Re: [mif] [DNSOP] [dnsext] 2nd Last Call for MIF DNS server selection document

Keith Moore <moore@network-heretics.com> Mon, 24 October 2011 12:16 UTC

Return-Path: <moore@network-heretics.com>
X-Original-To: mif@ietfa.amsl.com
Delivered-To: mif@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97AB221F8D07; Mon, 24 Oct 2011 05:16:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.361
X-Spam-Level:
X-Spam-Status: No, score=-3.361 tagged_above=-999 required=5 tests=[AWL=-0.362, BAYES_00=-2.599, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FvmIR3Gn0xsE; Mon, 24 Oct 2011 05:16:21 -0700 (PDT)
Received: from out5.smtp.messagingengine.com (out5.smtp.messagingengine.com [66.111.4.29]) by ietfa.amsl.com (Postfix) with ESMTP id B413C21F8D06; Mon, 24 Oct 2011 05:16:21 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.mail.srv.osa [10.202.2.43]) by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id 2C8A0200CE; Mon, 24 Oct 2011 08:16:21 -0400 (EDT)
Received: from frontend2.nyi.mail.srv.osa ([10.202.2.161]) by compute3.internal (MEProxy); Mon, 24 Oct 2011 08:16:21 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=subject:mime-version:content-type:from :in-reply-to:date:cc:content-transfer-encoding:message-id :references:to; s=smtpout; bh=UmQDL+lxJSKsSYskY8PEi/zl51Q=; b=Q/ OdCbFI4DrI5390aHKwofEJs5wiLNbOsOL1oFdbX4547tPKTKK8log8HJHi0I11K9 K8qmehl+buwAHP37Bk+Sjwn8Ofm5hW2IY9CoAfk2tEf0D/xDa4HG/GkW+OObAOhX BoSNlUreY046ykOjtgbGj1yCcmXrbNBbbw7vtX2/g=
X-Sasl-enc: nGCVSs1QPiuJ+WId8Q20kbu/o7g5mPJG///tgD0gq41j 1319458580
Received: from [192.168.1.16] (host65-16-145-177.birch.net [65.16.145.177]) by mail.messagingengine.com (Postfix) with ESMTPA id B08764833D6; Mon, 24 Oct 2011 08:16:18 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Keith Moore <moore@network-heretics.com>
In-Reply-To: <AFC2B32D1BE5A9E449B8D8A1@Ximines.local>
Date: Mon, 24 Oct 2011 08:16:17 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <FAB38B5D-9B44-4B25-9268-9DE4A5DDC9FE@network-heretics.com>
References: <F2045A70-6314-41CF-AC3C-01F1F1ECF84C@network-heretics.com> <96472FB7-8425-4928-8F55-2ABF2CB59A93@conundrum.com> <628C128E-BDA8-46C3-BF07-364A482FE199@network-heretics.com> <20111024.080822.74700976.sthaug@nethelp.no> <59274CC1-611A-445B-A1CF-A0F49329DC1F@network-heretics.com> <E68B291B136EE9E8CFBF68F0@Ximines.local> <EEE0996F-FE4D-4ECF-A685-DD69DFCC87B9@network-heretics.com> <AFC2B32D1BE5A9E449B8D8A1@Ximines.local>
To: Alex Bligh <alex@alex.org.uk>
X-Mailer: Apple Mail (2.1084)
X-Mailman-Approved-At: Mon, 24 Oct 2011 05:42:10 -0700
Cc: mif@ietf.org, matt@conundrum.com, dnsop@ietf.org, dnsext@ietf.org, pk@isoc.de, dhcwg@ietf.org, denghui02@hotmail.com
Subject: Re: [mif] [DNSOP] [dnsext] 2nd Last Call for MIF DNS server selection document
X-BeenThere: mif@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multiple Interface Discussion List <mif.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mif>, <mailto:mif-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mif>
List-Post: <mailto:mif@ietf.org>
List-Help: <mailto:mif-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mif>, <mailto:mif-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2011 12:16:22 -0000

On Oct 24, 2011, at 7:55 AM, Alex Bligh wrote:

> 
> 
> --On 24 October 2011 07:29:55 -0400 Keith Moore <moore@network-heretics.com> wrote:
> 
> 
>>>> I'm just pointing out that for the vast majority of the contexts in
>>>> which domain names are used, the expectation is that a domain name that
>>>> contains a "." is fully-qualified.
>>> 
>>> This is sampling bias.
>> 
>> No, I don't think so.  The vast majority of contexts where domain names
>> are used, are contexts in which the domain is supplied by one party and
>> (at least potentially) used by another party.  Email addresses, URLs,
>> domain names written on advertisements and business cards, etc.
> 
> Of course, but that explicitly excludes every case where a search
> list is useful.

