Re: [mif] Last Call for MIF DNS server selection document

Andrew Sullivan <ajs@anvilwalrusden.com> Fri, 09 September 2011 22:59 UTC


On Fri, Sep 09, 2011 at 05:29:20PM -0400, Keith Moore wrote:
> 
> Selecting a name server is one thing.  Standardizing a behavior that
> assumes that DNS name servers are specific to networks, is something
> else entirely.  It's a violation of the DNS architecture, which
> clearly assumes that DNS queries are location-independent.
> (Otherwise, it would not allow caching of query results without some
> awareness of the scope in which they are valid.)

First, I fully agree with this.  At the same time, in point of fact we
walked off the cliff some time ago.

> I realize that this is a slippery slope that IETF and the Internet
> have been sliding down for many years, given two-faced DNS,
> SiteFinder and other criminal acts, DNS interception proxies imposed
> by ISPs, certain dubious uses of LLMNR, DNS64, and several other
> things that break the architecture.  DNS is almost as polluted these
> days as IPv4 is.  But at some point it goes too far.

The problem that I see is that we _already_ see techniques in the wild
where people have broken the architecture, and are charging ahead and
doing their thing.  We can try to say, "This is too far," but we'll be
right back where we were with NAT many years ago.  Once we started
split-brain DNS, we were just doomed to the eventual state of affairs
where the exact same question asked of servers in different networks
would give different answers.  We can't change the past.

> Indeed, that's precisely the problem.  How did the WG go so far down
> this path without significant pushback, or without the architectural
> question being raised and discussed in a wider or more appropriate
> forum?  Why was this decision not subject to extensive review, not
> just within DNS WGs but also cross-area review, long before the MIF
> WG made its decision?

Actually, the DNS Directorate has been paying active attention to this
work, and part of the reason I did the review I did was precisely
because of that interest.  The problem we DNS weenies have is that we
know it's a horrible disastrous mess, but people are _doing it
anyway_, and the only option left to us now is to try to contain
damage.  I hate DNS64.  I hate this server selection stuff, too.  But
no matter how much I shout at the tide, still it comes in.  Better
that I should try to help build the dike.
-- 
Andrew Sullivan
ajs@anvilwalrusden.com