Re: [DNSOP] Proposal for a side-meeting on services centralization at IETF 104 Prague

Paul Vixie <paul@redbarn.org> Thu, 14 March 2019 05:32 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EFD012705F; Wed, 13 Mar 2019 22:32:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8eq3u_5h-ckt; Wed, 13 Mar 2019 22:32:52 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 337FD127994; Wed, 13 Mar 2019 22:32:52 -0700 (PDT)
Received: from linux-9daj.localnet (vixp1.redbarn.org [24.104.150.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 4A608892C6; Thu, 14 Mar 2019 05:32:51 +0000 (UTC)
From: Paul Vixie <paul@redbarn.org>
To: Ted Lemon <mellon@fugue.com>
Cc: dnsop@ietf.org, Vittorio Bertola <vittorio.bertola@open-xchange.com>, doh@ietf.org, dns-privacy@ietf.org, hrpc@irtf.org
Date: Thu, 14 Mar 2019 05:32:48 +0000
Message-ID: <4425132.CsHbCTgi9Z@linux-9daj>
Organization: Vixie Freehold
In-Reply-To: <D97261BB-1D62-400F-8EBD-886B5BA586BD@fugue.com>
References: <20190311170218.o5hitvysuefhjjxk@nic.fr> <2044747.4WdMZHU4Qz@linux-9daj> <D97261BB-1D62-400F-8EBD-886B5BA586BD@fugue.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/T1eJpsO7BP2C2JVBGlFOLpxsT9w>
Subject: Re: [DNSOP] Proposal for a side-meeting on services centralization at IETF 104 Prague
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2019 05:32:54 -0000

On Thursday, 14 March 2019 00:48:53 UTC Ted Lemon wrote:
> On Mar 12, 2019, at 2:52 PM, Paul Vixie <paul@redbarn.org> wrote:
> > please do not relegate discussions about the loss of operator control over
> > the RDNS control plane
> 
> Although it’s certainly true that DNS is used as a control plane by many
> operators, there is no standard “RDNS control plane.”   ...

i don't think lack of standardization is the same as not existing. devices 
which honour the dhcp-assigned rdns service, work as expected, and as 
intended. devices who ignore that setting and seek their own rdns by their own 
internal configuration, will often not work at all.

because many of us amend our locally visible dns namespace with things like 
.corp or .home or .local, it's even more vital that devices respect the rdns 
assignment i make. the dns content i want to be visible on my network, have to 
be visible on my network.

because many of us won't allow pirate or malware or otherwise undesired DNS 
lookups to succeed, either because we don't like the name, or we don't like 
the result of the query, or we don't like some name server that would be 
involved in resolving it. the dns content i don't want to be visible on my 
network, have to not be visible on my network.

from the days before dhcp when we typed these numbers in by hand, until now, 
it has always been the expectation that rdns was part-and-parcel of local 
network service. no different in that regard from dhcp or arp, neither of 
which is standardized under the heading, "control plane", yet, are.

so i think i'm not going to follow you down this terminological rabbit hole. 
the reason that internet creations of yours will work better on my network if 
you treat the rdns as part of my control plane is, because it's my network and 
that's how i operate it. you're not welcome to bypass it, nor answer dhcp 
requests when you're not my dhcp server, nor answer arp requests when you 
aren't the device i assigned that address to.

you can call that tautological if you wish. but it's the life my networks 
lead. external DoH providers are explicitly not welcome to provide service to 
malware or intruders who get into my network -- because rdns is part of my 
control plane, and like arp and dhcp, i control it and i monitor it, for 
$reasons.

> The problem with the discussion we’ve been having about DoH and how it
> affects your “RDNS control plane” is that we’re talking past each other,
> not that the discussion should be had elsewhere.   It’s fine for there to
> be a discussion, but if there is going to be a discussion, participants
> need to engage constructively, and not just fling slogans at each other.

i think i've flung considerably more than slogans, and, it's been exhausting.

vixie