Re: [DNSOP] New Version Notification for draft-adpkja-dnsop-special-names-problem-00.txt

"Patrik Fältström " <paf@frobbit.se> Wed, 25 November 2015 05:40 UTC

Return-Path: <paf@frobbit.se>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E7931B29F1 for <dnsop@ietfa.amsl.com>; Tue, 24 Nov 2015 21:40:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.836
X-Spam-Level:
X-Spam-Status: No, score=-1.836 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H-iahy4vsrrf for <dnsop@ietfa.amsl.com>; Tue, 24 Nov 2015 21:40:11 -0800 (PST)
Received: from mail.frobbit.se (mail.frobbit.se [IPv6:2a02:80:3ffe::176]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D183E1B29F3 for <dnsop@ietf.org>; Tue, 24 Nov 2015 21:40:10 -0800 (PST)
Received: from [10.43.7.39] (static-212-247-252-109.cust.tele2.se [212.247.252.109]) by mail.frobbit.se (Postfix) with ESMTPSA id 37301204C7; Wed, 25 Nov 2015 06:40:08 +0100 (CET)
From: Patrik Fältström <paf@frobbit.se>
To: Joe Abley <jabley@hopcount.ca>
Date: Wed, 25 Nov 2015 06:40:05 +0100
Message-ID: <EB6AB6D0-8808-49C2-90DE-F4E6E146BDE8@frobbit.se>
In-Reply-To: <68818B75-F6F6-44A1-BAF5-BB68B7BD86F6@hopcount.ca>
References: <20151019232608.9713.92337.idtracker@ietfa.amsl.com> <68818B75-F6F6-44A1-BAF5-BB68B7BD86F6@hopcount.ca>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_A9D92D2B-7747-40BC-9F60-592972520B49_="; micalg="pgp-sha1"; protocol="application/pgp-signature"
X-Mailer: MailMate (1.9.3r5184)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/AV2r_ZRtAxmtXkNvihqTFsdKJL4>
Cc: dnsop WG <dnsop@ietf.org>
Subject: Re: [DNSOP] New Version Notification for draft-adpkja-dnsop-special-names-problem-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2015 05:40:13 -0000

Hi,

I have read this draft and have a number of comments. I can not say these are the only ones, but at least some :-)

   The dominant protocol for name resolution on the Internet is the
   Domain Name System (DNS).  However, other protocols exist that are
   fundamentally different from the DNS, but which have syntactically-
   similar namespaces.

I claim that if it is syntactically similar and the names are used interchangeable in protocols (see below) we actually DO talk about use of the same namespace. This is the camel in the tent, and I think we should just admit, or say clearly whether we do talk about, which I think we do, one name space with multiple resolution mechanisms.

   When an end-user triggers resolution of a name on a system which
   supports multiple, different protocols for name resolution, it is
   desirable that the protocol to be used is unambiguous, and that
   requests intended for one protocol are not inadvertently addressed
   using another.

It is not so much different protocols as different resolution mechanisms. If you say "protocol" here, it might sounds like if with the DNS protocol you can not use multiple different resolution mechanisms (which I think one can -- one of them using the root managed by ICANN).

   Such usage, which a few commenters have referred to as "protocol
   switching," is not limited to "protocol switch" in the strict sense
   of indicating specific protocols on the wire.  It could indicate to
   switch to another name space (eg .onion), use a different protocol
   (eg tor, or mdns), or indicate to use a local DNS scope by not using
   the DNS root for name resolution (eg .home in homenet) or something
   else altogether.

It is important (which I think also Stephane indicated) that we talk about different resolution mechanisms for the name itself. We do not talk about how to access the service in question.

   At the time of writing, three top-level domain names reserved by
   inclusion in the Registry are used by name resolution protocols other
   than the DNS:

      LOCALHOST is used to refer to the host on which the name
      resolution takes place, without reference to the DNS;

      LOCAL is used by the Multicast DNS protocol specified in [RFC6762]
      which is similar in some respects to the DNS, but which uses
      different well-known port number and is limited to a particular
      multicast scope;

      ONION is used to construct names that designate anonymous hidden
      services reachable via the Tor network using onion routing.

I think a better text to describe ONION would be:

      ONION is used to construct names that designate
      services reachable via the Tor network using onion routing.

What about EXAMPLE?

   The lack of a more elegant way to specify a
   name resolution protocol in (for example) a URI amounts to an
   architectural oversight.

Well...in the architecture we have both the URI scheme and if you look further the URN definition to manage all different kind of switches. And we do not have to wake up the old discussion again whether HTTP://EXAMPLE.COM/ in reality should be URI:HTTP://EXAMPLE.COM/

I think the key issue here is that the different "strings" that look like "domain names" (i.e. are within the same name space) are used interchangeable wherever in the URI (or even URN) definition where "domain names" are to be used.

   If we accept the notion that the most significant label of a domain
   name is actually a protocol switch, it implies that we are actually
   building a catalog of all top level domains that explain which are
   are switches.

What about not-yet-allocated strings in this catalog?

I think it is important to say that as of today (at least), the default resolution mechanism is to use the DNS, although a non-existing string today imply one apply the search path algorithm to chase down names.

   In the case of [I-
   D.ietf-dnsop-onion-tld], leakage of ONION queries on the Internet
   might lead to disclosure of private information that, in some cases,
   might pose a risk to the personal safety of end-users.

More, less or similar to leakage when people use non-FQDN and their search path create surprises?

   This document aims to provide a problem statement that will inform
   future work.  Whilst security and privacy are fundamental
   considerations, this document expects that that future work will
   include such analysis, and hence no attempt is made to do so here.

See among other places SAC-057 <https://www.icann.org/en/system/files/files/sac-057-en.pdf>

   Patrik