IETF Logo Mail Archive

Re: [DNSOP] Brian Haberman's No Record on draft-ietf-dnsop-root-loopback-04: (with COMMENT)

Brian Haberman <brian@innovationslab.net> Wed, 30 September 2015 15:26 UTC

Return-Path: <brian@innovationslab.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73FCD1B5EAF; Wed, 30 Sep 2015 08:26:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yAvNGKV4OzU9; Wed, 30 Sep 2015 08:26:24 -0700 (PDT)
Received: from uillean.fuaim.com (uillean.fuaim.com [206.197.161.140]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 245651B5EAE; Wed, 30 Sep 2015 08:26:24 -0700 (PDT)
Received: from clairseach.fuaim.com (clairseach-high.fuaim.com [206.197.161.158]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by uillean.fuaim.com (Postfix) with ESMTP id 01C4488157; Wed, 30 Sep 2015 08:26:24 -0700 (PDT)
Received: from clemson.jhuapl.edu (swifi-nat.jhuapl.edu [128.244.87.133]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by clairseach.fuaim.com (Postfix) with ESMTP id C284C328081A; Wed, 30 Sep 2015 08:26:22 -0700 (PDT)
To: Paul Hoffman <paul.hoffman@vpnc.org>
References: <20150930135306.9641.25056.idtracker@ietfa.amsl.com> <0021A0B0-DEA4-4492-8484-E47819117472@vpnc.org> <560BFBF0.6030001@innovationslab.net> <DDBEB203-5DD9-4AA3-BC32-CBD4D51BD243@vpnc.org>
From: Brian Haberman <brian@innovationslab.net>
Message-ID: <560BFF18.3080100@innovationslab.net>
Date: Wed, 30 Sep 2015 11:26:16 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <DDBEB203-5DD9-4AA3-BC32-CBD4D51BD243@vpnc.org>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="LHgQiewj30DuU8l966J0i6tIIHHauumsH"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/7haOf6lJvvtsxLHJaTPeUspZPGc>
Cc: tjw.ietf@gmail.com, draft-ietf-dnsop-root-loopback@ietf.org, dnsop-chairs@ietf.org, dnsop@ietf.org, draft-ietf-dnsop-root-loopback.ad@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-dnsop-root-loopback.shepherd@ietf.org
Subject: Re: [DNSOP] Brian Haberman's No Record on draft-ietf-dnsop-root-loopback-04: (with COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Sep 2015 15:26:25 -0000

Hi Paul,

On 9/30/15 11:18 AM, Paul Hoffman wrote:
> On 30 Sep 2015, at 8:12, Brian Haberman wrote:
> 
>>>> ----------------------------------------------------------------------
>>>> COMMENT:
>>>> ----------------------------------------------------------------------
>>>>
>>>> I can't decide if I should ballot Yes because this document does a good
>>>> job of describing how to deploy this approach or Abstain because the
>>>> fragility introduced in this approach appears to be untenable.
>>>>
>>>> In the meantime, can someone explain why this document is stating a
>>>> requirement to deploy this approach with IPv4 only?
>>>
>>> Yes. Given that this is running on loopback, it doesn't matter if the
>>> service is running on either the v4 or v6 loopback address. Unless a
>>> system running this service has absolutely no v4 at all (it doesn't even
>>> need to be offering v4 service to customers), the v4 loopback address is
>>> sufficient.
>>>
>>> There seems to be wide disagreement about what is the v6 loopback
>>> address: some of these addresses exist on some v6 systems but not
>>> others, or so we were told. If there is a v6 loopback address that is
>>> universally deployed (as 127/8 is for v4), we can add it, although it
>>> won't actually make this more deployable.
>>>
>>> --Paul Hoffman
>>
>> I am not sure how much clearer the definition of IPv6 loopback could be
>> (https://tools.ietf.org/html/rfc4291#section-2.5.3).  Of course, if it
>> is an implementation issue, there is not much the IETF can do.
>>
>> Thanks for the quick response.
> 
> If the WG agrees that 0:0:0:0:0:0:0:1 is always present, we can
> certainly add that to the document. I now cannot find any on-list
> mention of why this isn't useful in all v6-capable systems, so it might
> have been a hallway conversation.


It seems like the WG can cover both address families by simply making
these changes:

OLD:

   o  The system MUST be able to run an authoritative server on one of
      the IPv4 loopback addresses (that is, an address in the range
      127/8).

NEW:

   o  The system MUST be able to run an authoritative server on one of
      the loopback addresses (that is, an address in the range
      127/8 for IPv4 or ::1 in IPv6).

OLD:

   2.  Start the authoritative server with the root zone on a loopback
       address that is not in use.  This would typically be 127.0.0.1,
       but if that address is in use, any address in 127/8 is
       acceptable.

NEW:

   2.  Start the authoritative server with the root zone on a loopback
       address.  This would typically be 127.0.0.1 in IPv4 or ::1 in
       IPv6.

Why does the document say that the address should not be in use?

Brian

v2.23.0 | Report a Bug | By Email