Re: [mif] Last Call for MIF DNS server selection document

Keith Moore <moore@network-heretics.com> Sat, 10 September 2011 00:00 UTC

From: Keith Moore <moore@network-heretics.com>
In-Reply-To: <20110909230115.GG46494@shinkuro.com>
Date: Fri, 09 Sep 2011 20:02:25 -0400
Message-Id: <10C27AF2-A9A9-4161-BC94-3964E725DA9D@network-heretics.com>
References: <COL118-W599D9E8760C3E370077FC3B1140@phx.gbl> <4E683F9B.7020905@gmail.com> <916CE6CF87173740BC8A2CE4430969620256F33F@008-AM1MPN1-032.mgdnok.nokia.com> <4E692D62.5080902@gmail.com> <BFFE3312-4DE3-432D-8DC7-20987AB3E34A@network-heretics.com> <916CE6CF87173740BC8A2CE443096962025704BA@008-AM1MPN1-032.mgdnok.nokia.com> <0A7B9663-0C40-4D19-BDBE-7EB72430D47D@network-heretics.com> <20110909230115.GG46494@shinkuro.com>
To: Andrew Sullivan <ajs@anvilwalrusden.com>
Cc: mif@ietf.org, iesg@ietf.org
Subject: Re: [mif] Last Call for MIF DNS server selection document

On Sep 9, 2011, at 7:01 PM, Andrew Sullivan wrote:

> On Fri, Sep 09, 2011 at 05:29:20PM -0400, Keith Moore wrote:
>> 
>> Selecting a name server is one thing.  Standardizing a behavior that
>> assumes that DNS name servers are specific to networks, is something
>> else entirely.  It's a violation of the DNS architecture, which
>> clearly assumes that DNS queries are location-independent.
>> (Otherwise, it would not allow caching of query results without some
>> awareness of the scope in which they are valid.)
> 
> First, I fully agree with this.  At the same time, in point of fact we
> walked off the cliff some time ago.

Who's this "we" of which you speak? :)

>> I realize that this is a slippery slope that IETF and the Internet
>> have been sliding down for many years, given two-faced DNS,
>> SiteFinder and other criminal acts, DNS interception proxies imposed
>> by ISPs, certain dubious uses of LLMNR, DNS64, and several other
>> things that break the architecture.  DNS is almost as polluted these
>> days as IPv4 is.  But at some point it goes too far.
> 
> The problem that I see is that we _already_ see techniques in the wild
> where people have broken the architecture, and are charging ahead and
> doing their thing.  We can try to say, "This is too far," but we'll be
> right back where we were with NAT many years ago.  Once we started
> split-brain DNS, we were just doomed to the eventual state of affairs
> where the exact same question asked of servers in different networks
> would give different answers.  We can't change the past. 
> 
>> Indeed, that's precisely the problem.    How did the WG go so far down this path without significant pushback, or without the architectural question being raised and discussed in a wider or more appropriate forum?  Why was this decision not subject to extensive review, not just within DNS WGs but also cross-area review, long before the MIF WG made its decision?
> 
> Actually, the DNS Directorate has been paying active attention to this
> work, and part of the reason I did the review I did was precisely
> because of that interest.  The problem we DNS weenies have is that we
> know it's a horrible disastrous mess, but people are _doing it
> anyway_, and the only option left to us now is to try to contain
> damage.  I hate DNS64.  I hate this server selection stuff, too.  But
> no matter how much I shout at the tide, still it comes in.  Better
> that I should try to help build the dike.

People often do things that violate the standards.  That doesn't mean that IETF should endorse such practices.   Nor does it mean that IETF should ignore them.

Sometimes when people do things that violate the standards, it's a sign of a deficiency in the architecture that should be remedied.  And sometimes it means that they're just being shortsighted and what IETF needs to do is to say "here's why this is a Bad Idea".

Keith