Re: [v6ops] draft-livingood-dns-whitelisting-implications-01 - IPv6 AAAA DNS Whitelisting Implications

"Livingood, Jason" <Jason_Livingood@cable.comcast.com> Fri, 31 December 2010 19:55 UTC

From: "Livingood, Jason" <Jason_Livingood@cable.comcast.com>
To: "frnkblk@iname.com" <frnkblk@iname.com>, "v6ops@ietf.org" <v6ops@ietf.org>
Thread-Topic: draft-livingood-dns-whitelisting-implications-01 - IPv6 AAAA DNS Whitelisting Implications
Thread-Index: Act+lYiA+Sp0LmZsS4Gy5Fp/MBBmZAqj1iOA
Date: Fri, 31 Dec 2010 19:57:00 +0000
Message-ID: <C9438D98.12732%jason_livingood@cable.comcast.com>
In-Reply-To: <!&!AAAAAAAAAAAuAAAAAAAAAKTyXRN5/+lGvU59a+P7CFMBAN6gY+ZG84BMpVQcAbDh1IQAAAATbSgAABAAAAD7uagJEjaOT7yI5FRuGZWiAQAAAAA=@iname.com>

Hi Frank - Replies inline below and cc'ing the v6ops list since this is now a WG I-D. The changes you have suggested below will be made shortly in a -01 update of this draft.

Thanks for your feedback!
- Jason


On 11/8/10 12:05 AM, "Frank Bulk - iName.com" <frnkblk@iname.com> wrote:

Jason:

I’d like to suggest a few things for consideration: is the 0.078% that don’t have a good IPv6 experience any worse than those that don’t have a good IPv4 experience because of MTU issues, asymmetric routing, transparent caching, firewalls, etc.?  I don’t think the DNS whitelist advocates have made a convincing case that the “IPv6 poorness” is any worse than the IPv4 poorness that already exists out there.  They’re just not measuring it, and it’s only because IPv6 is new that it’s getting a lot of scrutiny.

[JL] That seems a fair point, so I have added the following text to Section 3:
While in <xref target='Introduction'/> the level of IPv6-related impairment has been estimated to be as high as 0.078% of Internet users, which is a primary motivation cited for the practice of DNS whitelisting, it is not clear if the level of IPv4-related impairment is more or less than this percentage (which in any case is likely to have declined since its original citation). Indeed, as at least one document reviewer has pointed out, it may simply be that websites are only measuring IPv6 impairments and not IPv4 impairments, whether because IPv6 is new or whether those websites are simply unable to or are otherwise not in a position to be able to measure IPv4 impairment (since this could result in no Internet access whatsoever). As a result, it is worth considering that IPv4-related impairment could exceed that of IPv6-related impairment and that such IPv4-related impairment may have simply been accepted as "background noise" on the Internet for a variety of reasons.

Re: 5.1.  Deploying DNS Whitelisting Universally: these whitelists could be considered similar to DNSBLs for spam control, where operators choose which one(s) to subscribe to and the list is maintained by a reputable third party.  It could also be similar to Cymru’s BGP-based BOGON feed.

[JL] Good point. I've added the following to Section 5:
In either of these likely deployment scenarios below, it is possible that reputable third parties could create and maintain these DNS whitelists, in much the same way that blacklists are used for reducing email spam. In this email example, a mail operator subscribes to one or more of these lists and as such the operational processes for additions and deletions to the list are managed by a third party. Thus, a similar model could emerge for DNS whitelisting, whether deployment occurs universally or on an ad hoc basis.

Re: 7.2.  Public IPv6 Address Reachability Implications: It may be worth mentioning that once DNS whitelists are in place as part of “how we do IPv6”, we’re setting the stage for how our Internet will look in the future.  Once in place it’s very difficult to retract due to the rough equivalent of Newton’s first law – a body in motion stays in motion.  How many DNS servers have aged BOGON lists, even though the RIRs allocated the prefixes years ago?  How many e-mail servers are still querying *long* deprecated DNSBLs?  If whitelists gain popularity a lot of content will end up being unreachable by IPv6 if the lists aren’t maintained.  I would advocate that any DNS server that supports DNS whitelisting have an end date coded in (say 12/31/2012), after which the whitelisting mechanism is disabled.  That way non-maintained DNS servers (and presumably whitelists) wouldn’t forever be a problem in the future.  The end date could move out for new code revs of the DNS software, but at least the installation of a new DNS server version presumes that someone is actively maintaining it.

[JL] Another fine point. I have added this to Section 7.2:
In addition, establishing DNS whitelisting as an accepted practice in the early phases of mass IPv6 deployment could well establish DNS whitelisting as an integral part of how IPv6 is deployed globally. As a result, it is then possible that DNS whitelisting could live on for decades on the Internet as a key foundational element of the Internet of the future that we will all live with for a long time.

[JL] Also, I have actually created a new section in 7.3 for this as follows:
Implications of Operational Momentum
It seems plausible that once DNS whitelisting is implemented it will be very difficult to deprecate such technical and operational practices. This assumption is based on an understanding of human nature, not to mention physics. For example, as Sir Isaac Newton noted, "Every object in a state of uniform motion tends to remain in that state of motion unless an external force is applied to it" <xref target="Newton's Laws of Motion"/>. Thus, once DNS whitelisting is implemented it is quite likely that it would take considerable effort to deprecate the practice and remove it everywhere on the Internet - it will otherwise simply remain in place in perpetuity. To better illustrate this point, one could consider, as one example (of many), that there are likely many email servers continuing to attempt to query or otherwise check anti-spam DNS blocklists which have long ago ceased to exist.


Thanks again!!
Jason

Regards,

Frank
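The end-date idea in Frank's comment on Section 7.2, together with the stale-list concern (aged BOGON lists, long-deprecated DNSBLs), can be shown in a small model. The following Python is an added illustration written for this archive page; it is not code from the thread, the draft, or any name server. It models an authoritative server that withholds AAAA answers from recursive resolvers whose source address is not on a whitelist of prefixes, applies that filter only until a hypothetical hard sunset date, and flags a list that nobody has maintained. The zone, the whitelist prefixes, the "last updated" date, and the resolver addresses are all constructed (documentation prefixes from RFC 5737 and RFC 3849); the 12/31/2012 sunset is the date Frank suggested.

```python
# Added illustration (not from the thread): a toy model of AAAA whitelisting
# on an authoritative name server, with a coded-in sunset date after which
# the whitelist is ignored, plus a staleness check for unmaintained lists.
from dataclasses import dataclass
from datetime import date, timedelta
import ipaddress


@dataclass
class Whitelist:
    """Resolver source prefixes that are allowed to receive AAAA answers."""
    prefixes: list            # ipaddress.IPv4Network / IPv6Network objects
    last_updated: date        # when the list was last maintained (constructed)
    sunset: date              # hypothetical hard end date for the mechanism

    @classmethod
    def from_strings(cls, prefixes, last_updated, sunset):
        nets = [ipaddress.ip_network(p) for p in prefixes]
        return cls(nets, last_updated, sunset)

    def active(self, today):
        """Whitelisting is applied only up to and including the end date."""
        return today <= self.sunset

    def contains(self, resolver_ip):
        addr = ipaddress.ip_address(resolver_ip)
        return any(addr.version == net.version and addr in net
                   for net in self.prefixes)

    def is_stale(self, today, max_age_days=90):
        """Flag a list nobody has touched recently (the aged-BOGON-list problem)."""
        return today - self.last_updated > timedelta(days=max_age_days)


def answer(zone, qname, qtype, resolver_ip, whitelist, today):
    """Records the authoritative server returns to a recursive resolver.

    While the mechanism is active, AAAA records are withheld from resolvers
    outside the whitelist; A records are never filtered, so a client that
    gets an empty AAAA answer falls back to IPv4.
    """
    records = zone.get((qname, qtype), [])
    if qtype != "AAAA" or not whitelist.active(today):
        return list(records)
    if whitelist.contains(resolver_ip):
        return list(records)
    return []  # AAAA withheld: IPv6 content unreachable for this resolver


# Constructed sample data using documentation prefixes (RFC 5737 / RFC 3849).
ZONE = {
    ("www.example.com.", "A"): ["192.0.2.10"],
    ("www.example.com.", "AAAA"): ["2001:db8::10"],
}
WHITELIST = Whitelist.from_strings(
    prefixes=["198.51.100.0/24", "2001:db8:1::/48"],
    last_updated=date(2010, 11, 1),     # constructed: last time anyone edited it
    sunset=date(2012, 12, 31),          # the 12/31/2012 end date from the thread
)


def reachability_report(today):
    """Which (constructed) resolvers see the AAAA record on a given day."""
    probes = {
        "listed-v4": "198.51.100.53",
        "listed-v6": "2001:db8:1::53",
        "unlisted": "203.0.113.53",
    }
    return {
        name: bool(answer(ZONE, "www.example.com.", "AAAA", ip, WHITELIST, today))
        for name, ip in probes.items()
    }


if __name__ == "__main__":
    for day in (date(2011, 6, 1), date(2013, 1, 1)):
        state = "stale" if WHITELIST.is_stale(day) else "fresh"
        print(day, state, reachability_report(day))
```

Run stand-alone, the report for mid-2011 shows the unlisted resolver getting no AAAA answer from a list that has already gone stale, which is exactly the "content unreachable over IPv6 because nobody maintains the list" outcome; on 2013-01-01 the sunset has passed and every resolver receives the AAAA record regardless of the list's state. Monitoring `is_stale` is the operational check a deployer would want alongside any such list.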