Re: [mif] [DNSOP] [dnsext] 2nd Last Call for MIF DNS server selection document

Mark Andrews <marka@isc.org> Sun, 23 October 2011 23:49 UTC

Return-Path: <marka@isc.org>
X-Original-To: mif@ietfa.amsl.com
Delivered-To: mif@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07F1E21F8B5A; Sun, 23 Oct 2011 16:49:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.268
X-Spam-Level:
X-Spam-Status: No, score=-2.268 tagged_above=-999 required=5 tests=[AWL=-0.269, BAYES_00=-2.599, J_CHICKENPOX_33=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kB8Yn68lZHkv; Sun, 23 Oct 2011 16:49:45 -0700 (PDT)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by ietfa.amsl.com (Postfix) with ESMTP id 3D48521F8B2B; Sun, 23 Oct 2011 16:49:45 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "bikeshed.isc.org", Issuer "ISC CA" (verified OK)) by mx.ams1.isc.org (Postfix) with ESMTPS id 7EEAD5F984C; Sun, 23 Oct 2011 23:49:29 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:470:1f00:820:6233:4bff:fe01:7585]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id 39EDD216C6A; Sun, 23 Oct 2011 23:49:27 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id 6E1D915C005F; Mon, 24 Oct 2011 10:49:21 +1100 (EST)
To: Matthew Pounsett <matt@conundrum.com>
From: Mark Andrews <marka@isc.org>
References: <COL118-W55403198A984BAAE44BA47B1F70@phx.gbl> <916CE6CF87173740BC8A2CE44309696203782D75@008-AM1MPN1-037.mgdnok.nokia.com> <121DABD1-65E8-4275-8471-9FA38D25C434@nominet.org.uk> <916CE6CF87173740BC8A2CE44309696203783EE0@008-AM1MPN1-037.mgdnok.nokia.com> <4EA09791.8010705@gmail.com> <C8398996-79B5-437E-82A5-6B869ECF8F4E@network-heretics.com> <94C2E518-F34F-49E4-B15C-2CCCFAA96667@virtualized.org> <12477381-9F74-4C50-B576-47EE4322F6BC@network-heretics.com> <CAH1iCiqsN-R87VK3vKityPsY+NXA=0DRASYf_vmBSy8gvYwHdQ@mail.gmail.com> <916CE6CF87173740BC8A2CE44309696203784B27@008-AM1MPN1-037.mgdnok.nokia.com> <708F3212-3C9C-4B61-AA77-EFA8F1CA5B04@nominum.com> <30B1AE01-0A35-48D2-91AF-46FC8B60466C@network-heretics.com> <4EA30EB0.6080605@dougbarton.us> <F2045A70-6314-41CF-AC3C-01F1F1ECF84C@network-heretics.com> <96472FB7-8425-4928-8F55-2ABF2CB59A93@conundrum.com>
In-reply-to: Your message of "Sun, 23 Oct 2011 02:39:23 EDT." <96472FB7-8425-4928-8F55-2ABF2CB59A93@conundrum.com>
Date: Mon, 24 Oct 2011 10:49:21 +1100
Message-Id: <20111023234921.6E1D915C005F@drugs.dv.isc.org>
X-Mailman-Approved-At: Sun, 23 Oct 2011 17:09:09 -0700
Cc: "<mif@ietf.org>" <mif@ietf.org>, Keith Moore <moore@network-heretics.com>, "<dnsop@ietf.org>" <dnsop@ietf.org>, "<dnsext@ietf.org>" <dnsext@ietf.org>, "<pk@isoc.de>" <pk@isoc.de>, "<dhcwg@ietf.org>" <dhcwg@ietf.org>, "<denghui02@hotmail.com>" <denghui02@hotmail.com>
Subject: Re: [mif] [DNSOP] [dnsext] 2nd Last Call for MIF DNS server selection document
X-BeenThere: mif@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multiple Interface Discussion List <mif.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mif>, <mailto:mif-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mif>
List-Post: <mailto:mif@ietf.org>
List-Help: <mailto:mif-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mif>, <mailto:mif-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Oct 2011 23:49:46 -0000

In message <96472FB7-8425-4928-8F55-2ABF2CB59A93@conundrum.com>, Matthew Pounse
tt writes:
> 
> On 2011/10/22, at 15:21, Keith Moore wrote:
> 
> > 
> > On Oct 22, 2011, at 2:42 PM, Doug Barton wrote:
> > 
> >> 1. I think we're all in agreement that dot-terminated names (e.g.,
> >> example.) should not be subject to search lists. I personally don't have
> >> any problems with any document mentioning that this is the expected
> >> behavior.
> > 
> > agree.  however there are standard protocols for which a trailing dot in a 
> domain name is a syntax error.
> 
> Any protocol that makes a standard FQDN a syntax error is itself in error.  N
> ot to say that these don't exist, but if people are writing protocols that ca
> n't deal with a properly formatted FQDN they need to stop.  Now.

Except it isn't a standard hostname.  Periods *seperate* labels in
hostnames RFC 952.  They DO NOT appear at the end of hostnames.

Appending a period to the end of a name is user interface hack to
prevent searching.  If is also a way to prevent the appending of
the current origin to all names in a DNS master file as the current
origin is always appended if it isn't done.

In addition single labels are not HEIRACHICAL / DOMAIN STYLE names
as envisioned when we went from a flat namespace of simple hostnames
to a heirarchical namespace.

	foo.bar is a heirachical hostname.
	bar is a simple hostname.

Why are we trying to bring them back on a global context?

> > Strongly disagree.  That would leave users without a protocol-independent w
> ay of unambiguously specifying "this is a fully-qualified domain name".
> > 
> > The practice of applying search lists to names with "."s in them needs to d
> ie.
> 
> I can't agree with this statement.  As others have said, the practice of usin
> g a search list to allow 'ssh foo.bar' to reach 'foo.bar.example.com' isn't g
> oing anywhere, and there are a lot of people that make extensive use of the c
> onvenience.  Ask any security professional about how easy it is to compete wi
> th convenient access.
> 
> I think we need to accept that this practice is here to stay, and figure out 
> how to deal with it on those terms.

People deal with all sorts of changes.  Point out the obvious
security flaws, make enough fuss, vendors have to ship with this
behaviour gone/disabled.  People stop worrying about it.

> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org