Re: [mif] Last Call for MIF DNS server selection document

Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 09 September 2011 23:31 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: mif@ietfa.amsl.com
Delivered-To: mif@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2959121F8586; Fri, 9 Sep 2011 16:31:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.585
X-Spam-Level:
X-Spam-Status: No, score=-103.585 tagged_above=-999 required=5 tests=[AWL=0.014, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n5Aamzr23iPV; Fri, 9 Sep 2011 16:31:43 -0700 (PDT)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by ietfa.amsl.com (Postfix) with ESMTP id B415F21F8564; Fri, 9 Sep 2011 16:31:42 -0700 (PDT)
Received: by fxe6 with SMTP id 6so3225541fxe.31 for <multiple recipients>; Fri, 09 Sep 2011 16:33:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=Ryr8O4nCb00n+SKTBWcsXjgeu2bgaW3cmMLCMN0/Tis=; b=jWHE7w+irSyMCmiuTy78GCAD5exInEGq/0lInWtvE7mRkZJHY1Pye9kU+uGEiTHNEU ccbGJqeniklypEnmh6ISX8yBWdd4KNZi9ptNuWRuTpOKQjYHs+1o1Ml3elVS20zvI02f zxAHTF64KrkohxVCTy7GLbhMEI5g+WDr/hUZg=
Received: by 10.223.39.193 with SMTP id h1mr590962fae.135.1315611218224; Fri, 09 Sep 2011 16:33:38 -0700 (PDT)
Received: from [10.1.1.4] ([121.98.251.219]) by mx.google.com with ESMTPS id d23sm3579918fam.4.2011.09.09.16.33.33 (version=SSLv3 cipher=OTHER); Fri, 09 Sep 2011 16:33:37 -0700 (PDT)
Message-ID: <4E6AA248.6000406@gmail.com>
Date: Sat, 10 Sep 2011 11:33:28 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Andrew Sullivan <ajs@anvilwalrusden.com>
References: <COL118-W599D9E8760C3E370077FC3B1140@phx.gbl> <4E683F9B.7020905@gmail.com> <916CE6CF87173740BC8A2CE4430969620256F33F@008-AM1MPN1-032.mgdnok.nokia.com> <4E692D62.5080902@gmail.com> <BFFE3312-4DE3-432D-8DC7-20987AB3E34A@network-heretics.com> <916CE6CF87173740BC8A2CE443096962025704BA@008-AM1MPN1-032.mgdnok.nokia.com> <0A7B9663-0C40-4D19-BDBE-7EB72430D47D@network-heretics.com> <20110909230115.GG46494@shinkuro.com>
In-Reply-To: <20110909230115.GG46494@shinkuro.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: mif@ietf.org, iesg@ietf.org
Subject: Re: [mif] Last Call for MIF DNS server selection document
X-BeenThere: mif@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multiple Interface Discussion List <mif.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mif>, <mailto:mif-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mif>
List-Post: <mailto:mif@ietf.org>
List-Help: <mailto:mif-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mif>, <mailto:mif-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Sep 2011 23:31:44 -0000

> doomed to the eventual state of affairs
> where the exact same question asked of servers in different networks
> would give different answers.  We can't change the past. 

As long as the reply for a given query is always NXDOMAIN
*except* for the one name server serving the particular offshoot
of the namespace that the location-dependent domain is in,
we have not broken the uniqueness of the namespace.

Hence the suggestion in my previous message, quoted here for
the benefit of the IESG that someone added in CC:

"I guess I would like to see some MUSTs or MUST NOTs in the MIF
draft or elsewhere that make it clear that any domains that
are not globally resolvable must nevertheless be globally
unique. That needs to be expressed a bit more precisely
and there might have to be an exception for .local. However,
if a host can see a DNS server from example.com, a rule could
be: that server MUST NOT resolve any domains that are not
globally resolvable and are not subdomains of example.com."

Regards
   Brian Carpenter

On 2011-09-10 11:01, Andrew Sullivan wrote:
> On Fri, Sep 09, 2011 at 05:29:20PM -0400, Keith Moore wrote:
>> Selecting a name server is one thing.  Standardizing a behavior that
>> assumes that DNS name servers are specific to networks, is something
>> else entirely.  It's a violation of the DNS architecture, which
>> clearly assumes that DNS queries are location-independent.
>> (Otherwise, it would not allow caching of query results without some
>> awareness of the scope in which they are valid.)
> 
> First, I fully agree with this.  At the same time, in point of fact we
> walked off the cliff some time ago.
> 
>> I realize that this is a slippery slope that IETF and the Internet
>> have been sliding down for many years, given two-faced DNS,
>> SiteFinder and other criminal acts, DNS interception proxies imposed
>> by ISPs, certain dubious uses of LLMNR, DNS64, and several other
>> things that break the architecture.  DNS is almost as polluted these
>> days as IPv4 is.  But at some point it goes too far.
> 
> The problem that I see is that we _already_ see techniques in the wild
> where people have broken the architecture, and are charging ahead and
> doing their thing.  We can try to say, "This is too far," but we'll be
> right back where we were with NAT many years ago.  Once we started
> split-brain DNS, we were just doomed to the eventual state of affairs
> where the exact same question asked of servers in different networks
> would give different answers.  We can't change the past. 
> 
>> Indeed, that's precisely the problem.    How did the WG go so far down
>> this path without significant pushback, or without the architectural
>> question being raised and discussed in a wider or more appropriate
>> forum?  Why was this decision not subject to extensive review, not
>> just within DNS WGs but also cross-area review, long before the MIF WG
>> made its decision?
> 
> Actually, the DNS Directorate has been paying active attention to this
> work, and part of the reason I did the review I did was precisely
> because of that interest.  The problem we DNS weenies have is that we
> know it's a horrible disastrous mess, but people are _doing it
> anyway_, and the only option left to us now is to try to contain
> damage.  I hate DNS64.  I hate this server selection stuff, too.  But
> no matter how much I shout at the tide, still it comes in.  Better
> that I should try to help build the dike.
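The rule proposed in the message above (a DNS server learned from example.com MUST NOT resolve names that are neither globally resolvable nor subdomains of example.com, with a possible exception for .local) can be modelled as a small policy checker. The following is an added Python example, not code from the message author, the MIF working group or the IETF. The interface names, server domains, private zones and the set of globally resolvable names are constructed sample values, and "globally resolvable" is simplified to membership in that set; the functions `audit_private_zones`, `answer_policy` and `select_servers` are this example's own names.

```python
"""Model of the MIF server-selection hygiene rule from the message above.

A server learned from domain D may answer for (a) names that are globally
resolvable and (b) names under D; every other name gets NXDOMAIN from it.
That keeps a non-globally-resolvable name unique: exactly one server (the
one serving that offshoot of the namespace) answers it, all others say
NXDOMAIN. Added illustration only; all configuration below is constructed.
"""

# The message allows for one exception: mDNS-style ".local" names.
LOCAL_EXCEPTION = "local"


def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing root dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def is_subdomain(name, domain):
    """True if name equals domain or lies beneath it, compared label by
    label so that 'notexample.com' is not treated as under 'example.com'."""
    n, d = _labels(name), _labels(domain)
    return len(n) >= len(d) and n[len(n) - len(d):] == d


def audit_private_zones(server_domain, private_zones):
    """Return the private (not globally resolvable) zones a server claims
    that violate the rule: each must be under server_domain or be .local."""
    return [zone for zone in private_zones
            if not is_subdomain(zone, server_domain)
            and not is_subdomain(zone, LOCAL_EXCEPTION)]


def permitted_private_zones(server_domain, private_zones):
    """Private zones the server may legitimately answer for."""
    violations = set(audit_private_zones(server_domain, private_zones))
    return [zone for zone in private_zones if zone not in violations]


def answer_policy(query_name, server_domain, private_zones, global_names):
    """What a rule-compliant server for server_domain does with a query:
    'answer' for globally resolvable names and for names under its own
    permitted private zones, 'NXDOMAIN' for everything else."""
    canonical = {g.lower().rstrip(".") for g in global_names}
    if query_name.lower().rstrip(".") in canonical:
        return "answer"
    for zone in permitted_private_zones(server_domain, private_zones):
        if is_subdomain(query_name, zone):
            return "answer"
    return "NXDOMAIN"


def select_servers(query_name, interfaces):
    """Interfaces whose configured server may answer a private name.
    Under the rule this list has at most one entry, which is what makes
    per-interface server selection safe for such names."""
    return [ifname for ifname, cfg in interfaces.items()
            if any(is_subdomain(query_name, zone)
                   for zone in permitted_private_zones(cfg["server_domain"],
                                                       cfg["private_zones"]))]


# Constructed sample configuration: two interfaces, each with the domain its
# DNS server was learned from and the private zones that server claims.
# ppp0's claim on corp.example.com is deliberately a violation of the rule.
INTERFACES = {
    "wlan0": {"server_domain": "example.com",
              "private_zones": ["corp.example.com", "local"]},
    "ppp0": {"server_domain": "example.net",
             "private_zones": ["intranet.example.net", "corp.example.com"]},
}

# Constructed stand-in for "globally resolvable": exact names in the public DNS.
GLOBAL_NAMES = {"www.ietf.org", "www.example.com", "www.example.net"}


if __name__ == "__main__":
    for ifname, cfg in INTERFACES.items():
        bad = audit_private_zones(cfg["server_domain"], cfg["private_zones"])
        print(f"{ifname}: violating private zones = {bad}")
    for name in ["www.ietf.org", "host.corp.example.com",
                 "host.intranet.example.net", "host.example.org"]:
        print(f"{name}: answered by {select_servers(name, INTERFACES)}")
```

Running the module lists `corp.example.com` as ppp0's violating zone, and shows that `host.corp.example.com` maps to wlan0 alone, `host.intranet.example.net` to ppp0 alone, and `host.example.org` to no interface-specific server at all (so the global resolver is the only place to send it).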