Re: [DNSOP] Brian Haberman's No Record on draft-ietf-dnsop-root-loopback-04: (with COMMENT)

["Paul Hoffman" <paul.hoffman@vpnc.org>]

On 30 Sep 2015, at 8:26, Brian Haberman wrote:

>>>>> ----------------------------------------------------------------------
>>>>> COMMENT:
>>>>> ----------------------------------------------------------------------
>>>>>
>>>>> I can't decide if I should ballot Yes because this document does a 
>>>>> good
>>>>> job of describing how to deploy this approach or Abstain because 
>>>>> the
>>>>> fragility introduced in this approach appears to be untenable.
>>>>>
>>>>> In the meantime, can someone explain why this document is stating 
>>>>> a
>>>>> requirement to deploy this approach with IPv4 only?
>>>>
>>>> Yes. Given that this is running on loopback, it doesn't matter if 
>>>> the
>>>> service is running on either the v4 or v6 loopback address. Unless 
>>>> a
>>>> system running this service has absolutely no v4 at all (it doesn't 
>>>> even
>>>> need to be offering v4 service to customers), the v4 loopback 
>>>> address is
>>>> sufficient.
>>>>
>>>> There seems to be wide disagreement about what is the v6 loopback
>>>> address: some of these addresses exist on some v6 systems but not
>>>> others, or so we were told. If there is a v6 loopback address that 
>>>> is
>>>> universally deployed (as 127/8 is for v4), we can add it, although 
>>>> it
>>>> won't actually make this more deployable.
>>>>
>>>> --Paul Hoffman
>>>
>>> I am not sure how much clearer the definition of IPv6 loopback could 
>>> be
>>> (https://tools.ietf.org/html/rfc4291#section-2.5.3).  Of course, if 
>>> it
>>> is an implementation issue, there is not much the IETF can do.
>>>
>>> Thanks for the quick response.
>>
>> If the WG agrees that 0:0:0:0:0:0:0:1 is always present, we can
>> certainly add that to the document. I now cannot find any on-list
>> mention of why this isn't useful in all v6-capable systems, so it 
>> might
>> have been a hallway conversation.
>
>
> It seems like the WG can cover both address families by simply making
> these changes:
>
> OLD:
>
>  o  The system MUST be able to run an authoritative server on one of
>     the IPv4 loopback addresses (that is, an address in the range
>     127/8).
>
> NEW:
>
>  o  The system MUST be able to run an authoritative server on one of
>     the loopback addresses (that is, an address in the range
>     127/8 for IPv4 or ::1 in IPv6).
>
> OLD:
>
>  2.  Start the authoritative server with the root zone on a loopback
>      address that is not in use.  This would typically be 127.0.0.1,
>      but if that address is in use, any address in 127/8 is
>      acceptable.
>
> NEW:
>
>  2.  Start the authoritative server with the root zone on a loopback
>      address.  This would typically be 127.0.0.1 in IPv4 or ::1 in
>      IPv6.
>
> Why does the document say that the address should not be in use?

I'll add the v4/v6 wording to the post-IESG-review draft unless there is 
objection in the WG.

John Levine just answered your question about why the address might 
already be in use, which was something that was brought up in the early 
discussion of this draft in the WG. It means that you can't run both 
this and some other DNS-listening task on ::1, whereas you can run both 
on different addresses in 127/8. We'll cover that in the new wording.

--Paul Hoffman