Re: [mif] Last Call for MIF DNS server selection document

Keith Moore <moore@network-heretics.com> Sat, 10 September 2011 02:08 UTC

Return-Path: <moore@network-heretics.com>
X-Original-To: mif@ietfa.amsl.com
Delivered-To: mif@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F5E011E8073; Fri, 9 Sep 2011 19:08:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.471
X-Spam-Level:
X-Spam-Status: No, score=-3.471 tagged_above=-999 required=5 tests=[AWL=0.128, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ib-AhOWRJZhz; Fri, 9 Sep 2011 19:08:39 -0700 (PDT)
Received: from out4.smtp.messagingengine.com (out4.smtp.messagingengine.com [66.111.4.28]) by ietfa.amsl.com (Postfix) with ESMTP id BE46F21F852C; Fri, 9 Sep 2011 19:08:39 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.mail.srv.osa [10.202.2.43]) by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id 2790C29B2C; Fri, 9 Sep 2011 22:10:36 -0400 (EDT)
Received: from frontend2.nyi.mail.srv.osa ([10.202.2.161]) by compute3.internal (MEProxy); Fri, 09 Sep 2011 22:10:36 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=subject:mime-version:content-type:from :in-reply-to:date:cc:content-transfer-encoding:message-id :references:to; s=smtpout; bh=MASg95tQj6lgBwwiYNLtjkgFd/I=; b=k9 eGZ5CQoX0kXlKaQZB+99z/kXOnsRVmdVKZEbVgyuqo0HZ5gofafjYqDIQOnD2gbY P985TbzKWHnbqxkztPieM6wH8VDBSIz5jqJc8lui3mXB57nYb89lVQJebh3TRJZA laryRzs6bsIJDM/0ZsxvYRBahFVVfnFS3AOJCdNcY=
X-Sasl-enc: g6n8vxa30vKQIsvBaAu/YOy1UyylP0D3ie28LEp3rsqt 1315620635
Received: from host65-16-145-177.birch.net (host65-16-145-177.birch.net [65.16.145.177]) by mail.messagingengine.com (Postfix) with ESMTPA id 13825B409BA; Fri, 9 Sep 2011 22:10:34 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Keith Moore <moore@network-heretics.com>
In-Reply-To: <4E6AC439.5060100@gmail.com>
Date: Fri, 09 Sep 2011 22:10:23 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <78069B79-CA66-40C2-B63D-7CFE60749EBF@network-heretics.com>
References: <COL118-W599D9E8760C3E370077FC3B1140@phx.gbl> <4E683F9B.7020905@gmail.com> <916CE6CF87173740BC8A2CE4430969620256F33F@008-AM1MPN1-032.mgdnok.nokia.com> <4E692D62.5080902@gmail.com> <BFFE3312-4DE3-432D-8DC7-20987AB3E34A@network-heretics.com> <916CE6CF87173740BC8A2CE443096962025704BA@008-AM1MPN1-032.mgdnok.nokia.com> <0A7B9663-0C40-4D19-BDBE-7EB72430D47D@network-heretics.com> <20110909230115.GG46494@shinkuro.com> <4E6AA248.6000406@gmail.com> <4D854606-64C6-4F7F-81A1-B15F1054E8BE@network-heretics.com> <4E6AC439.5060100@gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
X-Mailer: Apple Mail (2.1084)
Cc: mif@ietf.org, iesg@ietf.org
Subject: Re: [mif] Last Call for MIF DNS server selection document
X-BeenThere: mif@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multiple Interface Discussion List <mif.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mif>, <mailto:mif-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mif>
List-Post: <mailto:mif@ietf.org>
List-Help: <mailto:mif-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mif>, <mailto:mif-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Sep 2011 02:08:45 -0000

On Sep 9, 2011, at 9:58 PM, Brian E Carpenter wrote:

> On 2011-09-10 12:03, Keith Moore wrote:
>> On Sep 9, 2011, at 7:33 PM, Brian E Carpenter wrote:
>> 
>>>> doomed to the eventual state of affairs
>>>> where the exact same question asked of servers in different networks
>>>> would give different answers.  We can't change the past. 
>>> As long as the reply for a given query is always NXDOMAIN
>>> *except* for the one name server serving the particular offshoot
>>> of the namespace that the location-dependent domain is in,
>>> we have not broken the uniqueness of the namespace.
>> 
>> Actually, I disagree.  NXDOMAIN means "this domain does not exist".  Applications should be able to rely on that.
> 
> Well, that's the point: they can't. As far as I can see, ever since
> the first deployment of split DNS, you have to qualify that
> meaning with "as far as I know."

People who deploy split DNS need to understand that the consequence of doing so is that if some application just happens to query the "wrong" server, or the "wrong" side of the server, it's going to get an NXDOMAIN error, and that application is going to (quite properly) report that the domain does not exist - even if that domain does exist, and even if that application happens to have access to a network that lets it query the "right" server.

The notion that the network tells the host what DNS server to use (via DHCP or whatever means), and that the host should do what the network tells it to do, has always been suspect.  The existence of multiple active interfaces on hosts just makes the problem more obvious.

Keith
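
The wire-level consequence described in the message above, as an added example that is not part of Keith Moore's mail or of the MIF draft under Last Call: a minimal RFC 1035 encoder/decoder plus two simulated split-horizon servers (a public view that has no data for the corporate zone, and an internal view that does). A constructed host maps each interface to the recursive server its DHCP lease supplied; an application that resolves over the "wrong" interface gets RCODE 3 (NXDOMAIN) for a name the other interface's server answers. The zone name, the address, the interface names and the interface-to-server mapping are all made up for the illustration.

```python
"""Added example (not from the message above or the MIF draft): minimal DNS
wire format, two split-horizon views of one name, and a host that forwards
each query to whichever server the querying interface's DHCP lease named.
All names, addresses and interface mappings are constructed for illustration."""
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """Encode a dotted name as RFC 1035 length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Decode uncompressed labels at offset `off`; return (name, new offset)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def build_query(txid, name):
    # Header: id, flags (only RD set), qdcount=1, ancount/nscount/arcount=0.
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_query(msg):
    txid, = struct.unpack("!H", msg[:2])
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, name, qtype, qclass


def build_response(query, rcode, addr):
    """Answer `query` with the given RCODE and, if `addr` is set, one A record."""
    txid, name, qtype, qclass = parse_query(query)
    flags = 0x8580 | rcode            # QR=1, AA=1, RD=1, RA=1, RCODE in low nibble
    ancount = 1 if addr else 0
    hdr = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, qclass)
    answer = b""
    if addr:
        rdata = bytes(int(o) for o in addr.split("."))
        answer = encode_name(name) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + rdata
    return hdr + question + answer


def parse_response(msg):
    """Return (rcode, [A-record addresses]) from a response message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):                 # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return rcode, addrs


# Constructed split-horizon data: the internal view knows the name, the public
# view serves nothing for that zone and therefore says NXDOMAIN.
INTERNAL_ZONE = {"intranet.corp.example": "10.1.2.3"}


def internal_server(query):
    _, name, _, _ = parse_query(query)
    addr = INTERNAL_ZONE.get(name)
    return build_response(query, RCODE_NOERROR if addr else RCODE_NXDOMAIN, addr)


def public_server(query):
    return build_response(query, RCODE_NXDOMAIN, None)


# Constructed host: one recursive server per interface, as handed out by DHCP.
DHCP_SERVER_FOR_IFACE = {"wlan0": public_server, "vpn0": internal_server}


def resolve_via(iface, name, txid=0x1234):
    server = DHCP_SERVER_FOR_IFACE[iface]
    return parse_response(server(build_query(txid, name)))


def app_lookup(iface, name):
    """What an application sees: an address, or the literal verdict NXDOMAIN."""
    rcode, addrs = resolve_via(iface, name)
    return "NXDOMAIN" if rcode == RCODE_NXDOMAIN else addrs[0]


if __name__ == "__main__":
    for iface in ("wlan0", "vpn0"):
        print(iface, app_lookup(iface, "intranet.corp.example"))
```

The same query bytes, differing only in which server they reach, yield "domain does not exist" on one interface and an address on the other; nothing in the NXDOMAIN response marks it as "as far as this server knows".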