Re: [mif] [DNSOP] [dnsext] 2nd Last Call for MIF DNS server selection document

Alex Bligh <alex@alex.org.uk> Mon, 24 October 2011 11:55 UTC

Return-Path: <alex@alex.org.uk>
X-Original-To: mif@ietfa.amsl.com
Delivered-To: mif@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B590921F87D3; Mon, 24 Oct 2011 04:55:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_33=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 95J0Z4Do5UMZ; Mon, 24 Oct 2011 04:55:47 -0700 (PDT)
Received: from mail.avalus.com (mail.avalus.com [IPv6:2001:41c8:10:1dd::10]) by ietfa.amsl.com (Postfix) with ESMTP id C771521F8C60; Mon, 24 Oct 2011 04:55:33 -0700 (PDT)
Received: from [192.168.100.15] (87-194-71-186.bethere.co.uk [87.194.71.186]) by mail.avalus.com (Postfix) with ESMTPSA id 3D8D8C560FA; Mon, 24 Oct 2011 12:55:30 +0100 (BST)
Date: Mon, 24 Oct 2011 12:55:29 +0100
From: Alex Bligh <alex@alex.org.uk>
To: Keith Moore <moore@network-heretics.com>
Message-ID: <AFC2B32D1BE5A9E449B8D8A1@Ximines.local>
In-Reply-To: <EEE0996F-FE4D-4ECF-A685-DD69DFCC87B9@network-heretics.com>
References: <F2045A70-6314-41CF-AC3C-01F1F1ECF84C@network-heretics.com> <96472FB7-8425-4928-8F55-2ABF2CB59A93@conundrum.com> <628C128E-BDA8-46C3-BF07-364A482FE199@network-heretics.com> <20111024.080822.74700976.sthaug@nethelp.no> <59274CC1-611A-445B-A1CF-A0F49329DC1F@network-heretics.com> <E68B291B136EE9E8CFBF68F0@Ximines.local> <EEE0996F-FE4D-4ECF-A685-DD69DFCC87B9@network-heretics.com>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Mailman-Approved-At: Mon, 24 Oct 2011 04:58:39 -0700
Cc: mif@ietf.org, matt@conundrum.com, dnsop@ietf.org, dnsext@ietf.org, pk@isoc.de, Alex Bligh <alex@alex.org.uk>, dhcwg@ietf.org, denghui02@hotmail.com
Subject: Re: [mif] [DNSOP] [dnsext] 2nd Last Call for MIF DNS server selection document
X-BeenThere: mif@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Alex Bligh <alex@alex.org.uk>
List-Id: Multiple Interface Discussion List <mif.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mif>, <mailto:mif-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mif>
List-Post: <mailto:mif@ietf.org>
List-Help: <mailto:mif-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mif>, <mailto:mif-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2011 11:55:48 -0000

--On 24 October 2011 07:29:55 -0400 Keith Moore 
<moore@network-heretics.com> wrote:


>>> I'm just pointing out that for the vast majority of the contexts in
>>> which domain names are used, the expectation is that a domain name that
>>> contains a "." is fully-qualified.
>>
>> This is sampling bias.
>
> No, I don't think so.  The vast majority of contexts where domain names
> are used, are contexts in which the domain is supplied by one party and
> (at least potentially) used by another party.  Email addresses, URLs,
> domain names written on advertisements and business cards, etc.

Of course, but that explicitly excludes every case where a search
list is useful. That's why I'm saying you have to look at the
cases were a search list is used. In large organisations "domain names"
(used loosely) can have dots in and be expected to have
search list items appended. Given search list use is rare,
it's obviously going to be rare to have them with dots.

>> The question here should be "where search lists are used, are
>> they frequently used in combination with domain names that
>> are not fully qualified". I would suggest the answer to this
>> question is "yes".
>
> That's not a useful way to phrase the question, because there's no way
> for software to know whether or not the user intends that a name
> containing "." is fully-qualified.

You are begging the question. Of course the name "foo.bar" is
ambiguous. That's precisely /why/ there is a search list, so
foo.bar is only looked up if foo.bar.example.com (or whatever)
does not exist. The existence of the "if" step means that the
software cannot know what the domain means (in the sense
of what it will ultimately resolve to) without doing a lookup.

>> If so, then to the extent that search lists
>> are supported, you need to make them interwork names with
>> dots in them. Moreover, with a search list of "example.com",
>> having "mail" work, but not "mail.dev" is going to be a
>> pretty surprising outcome.
>
> It will be surprising to that relatively small portion of users that
> relies on search lists being applied to multi-label names.   But overall,
> having a clear, visible distinction between names for which searching is
> potentially applied (i.e. bare or single-label names), and names for
> which searching is not applied (multi-label names) results in less
> surprising behavior for everyone.

I do not think you have established that a relatively small number
of users of search lists use multi-label names. I suspect that
is not true.

>> I think the two options are either deprecating search lists
>> (or not supporting them), or supporting them properly, in
>> which case they must be used whatever domain name is
>> specified, and the way to avoid using a search list
>> is the same old hack as before (i.e. putting a dot on the
>> end).
>
> Supporting search lists "properly" is NOT using them whenever a domain
> name is specified.  That makes all domain names context-sensitive, and
> breaks every application that uses domain names supplied by other parties
> or in other contexts.

I don't have RFC references to hand, but precisely for the reasons you have
set out above, I do not believe there is anything within them that search
lists should only be used if "a domain name is specified", precisely
because it's impossible to tell whether a string with dots in it is "a
domain name", or merely something to go on the front of search lists.

What you are, I think, saying, is that you want to change the behaviour of
search lists so they only work with single labels. What I'm saying is that
there are likely to be a significant number of users of search lists who
are affected by that, as they currently pass things with dots in them. A
completely unscientific analysis I know, but every internet company I have
worked with since we moved out of uucp naming has done this, and not
because I have told them to. Even current 20 person software house does
this. So, if you are going to substantially break search lists (which is
not inherently a bad idea - they have caused all sorts of trouble in times
past), you might as well just deprecate them or not support them.

-- 
Alex Bligh