out how to cope
with a world where firewalls are deliberately and intentionally prohibited
by IETF protocol standards action may ask for some new signaling to support
our (continuing) obligations.

> (At the same time, I do not claim all interference by on-path actors
> is "bad" - there are some benefits to firewalls, even if those also
> often become brittle, e.g. due to out-dated configs.)

thanks for this. to me the foundational principle is that networks have
"policy autonomy" and if operators screw things up, they have themselves
to blame and their employees, customers, or families can blame them also.
to be clear, this means there is no "but", no exception whereby well
meaning software suppliers or internet protocol designers can say "yes,
it's your network, but we can't allow you to set policy for it."

however, i lost that argument, so now i'm just trying to limit the damage,
which is why i'm asking for a policy signal path whereby any device which
does not obey the local network's policy can be presumed hostile to that
policy -- ignorance won't be an excuse. i've already removed all mozilla
corporation software from my networks on the basis of their DoH theatrics,
but there will be others who don't believe that on my network, my rules
actually matter.

> (*) To be honest, mine is maybe as loaded a question as if I'd described
> things as "full-throated" or wondered about flying pigs etc. But FWIW, I
> don't mind a bit of rhetoric at all:-)

thanks for this, too. i don't aim for outlandishness; it simply finds me.

-- 
Paul Vixie

v2.23.0 | Report a Bug | By Email