Re: [DNSOP] Review of draft-livingood-dns-redirect-00
Dave CROCKER <dhc2@dcrocker.net> Fri, 17 July 2009 17:02 UTC
Return-Path: <dhc2@dcrocker.net>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C0C513A6886 for <dnsop@core3.amsl.com>; Fri, 17 Jul 2009 10:02:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yfNACTE3XvKE for <dnsop@core3.amsl.com>; Fri, 17 Jul 2009 10:02:02 -0700 (PDT)
Received: from sbh17.songbird.com (unknown [IPv6:2001:470:1:76:0:ffff:4834:7147]) by core3.amsl.com (Postfix) with ESMTP id 52B543A6B32 for <dnsop@ietf.org>; Fri, 17 Jul 2009 10:02:01 -0700 (PDT)
Received: from [10.39.142.45] ([131.107.204.126]) (authenticated bits=0) by sbh17.songbird.com (8.13.8/8.13.8) with ESMTP id n6HH2LoR009728 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 17 Jul 2009 10:02:29 -0700
Message-ID: <4A60AE97.1090701@dcrocker.net>
Date: Fri, 17 Jul 2009 10:02:15 -0700
From: Dave CROCKER <dhc2@dcrocker.net>
Organization: Brandenburg InternetWorking
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)
MIME-Version: 1.0
To: "Livingood, Jason" <Jason_Livingood@cable.comcast.com>
References: <C67B83C4.E855%Jason_Livingood@cable.comcast.com>
In-Reply-To: <C67B83C4.E855%Jason_Livingood@cable.comcast.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0 (sbh17.songbird.com [72.52.113.17]); Fri, 17 Jul 2009 10:02:31 -0700 (PDT)
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Review of draft-livingood-dns-redirect-00
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: dcrocker@bbiw.net
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jul 2009 17:02:03 -0000
Jason, et al, This note suggests changes in both style and detail in draft-livingood-dns-redirect-00. All of the points made here have been made or suggested by others in this thread; my intent is to underscore and elaborate on those points, rather than to challenge development and publication of the draft. I’ve seen enough postings to convince me that there actual is existing practice with significant deployment. The goal of the draft is to document that behavior. Debating whether the mechanism is ever reasonable or appropriate to deploy – and what alternatives might be more reasonable and appropriate might be productive, but not as part of the current exercise. The current exercise is one of technical specification. Given the coincidental timing, however, it’s worth citing a paper being presented at the CEAS conference today: Anti-Phishing Landing Page: Turning a 404 into a Teachable Moment for End Users <http://ceas.cc/papers-2009/ceas2009-paper-37.pdf> A few specific points: As with others, I think the draft needs to remove its promotional, persuasive or legalistic vocabulary. It’s a technical document, attempting to specify existing practice. So it should focus on technical details and operational trade-offs, without trying to sell the reader or protect against lawsuits. When the document recommends a particular choice, it should simply use RFC 2119 vocabulary. To the extent that there are tradeoffs, simply state what they are and which one(s) the document prefers (and possibly in what context.) That is, what technical or operational characteristics provide the basis for a particular recommendation? The long thread of discussion on the dnsop list has cited a number of alternative mechanisms for accomplishing the same, or similar, goals as the one described in the draft. To properly establish the context for use of this particular mechanism, the draft should diligently include all of these in its discussion of background, choices and tradeoffs. Not to debate the alternatives, and not to provide an extensive tutorial, but to explain the pragmatic reasons that the mechanism being specified is (regularly?) chosen in preference to those alternatives. The thread discussion has also produced references to a small, but very interesting, set of RFCs. These documents provide a rich background of relevant material; so the draft should carefully include each of these citations and discuss them in terms of the draft. Besides being basic due diligence, such a discussion might mitigate some people’s concerns about the mechanism specified in the draft. The draft’s discussion about the presence of DNSSec contains a nice case analysis of various configurations and scenarios, explaining how the mechanism works within each scenario. However it is easy to miss a key fact that the draft should provide in a simple, summary statement: When DNSSec validation is performed by the user’s resolver, this mechanism will fail. While the user will be denied access to the potentially problematic address, they will not not land at the alternative address. That is, this mechanism has long-term viability only when a user’s resolver does not implement DNSSec and, instead, relies on their operational infrastructure to validate DNS data. The draft specifies a mechanism that appears to work properly only for a single application service, namely the Web. Yet it characterizes all other services as exceptions. Instead, the draft should cast the mechanism as intended only for a single application and should provide substantive discussion about either how other services will continue to operate or why disrupting them is acceptable. This discussion is really the basis for understanding when the mechanism can be practical to deploy and when it cannot. A deeper issue: The draft demonstrates some confusion about the architectural role of the service it is specifyhing. Various postings on the mailing list discussion have offered a variety of alternative labels to refer to the mechanism; this serves to highlight the potential for misunderstanding what the specified service really is and when it is really reasonable to use. This could be caused by a pervasive confusion about the model for DNS service that this draft is affecting. A cliché in the technical community is that the only lesson of the Internet is scaling. While scaling to the level of a global Internet does teach quite a lot, its lesson does not seem to be as challenging as that of mediation. Networking is about mediated exchange. At every level, and for nearly all services, mediation mechanisms come into play: Between two principals, there are typically agents in the path, providing assistance. Some assistance is simply routing and forwarding. Other assistance plays with the payload. Assistance can be supplied by an agent of one of the principals – that is, at one end of the path – or by an independent operator along the path. These are important differences. IP routers and email relays, for example, route and forward an object (and its header) without modifying either. NATs, v4/v6 gateways and email gateways dive into the object (and its header) and make substantive – semantic – changes. Changing the endpoint identifier – that is, specification of the target address – is a major change, every bit as much as changing the “content”. The draft specifies a mechanism that does both. DNS vocabulary uses the word “resolver” to refer to one of the end-points and potentially one or more of the mediators in an exchange. This can be confusing. Equally, the term “redirect” is historically used to refer to a response by a principal, to specify an alternative address for the desired information. In contrast, in the draft, the term is used by 1) an intermediary, 2) to change the underlying nature of the provided information. As such, the mechanism is not a “resolver”. It is something else. In other words, the nature and details