That's the point - search lists are not appropriate most of the time, and it's very hard for software to distinguish the cases where they are potentially appropriate from the cases when they're not, and it's not possible for software to do this in all cases.

The presence or absence of a '.' is a simple and easily-understood convention.  It might be somewhat inconvenient for large organizations that currently rely on search lists for multi-label names, but overall that's a small price to pay in exchange for having consistent behavior of domain names across the board.  

The only reason that those organizations have managed to get away with it so far is that TLDs (particularly TLDs with more than 2 characters) have been relatively few in number.  But with vanity TLDs this will no longer be the case.

>>> The question here should be "where search lists are used, are
>>> they frequently used in combination with domain names that
>>> are not fully qualified". I would suggest the answer to this
>>> question is "yes".
>> 
>> That's not a useful way to phrase the question, because there's no way
>> for software to know whether or not the user intends that a name
>> containing "." is fully-qualified.
> 
> You are begging the question. Of course the name "foo.bar" is
> ambiguous.

No, it's not ambiguous.  It's fully qualified.  

> That's precisely /why/ there is a search list, so
> foo.bar is only looked up if foo.bar.example.com (or whatever)
> does not exist.

That's insane.   That allows a local enterprise to change the meaning of every domain name.  Domain names are supposed to have the same meaning everywhere in the Internet.

>>> If so, then to the extent that search lists
>>> are supported, you need to make them interwork names with
>>> dots in them. Moreover, with a search list of "example.com",
>>> having "mail" work, but not "mail.dev" is going to be a
>>> pretty surprising outcome.
>> 
>> It will be surprising to that relatively small portion of users that
>> relies on search lists being applied to multi-label names.   But overall,
>> having a clear, visible distinction between names for which searching is
>> potentially applied (i.e. bare or single-label names), and names for
>> which searching is not applied (multi-label names) results in less
>> surprising behavior for everyone.
> 
> I do not think you have established that a relatively small number
> of users of search lists use multi-label names. I suspect that
> is not true.

My assumption is that search lists in conjunction with multi-label names are mostly used within fairly large enterprises, but search lists are potentially in much wider use.

>>> I think the two options are either deprecating search lists
>>> (or not supporting them), or supporting them properly, in
>>> which case they must be used whatever domain name is
>>> specified, and the way to avoid using a search list
>>> is the same old hack as before (i.e. putting a dot on the
>>> end).
>> 
>> Supporting search lists "properly" is NOT using them whenever a domain
>> name is specified.  That makes all domain names context-sensitive, and
>> breaks every application that uses domain names supplied by other parties
>> or in other contexts.
> 
> I don't have RFC references to hand, but precisely for the reasons you have
> set out above, I do not believe there is anything within them that search
> lists should only be used if "a domain name is specified", precisely
> because it's impossible to tell whether a string with dots in it is "a
> domain name", or merely something to go on the front of search lists.
> 
> What you are, I think, saying, is that you want to change the behaviour of
> search lists so they only work with single labels. What I'm saying is that
> there are likely to be a significant number of users of search lists who
> are affected by that, as they currently pass things with dots in them.

No disagreement on that point.  But search lists always have been broken.  It's just unfortunate that DNS APIs have supported them for so long, and their behavior has become entrenched in several organizations (including some that ought to know better).

My belief is that local names (i.e. bare or single-label names) are useful and necessary but their behavior cannot really be standardized.  So letting them continue to be subject to search lists is a useful compromise that is less drastic than doing away with search lists entirely.  It also has the virtue of being a simple rule that users can easily understand (a name with a "." is always fully qualified and usable in a global context, a name without a "." is ambiguous and only useful in a local context).

Keith