IETF Logo Mail Archive

Re: [dnsext] Re: need new flag bit in EDNS, "do me no favours" (DMNF)

Phillip Hallam-Baker <hallam@gmail.com> Tue, 26 October 2010 03:18 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C4B903A6840; Mon, 25 Oct 2010 20:18:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.235
X-Spam-Level:
X-Spam-Status: No, score=-2.235 tagged_above=-999 required=5 tests=[AWL=0.233, BAYES_00=-2.599, HTML_MESSAGE=0.001, SARE_RMML_Stock10=0.13]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PaZDlMK8YHCX; Mon, 25 Oct 2010 20:18:48 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id B3FF83A67A8; Mon, 25 Oct 2010 20:18:47 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.72 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1PAa0J-000HjY-Fy for namedroppers-data0@psg.com; Tue, 26 Oct 2010 03:15:15 +0000
Received: from mail-yx0-f180.google.com ([209.85.213.180]) by psg.com with esmtp (Exim 4.72 (FreeBSD)) (envelope-from <hallam@gmail.com>) id 1PAa0E-000Hj8-Ks for namedroppers@ops.ietf.org; Tue, 26 Oct 2010 03:15:10 +0000
Received: by yxk30 with SMTP id 30so3217327yxk.11 for <namedroppers@ops.ietf.org>; Mon, 25 Oct 2010 20:15:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=jIxOlSEmdU03mXqCE43/SnnlVjvqZ3HEffOm2a2t+VE=; b=Wae/GXk/LPP/hK9UvTCzoSD0+kEsx2aHDdgro+ulvk4DipLwkaOXNO2RSIEsVVsJ6B Y3BlWIZn6Nwwl38V5MnyFAOq0HkDfYT1RfiKnTVFcRWE1VX3mYoe+UxcwQ256NrHwU+7 75RNncVnPI6EbRYG4Szf2ut4tFUD1IY/FZRyU=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=di1dk8Y2FtA4SRQuMwxpehTfZeGVY/kfqUgxtQZnbtEG3l1EFgtgmSLATmwgrjAm9p Evr3nMQL9L0+OoduRCGLdgAU9epnHtmtDc10s5PC8SoX+Y6V8+BLS/zrgk8VBz29fYGl SXihVSZUQIitNThuV5rJlGnMLczdrpqhclAXs=
MIME-Version: 1.0
Received: by 10.100.168.4 with SMTP id q4mr6234817ane.255.1288062908642; Mon, 25 Oct 2010 20:15:08 -0700 (PDT)
Received: by 10.100.41.14 with HTTP; Mon, 25 Oct 2010 20:15:08 -0700 (PDT)
In-Reply-To: <72674.1288058394@nsa.vix.com>
References: <59023.1287939121@nsa.vix.com> <20101025094523.GA5187@nic.fr> <41281.1288025835@nsa.vix.com> <20101025233215.4A495606495@drugs.dv.isc.org> <72674.1288058394@nsa.vix.com>
Date: Mon, 25 Oct 2010 23:15:08 -0400
Message-ID: <AANLkTimUQPHE+VOS16xOULChM6Cd1LX9XOCyboiAn9k2@mail.gmail.com>
Subject: Re: [dnsext] Re: need new flag bit in EDNS, "do me no favours" (DMNF)
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Paul Vixie <vixie@isc.org>
Cc: namedroppers@ops.ietf.org
Content-Type: multipart/alternative; boundary="001485f647461e369004937c8454"
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
List-Unsubscribe: To unsubscribe send a message to namedroppers-request@ops.ietf.org with
List-Unsubscribe: the word 'unsubscribe' in a single line as the message text body.
List-Archive: <http://ops.ietf.org/lists/namedroppers/>

I think you are creating an evil bit.

Or to be precise, a please do not be evil bit.

We have the means to allow the user to enforce their preferences in this
respect, that seems a more useful approach to me.


On Mon, Oct 25, 2010 at 9:59 PM, Paul Vixie <vixie@isc.org> wrote:

> updated informal proposal contained herein.  if you +1'd before, or -1'd,
> or
> are still on the fence, this is worth reading and potentially commenting
> on.
>
> > From: Mark Andrews <marka@isc.org>
> > Date: Tue, 26 Oct 2010 10:32:15 +1100
> >
> > > opt-in would have been the better design choice had events not
> > > overtaken us.  opt-out, if it's explicit and in-band, is a carve-out.
> > > those of us who know that we never want "web error redirection" should
> > > be able to express this in unambiguous terms, so that ISP's and ASP's
> > > who perform "web error redirection" can be held to account for their
> > > conscious and deliberate choice of whether to honour our expressed
> > > preferences or not.  that's what we can actually still accomplish,
> > > while we wait for end-to-end DNSSEC that will drive nails into the lid
> > > of the coffin containing "web error redirection" and similar practices.
> >
> > But we still can't be sure that they won't adapt to the presence
> > of such marked queries especially if we can get buy-in from a couple
> > of brower vendors along with something to help the proxies to decided
> > when they should should do the same thing.
>
> that's out of scope -- and would take more than five years to agree about.
>
> > Why don't we do both at once?  There is a range of address modifications
> > out there.  none, dns64, dns46[1], filter-aaaa, "bad" site, nxdomain.  A
> > query may want some or all of these to be performed even in the presence
> > of DO or CD.  Only the querier really knows what is acceptable.
> > ...
> > [1] Give me a IPv4 address if the site doesn't have a IPv4 address
> > but has a IPv6 address.  It's the complement of dns64.
>
> as long as it's clear that we're not changing the q-tuple between recursive
> and authoritative, i'm fine with unlimited complexity in stub-to-recursive
> (that is, RD=1) options.
>
> > I can see web browers setting dns64 (vendor), bad site (user control) and
> > nxdomain (user control).
>
> so it sounds like we need a new edns option blob which is a variable length
> mask (so, right now it would be one octet long), which would only be
> defined
> for RD=1.  the first bit of the first octet would be "no web error
> redirect"
> (NWED).  the name of the option would be "do me no favours" (DMNF).
>
> this way we a rdns can be sure that the user has expressed no preferences
> if
> there is no DMNF option at all, but that if the option is present, then
> every
> bit therein is absolutely meaningful.  so, DMNF present means "user is
> aware
> of the issues and is expressing a preference", in which case NWED=1 means
> the
> user doesn't want web error redirection whereas NWED=0 means they do want
> it.
> (note, we are expressing these as negatives, to ensure that rdns operators
> know that the default (zero) is in favour of the potentially unwanted
> practice.
>
> there would be no ambiguity here, since someone who doesn't care at all can
> just never add the DMNF option on anything, whereas someone who cares about
> anything has to be explicit about every negative preference they could
> potentially have.
>
> i'm willing to write this up in this form, even given that i've missed the
> -00 deadline for beijing (where i will not be present, by the way), and
> i'll
> be happy to add any other preference bits if (1) they are only meaningful
> for
> RD=1, (2) they do not affect the recursive-to-authoritative q-tuple at all,
> (3) they can be expressed in a single binary digit ("bit"), and (4) there
> is
> a simple unambigious one-paragraph english text that explains the meaning.
>
> am i on the wrong track according to those (three) who have +1'd this so
> far?
>
> is anyone else +1 for this approach (willing to review, etc)?
>
>


-- 
Website: http://hallambaker.com/

v2.23.0 | Report a Bug | By Email