Re: [mif] [dnsext] [DNSOP] 2nd Last Call for MIF DNS server selection document

Mark Andrews <marka@isc.org> Tue, 25 October 2011 00:09 UTC

Return-Path: <marka@isc.org>
X-Original-To: mif@ietfa.amsl.com
Delivered-To: mif@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5DFE21F8C4A; Mon, 24 Oct 2011 17:09:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.259
X-Spam-Level:
X-Spam-Status: No, score=-2.259 tagged_above=-999 required=5 tests=[AWL=-0.260, BAYES_00=-2.599, J_CHICKENPOX_51=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u6UpPCwVf8ZW; Mon, 24 Oct 2011 17:09:23 -0700 (PDT)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by ietfa.amsl.com (Postfix) with ESMTP id 9C91621F8C09; Mon, 24 Oct 2011 17:09:22 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "bikeshed.isc.org", Issuer "ISC CA" (verified OK)) by mx.ams1.isc.org (Postfix) with ESMTPS id 5EFE85F984C; Tue, 25 Oct 2011 00:09:02 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:470:1f00:820:6233:4bff:fe01:7585]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id 507EA216C6A; Tue, 25 Oct 2011 00:08:55 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id 61F9815CE347; Tue, 25 Oct 2011 11:08:53 +1100 (EST)
To: Lawrence Conroy <lconroy@insensate.co.uk>
From: Mark Andrews <marka@isc.org>
References: <F2045A70-6314-41CF-AC3C-01F1F1ECF84C@network-heretics.com> <96472FB7-8425-4928-8F55-2ABF2CB59A93@conundrum.com> <628C128E-BDA8-46C3-BF07-364A482FE199@network-heretics.com> <20111024.080822.74700976.sthaug@nethelp.no> <59274CC1-611A-445B-A1CF-A0F49329DC1F@network-heretics.com> <E68B291B136EE9E8CFBF68F0@Ximines.local> <EEE0996F-FE4D-4ECF-A685-DD69DFCC87B9@network-heretics.com> <AFC2B32D1BE5A9E449B8D8A1@Ximines.local> <FAB38B5D-9B44-4B25-9268-9DE4A5DDC9FE@network-heretics.com> <4EA5D012.9090708@dougbarton.us> <CB52BAAF-F38F-4815-9B91-4656F1F3837F@insensate.co.uk>
In-reply-to: Your message of "Mon, 24 Oct 2011 22:34:23 BST." <CB52BAAF-F38F-4815-9B91-4656F1F3837F@insensate.co.uk>
Date: Tue, 25 Oct 2011 11:08:53 +1100
Message-Id: <20111025000853.61F9815CE347@drugs.dv.isc.org>
Cc: dnsop@ietf.org, mif@ietf.org, dnsext@ietf.org
Subject: Re: [mif] [dnsext] [DNSOP] 2nd Last Call for MIF DNS server selection document
X-BeenThere: mif@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multiple Interface Discussion List <mif.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mif>, <mailto:mif-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mif>
List-Post: <mailto:mif@ietf.org>
List-Help: <mailto:mif-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mif>, <mailto:mif-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Oct 2011 00:09:23 -0000

In message <CB52BAAF-F38F-4815-9B91-4656F1F3837F@insensate.co.uk>, Lawrence Conroy writes:
> Hi there Doug, Keith, folks,
>  Speaking of broken mechanisms ... how many dots?
> arstechnica.com is OK
>       co.uk is not OK
> 
> ndots strikes me as a chocolate soldier in the fire used to warm the 
> chocolate teapot that is search lists.
> 
> At best these are context dependent (and keep IT support in business). At worst ...
>  one day I WILL be arrested for tasering the bean counter (why is it always one of
>  those?) who insists that "intranet" is a fine web server name useful anywhere.
> 
> [I came damn close a few times with Yankee hotel reservations accessible only via
>  1-800 'phone numbers]
> 
> Speaking of interoperability -- the comment "it works for everyone here" is not
>  a good sign that the solution is interoperable.
> 
> IMO, search lists and ndots are both abominations, and should not be 
> given the oxygen of publicity.
> 
> all the best,
>   Lawrence
> 
> 
> 
> On 24 Oct 2011, at 21:52, Doug Barton wrote:
> > On 10/24/2011 05:16, Keith Moore wrote:
> >> That's the point - search lists are not appropriate most of the time,
> >> and it's very hard for software to distinguish the cases where they are
> >> potentially appropriate from the cases when they're not, and it's not
> >> possible for software to do this in all cases.
> > 
> > There's been something missing from this discussion, and I finally put
> > my finger on it. TMK most stub resolvers have an option similar to this
> > one from ISC's:
> > 
> > ndots:n
> >        sets a threshold for the number of dots which
> >        must appear in a name given to res_query() (see
> >        resolver(3)) before an initial absolute query
> >        will be made.  The default for n is “1”, mean‐
> >        ing that if there are any dots in a name, the
> >        name will be tried first as an absolute name
> >        before any search list elements are appended to
> >        it.
> > 
> > So it seems that this question is already a matter of local policy,
> > which given the number and quality of the divergent views seems
> > eminently reasonable. Can we move on now?
> 
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext

In many cases when ndots is not 1 there are no DNS entries that
will match <any-tld>.<search-list-entry>.  That said the set of
<any-tld> is growing so it is going to get harder and harder to
ensure that this condition is being met.

Walled gardens shouldn't be creating their own TLDs.  ISPs, hotspots,
etc. should not be setting a search list at all.  They definitely should
not be relying on "label" being found on a search list.

As far as I can tell there are only two places where setting a search
list makes sense.

	1. Enterprises.
	2. Homes.

Everywhere else you DO NOT control the machine requesting the address
and setting search lists could actually result in criminal prosecution.
Just because the machine requested a search list it doesn't mean
that you should be supplying one.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
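
As an added worked example (not code from the thread, from ISC, or from any resolver), the Python below models the candidate-name ordering that Doug's quoted ndots text and Mark's "<any-tld>.<search-list-entry>" point describe, following the resolver(5) semantics: a name ending in a dot is absolute and nothing else is tried; a name with at least ndots dots is tried absolute first and then with each search-list entry appended; a name with fewer dots gets the search-list entries first and the absolute name last. The resolv.conf text and the names looked up are constructed for illustration, and the ResolvConf / candidate_names / queries_seen_by_search_domain names are this example's own, not an API of any real resolver.

```python
"""
Added example: a model of the search-list / ndots expansion a stub
resolver performs before it sends any query (resolver(5) semantics).
Illustrative code only, not ISC's resolver and not code from the thread.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class ResolvConf:
    search: List[str] = field(default_factory=list)  # search-list entries
    ndots: int = 1                                   # dots needed for "absolute first"


def parse_resolv_conf(text: str) -> ResolvConf:
    """Parse the search/domain lines and the options ndots:n setting of resolv.conf."""
    conf = ResolvConf()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        key, *args = line.split()
        if key in ("search", "domain"):          # later line wins, as in resolv.conf
            conf.search = [d.rstrip(".").lower() for d in args]
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    conf.ndots = int(opt.split(":", 1)[1])
    return conf


def candidate_names(name: str, conf: ResolvConf) -> List[str]:
    """Fully qualified names the resolver tries, in the order it tries them.

    - trailing dot: the name is absolute, nothing else is tried
    - at least ndots dots: absolute first, then each search entry appended
    - fewer dots: search entries first, absolute name last
    """
    name = name.lower()
    if name.endswith("."):
        return [name]
    absolute = name + "."
    searched = [f"{name}.{domain}." for domain in conf.search]
    if name.count(".") >= conf.ndots:
        return [absolute] + searched
    return searched + [absolute]


def queries_seen_by_search_domain(name: str, conf: ResolvConf) -> List[str]:
    """The <name>.<search-list-entry> lookups sent before the absolute name.

    Whoever answers for the search domain (its real nameservers, or a
    hotspot that handed out the search list) observes exactly these names.
    """
    if name.endswith("."):
        return []
    names = candidate_names(name, conf)
    return names[: names.index(name.lower() + ".")]


if __name__ == "__main__":
    # Constructed resolv.conf: a site that raised ndots to 2.
    conf = parse_resolv_conf("search corp.example\noptions ndots:2\n")
    for n in ("intranet", "arstechnica.com", "co.uk", "www.example.com."):
        print(f"{n:18} -> {candidate_names(n, conf)}")
```

With ndots:2 the two-label name "arstechnica.com" is first sent as "arstechnica.com.corp.example.", i.e. a lookup under "com.corp.example", which is the "<any-tld>.<search-list-entry>" name Mark says nothing usually matches; with the default ndots:1 the same name goes out absolute first and the search entry is only tried if that fails.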