IETF Logo Mail Archive

Re: [DNSOP] Working Group Last Call draft-ietf-dnsop-isp-ip6rdns

Stephane Bortzmeyer <bortzmeyer@nic.fr> Fri, 29 April 2016 08:59 UTC

Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C56312D09E for <dnsop@ietfa.amsl.com>; Fri, 29 Apr 2016 01:59:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.896
X-Spam-Level:
X-Spam-Status: No, score=-7.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.996] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iLlChoG4sAjw for <dnsop@ietfa.amsl.com>; Fri, 29 Apr 2016 01:59:22 -0700 (PDT)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B7DB12B04D for <dnsop@ietf.org>; Fri, 29 Apr 2016 01:59:22 -0700 (PDT)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id 8EB9D280165; Fri, 29 Apr 2016 10:59:20 +0200 (CEST)
Received: from relay1.nic.fr (relay1.nic.fr [192.134.4.162]) by mx4.nic.fr (Postfix) with ESMTP id 89472280149; Fri, 29 Apr 2016 10:59:20 +0200 (CEST)
Received: from bortzmeyer.nic.fr (unknown [IPv6:2001:67c:1348:7::86:133]) by relay1.nic.fr (Postfix) with ESMTP id 822764C0040; Fri, 29 Apr 2016 10:58:50 +0200 (CEST)
Date: Fri, 29 Apr 2016 10:58:50 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Tim Wicinski <tjw.ietf@gmail.com>
Message-ID: <20160429085850.GB28160@nic.fr>
References: <9c79a64e-9317-75fd-6592-25fd76cfd47f@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <9c79a64e-9317-75fd-6592-25fd76cfd47f@gmail.com>
X-Operating-System: Debian GNU/Linux stretch/sid
X-Kernel: Linux 4.3.0-1-686-pae i686
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/EDoz70_qyF_LIP-KPGcfOQV4Rpw>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Working Group Last Call draft-ietf-dnsop-isp-ip6rdns
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Apr 2016 08:59:24 -0000

On Mon, Apr 25, 2016 at 04:50:42PM -0400,
 Tim Wicinski <tjw.ietf@gmail.com> wrote 
 a message of 24 lines which said:

> This starts a Working Group Last Call  for draft-ietf-dnsop-isp-ip6rdns

Summary: I think it must *not* be published as it is.

The biggest problem is that it fails to explain why it is necessary to
provide a PTR. RFC 1912, quoted, is just informational and its
sentence "Every Internet-reachable host should have a name" does not
use RFC 2119 terms. RFC 1912 was written in 1996 when one computer per
home was already a lot! Now, every home has four or five connected
machines and it will probably increase a lot in the next years. I see
no point in giving a PTR to any Internet-connected printer or
webcam. (And it raises privacy issues, see my last remark.)

It seems this document did not take into account the lessons from the
failure of draft-ietf-dnsop-reverse-mapping-considerations (which is
in the references but never mentioned in the draft, something that the
RFC editor will complain about). Basically, it seems there is no
consensus inside IETF about the PTR so this draft should be careful.

Now, the details:

> Some network services perform a PTR lookup on the source address of
> incoming packets before performing services.

True, but it does not say what they do with the result. Example: by
default, Postfix does a PTR request on the IP address of the incoming
client but, by default, does nothing if it returns a NXDOMAIN.

> 2.1.  Negative Response

The entire paragraph is very confused and mixes a timeout and a
NXDOMAIN. It must be rewritten to say that timeouts (whether because a
lame delegation or not) MUST NOT happen but a NXDOMAIN is a perfectly
legitimate response.

> In fact, this kind of delegation will not work for devices complying
> with [RFC6092], which includes the requirement,

This requirment is for resolvers (because of RFC 5358) and does not
apply here where you talk about authoritative service.

> Most users have neither the equipment nor the expertise to run DNS
> servers, so this option is unavailable to the residential ISP.

Let's be more careful: "this option cannot be a general solution today
to the residential ISP."

> Providing location information in PTR records is useful for
> troubleshooting, law enforcement, and geolocation services, but for
> the same reasons can be considered sensitive information.

You could also mention that these information are not validated in any
way; the people can lie. And, if you force them to provide a PTR, they
will lie, for privacy reasons.

v2.23.0 | Report a Bug | By Email