IETF Logo Mail Archive

Re: [IPv6] Second Working Group Last Call for <draft-ietf-6man-rfc6724-update>

Ted Lemon <mellon@fugue.com> Thu, 11 April 2024 20:33 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C5DFC14F705 for <ipv6@ietfa.amsl.com>; Thu, 11 Apr 2024 13:33:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.898
X-Spam-Level:
X-Spam-Status: No, score=-6.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zgCZevnmaPfE for <ipv6@ietfa.amsl.com>; Thu, 11 Apr 2024 13:33:28 -0700 (PDT)
Received: from mail-qk1-x731.google.com (mail-qk1-x731.google.com [IPv6:2607:f8b0:4864:20::731]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04A82C14F702 for <ipv6@ietf.org>; Thu, 11 Apr 2024 13:33:27 -0700 (PDT)
Received: by mail-qk1-x731.google.com with SMTP id af79cd13be357-78d620408f8so11637685a.3 for <ipv6@ietf.org>; Thu, 11 Apr 2024 13:33:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20230601.gappssmtp.com; s=20230601; t=1712867606; x=1713472406; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=kCj7Ayln1XJZesK+HIh7CR6KOTcWz4lUgCYhVkFDVrs=; b=hM9of+M5JeHVt2sKJBD/TYahScPW+F0UJwWlvtvzgRhhVej70ZRq7TmReVpce1I46J ODzSjeQp3V6NidLNkgnLVS8Yb6JLGSDfRNMur34X+RlyBRMLaX3yLNY6xB7PbAIGMWHN 5SeC4A88xm4odWTn91Zk8FxprjcBy6SwC6CPGLTRyyCOLAXHTruKcwpNQnn1xJiQ+J1K C1e2LzgIFO5PLdEZ3MpRVcLNd/YASZQ7t+DvmWxbticqWQhHCmcaCBZMVY1ccO4uGJUT s2uy8FeQhPhWvjYJqRLxm1L5r+5OYg9tysPlYSTyl/nCF3NEv2UaWmiXo4Ce6vizBphm McZQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712867606; x=1713472406; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=kCj7Ayln1XJZesK+HIh7CR6KOTcWz4lUgCYhVkFDVrs=; b=D1jI7+cOfYhNSWzBwTUaDu5cp2r2FybftFc8mxp6NN+a0M5xhJhbyIqewpFegwZGGJ Xk7+PThwhcBquvnXZacwIQuDe4EJw1pt9StVuodAAdEBNpKaYDXYSDvjT1Lw/0iN95DG 6/qcOpngKDp4z93XhQwXXVyaIKZdYU5qqyB0j2b5yXzD5+n+q9VZ0dEbe0vxJGxSyiJ9 7WOruK7siWQjgCWsLtWsJvK6O6n/d+Ow++Er95lKOyRaYiG3IuxG2eSaqFcfszxbsq/g vuUotG02MwhMOdamSU1K2rlYZapWCpZ9LpcrkbxwAyXkwi4BxhOkgVidBf0eTMMolMwh lscg==
X-Forwarded-Encrypted: i=1; AJvYcCV1LHHAeeowanPwfKk1IMx9jaeJ57EeTZcCQvEr65iOEFx94wsudE9qPkPKeilbajF1gCzeWH3Ep6GyvTLq
X-Gm-Message-State: AOJu0YxNbqYbLror3zZzwSU4ajRFk8OdCPHJ4EAX4BZ8PZrAQIkxRsUs /kMqqAcfzS0DKwFyTP/IiZbxNNj39hD5DmWC4ztdMhzk9ayZwDK2q3k3pnTFsSUk5TrBEpFA06O 9IWWofh5TQlGpBI8oyjXDWlP5Uu7DPzGA1P18oQ==
X-Google-Smtp-Source: AGHT+IGeLb+7x+67TykNovsKeG4tMZPNLGgm7B2DhSxMsigfQT+V+xPiymBPq5K8xa0MUL00gMxc8uVPBEqQ2PIZMfY=
X-Received: by 2002:a0c:fb4d:0:b0:69b:4502:3fe5 with SMTP id b13-20020a0cfb4d000000b0069b45023fe5mr964675qvq.2.1712867606609; Thu, 11 Apr 2024 13:33:26 -0700 (PDT)
MIME-Version: 1.0
References: <6A5E5F35-B35F-4358-8EE1-3BD82329141E@jisc.ac.uk> <6FBC1B5A-BF28-4B05-B2B2-A60DA4707755@gmail.com> <CAPt1N1m-Ye8vfOVnsPesFshLMV5QuVoxWqM=HVZiJ37zaBg6AA@mail.gmail.com> <CAKD1Yr1NTvFj0zB0=+nnUKck7TBtwHFz2XoFkD1smx4yCuZohQ@mail.gmail.com> <CAJU8_nWyE5TqBTXB9wfSkn6refaqYNVN967YAtCp-0VMk-5qWQ@mail.gmail.com> <CAPt1N1mqszfafMMY=54ezpoRymoy=bBjeVnWzxj6A27smR1eig@mail.gmail.com> <CAJU8_nWDDfwWEoahU4dqTEh3_HCq2UfpkFjefnXohb+5DAbjew@mail.gmail.com> <CAPt1N1nTJ1sDEQrn1iNUbvreu5bt0BweWgX7iOw6fmPgNBvUqw@mail.gmail.com> <CAJU8_nWsg=eGxu59akfB0+pOTJ-TYud-a_wGhtgnpp1RizVhrw@mail.gmail.com> <CAPt1N1nbTuSH4GGrimFAxe3YqTLbhiTX5KVjYsw+JRjoadzzrw@mail.gmail.com> <CAN-Dau36qjfT5YCPWAhko-RKjj3Cqeo-r9csM0fOadcdehvhBQ@mail.gmail.com>
In-Reply-To: <CAN-Dau36qjfT5YCPWAhko-RKjj3Cqeo-r9csM0fOadcdehvhBQ@mail.gmail.com>
From: Ted Lemon <mellon@fugue.com>
Date: Thu, 11 Apr 2024 16:32:50 -0400
Message-ID: <CAPt1N1kTv189Binap2r6PT-w2VbW31KGibSf_iPGPnnQ90CdYA@mail.gmail.com>
To: David Farmer <farmer@umn.edu>
Cc: Kyle Rose <krose@krose.org>, Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>, Bob Hinden <bob.hinden@gmail.com>, IPv6 List <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003d7cbc0615d8111f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/7YzlVVQ02GJ5G1sgfR0JBgL9ue0>
Subject: Re: [IPv6] Second Working Group Last Call for <draft-ietf-6man-rfc6724-update>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Apr 2024 20:33:30 -0000