of the specified mechanism are quite different than what its terminology is typically used for. So I suggest changing the vocabulary and discussion, to avoid the confusion. Getting a usable term that is both noticeably different from “resolver” and meaningfully descriptive appears to be a challenge. “Intercept” is tantalizing but semantically inaccurate. “Proxy” might be the best compromise term, since other proxies tend to do translations, too. Personally, I’d wish for a word that is a little more striking, since the function is striking, but “proxy” is the best I’ve been able to come up with. What is essential is to make sure that the label does not permit one to think that this module is anything like a normal resolver. As with others, I suspect it is important to have the document more strongly distinguish between modified behaviors that occur because a government requires it, versus those triggered by some sort of blocklist, versus a simple NXDomain response. While the draft already cites these distinctions, I suspect there are design and/or operational differences for the different cases. At the least, the potential for differential handling should be discussed. If they all result in the same processing, that should be explained. Most importantly, the specification needs to characterize the environments in which it can be successfully deployed, versus others whereas it cannot. My current understanding is that the mechanism can work acceptably only in walled gardens (edge networks), where the operator has defined a substantially constrained user environment. In such places, email and other services are highly mediated by the operator. So the describee mechanism does not get in their way. Being clear about the pragmatic constraints that are required appears to be an interesting challenge for the paper. d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Roy Arends
- [DNSOP] Review of draft-livingood-dns-redirect-00 Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Stephane Bortzmeyer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Stephane Bortzmeyer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Evan Hunt
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Hoffman
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Florian Weimer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Florian Weimer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Dan Wing
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Ralf Weber
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Jelte Jansen
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Florian Weimer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Florian Weimer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Jelte Jansen
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Tony Finch
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Antoin Verschuren
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Roy Arends
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Tony Finch
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Rose, Scott W.
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Ray.Bellis
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Hoffman
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Wouters
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Todd Glassey
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Hoffman
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Andrew Sullivan
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… YAO Jiankang
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Alan Barrett
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Ray.Bellis
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Tony Finch
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Suzanne Woolf
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Suzanne Woolf
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Hoffman
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Andrew Sullivan
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Stephane Bortzmeyer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Stephane Bortzmeyer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Stephane Bortzmeyer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… k claffy
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Wouters
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Andrew Sullivan
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Hoffman
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Tony Finch
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Hoffman
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Roy Arends
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Wouters
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Wouters
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Mark Andrews
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Wouters
- Re: [DNSOP] Review of draft-livingood-dns-redirec… George Barwood
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Mark Andrews
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Wouters
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Eric Brunner-Williams
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Mark Andrews
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Stephane Bortzmeyer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Stephane Bortzmeyer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Florian Weimer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Florian Weimer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Wouters
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Andreas Gustafsson
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Hoffman
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Andrew Sullivan
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Stephane Bortzmeyer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Tony Finch
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Florian Weimer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Jeroen Massar
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Florian Weimer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Tony Finch
- Re: [DNSOP] Review of draft-livingood-dns-redirec… David Conrad
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Suzanne Woolf
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Wouters
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Florian Weimer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Jeroen Massar
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Tony Finch
- Re: [DNSOP] Review of draft-livingood-dns-redirec… David Conrad
- Re: [DNSOP] Review of draft-livingood-dns-redirec… David Conrad
- [DNSOP] DNS redirection for fun and profit Jim Reid
- Re: [DNSOP] DNS redirection for fun and profit David Conrad
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Mark Andrews
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Antoin Verschuren
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Andreas Gustafsson
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Jim Reid
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Jim Reid
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Eric Brunner-Williams
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Hoffman
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Hoffman
- Re: [DNSOP] Review of draft-livingood-dns-redirec… John Schnizlein
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Dave CROCKER
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Rob Austein