Hm. In general I suspect that most of the time the stuff that's going to
get both a ULA and a GUA in the DNS doesn't need to be visible from outside
of a firewall. Like, the name isn't needed. I think it's very unlikely that
any resource that's ever going to go through a CDN would make sense to
advertise with a ULA. So I am not particularly attached to using ULAs in
names that are globally reachable.

But as you say, this is not a distinction that exists in the protocol
specification. So I agree with Kyle that it doesn't make sense to advertise
internal stuff globally with ULAs, and I agree with you that there are
plenty of domain names that are going to have AAAA records on them
containing ULAs as well as GUAs. I don't think this is quite contradictory.
Like, it's hard for me to imagine a situation where it would make sense for
the name www.google.com, even if it had AAAA records on it, to have AAAA
records containing ULAs.

On the other hand, names under internal.example.com might well have ULAs on
them. If these are discoverable from the Internet, that doesn't really
matter, because they are only intended for internal users. But generally
speaking internal resources are only accessible through a VPN anyway, so
it's a moot point—you're probably never going to see that delegation
answered on the Internet, and even if you did, there would be no real point
to putting GUAs in the delegation because anybody who needs to reach one of
those hosts has the VPN up, and if they don't we don't want those hosts to
be reachable.

On Thu, Apr 11, 2024 at 2:27 PM David Farmer <farmer@umn.edu> wrote:

>
> On Thu, Apr 11, 2024 at 8:29 AM Ted Lemon <mellon@fugue.com> wrote:
>
>> On Thu, Apr 11, 2024 at 8:51 AM Kyle Rose <krose@krose.org> wrote:
>>
>>> On Thu, Apr 11, 2024 at 8:41 AM Ted Lemon <mellon@fugue.com> wrote:
>>>
>>>> But this is counterfactual. Rght now if you publish a ULA in the global
>>>> DNS, it will not cause a delay because no host with IPv6 connectivity will
>>>> try to connect to it. We only run into a problem if we decide to prefer all
>>>> ULAs over all IPv4 addresses. That /will/ in fact cause delays.
>>>>
>>>
>>> Because something is misconfigured. Right now, that misconfiguration is
>>> hidden, and becomes visible only when IPv4 connectivity is broken for
>>> whatever reason. Fix the glitch, which is the ULA in global DNS.
>>>
>>
>> Kyle, I don't know if you can see this from where you're sitting, but you
>> are making a religious argument here. It is not a misconfiguration to put a
>> ULA in the DNS right now in the sense that it causes a problem. It's a
>> misconfiguration because it doesn't match your mental model of How Things
>> Should Be.
>>
>> I don't entirely disagree with you about this—I don't think that we ought
>> to put ULAs in the global DNS. But I don't actually have a solid argument
>> against Lorenzo's position—I just don't happen to agree with it.
>>
>
> I disagree with both of you. The distinction between local and global DNS
> only exists in the human mind. It doesn't exist in the DNS protocol or on
> the wire, except for the relatively recent availability of the .local
> zone.  And even with .local, there is no way to distinguish between
> different instances of .local. You don't know if a .local query is for or
> if the response is from your instance or my instance of .local. Except for
> the .local zone, there is no way to know if a query is intended to be
> global or local or if a response is global or local. The protocol on the
> wire is identical, and any distinction is a fiction of the human mind.
>
> Furthermore, ULAs are global in scope, and if implemented correctly, they
> are effectively unique globally. The only real question is whether they are
> reachable or not, and preferring known-local ULAs and not other ULAs speaks
> directly to the reachability question. Whether or not the ULAs belong in
> the DNS or not, and how the DNS is configured, is irrelevant. The real
> question is only if they are reachable or not, and again, known-local ULAs
> resolve this question.
>
> Thanks
>
>
>
> --
> ===============================================
> David Farmer               Email:farmer@umn.edu
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE        Phone: 612-626-0815
> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> ===============================================
>

v2.23.0 | Report a Bug | By Email