Anytime you discover that the facts asserted and relied on for a document are false, or the sources of those facts and assurances discredited, that's a "new" fact. A good example was the discovery in TLS-AUTHZ that the assurances made by the document authors that patents were disclosed according to RFC3979 was false. In the TLS-AUTHZ case, the discovery of false facts justified the removal of IESG approval.
In this case, it was asserted that there was a serious problem with open recursors being used in attacks. That asserted fact was the motivation for this document. However, in the time since the first two attacks, we have seen no evidence of any further attacks, and the two small motivating attacks now seem in retrospect to be contrived for this document. The motivating attacks were first reported on NANOG, which has previously made false statements deceiving the public and network operators, and is therefore not a reliable source. See http://www.iadl.org/nanog/nanog-story.html Requests for substantiation and evidence of the claims of serious attacks have not been affirmatively answered in two years. No direct or indirect evidence for further, serious attacks has been produced at all. Analysis also shows an alternative DNS attack that requires less effort from the attacker, does not expose the attacker to discovery, and is much harder to mitigate and more damaging. There is no reason anyone considering using DNS as an attack vector would use open recursors. Analysis also shows that an attack using open recurors is easy to mitigate. The above are significant contrary facts that undermine the original consensus (if there even was one, next) On the point of consensus, I do not see that a WGLC succeeded for this document. A last call held in November 2006 resulted in most people being against this document. The last message with "WGLC" and "evil" in the subject line was on November 21, 2006, extending date of the WGLC. After the extension, there are several new versions, but no WG last call. I'm not entirely sure why this document is in the state 'IESG Evaluation' or how it got to state "Publication Requested" by Ron Bonica given the Working Group record and the objections raised. According to Section 7.5 of RFC2418, a rough consensus must exist before such a request for publication is made by the WG chair(s) to the Area director. It should also be noted that strong disapproval was voice in the 2006 WGLC. The strong disapproval was based, in part, on the lack of credible evidence supporting the need for this document. Two years later, lack of evidence of real attacks is still a problem. There is no widespread ISP support for, or call for, this document. I strongly disapprove this document, object to the submarined approval process, and will appeal this document to the limit of the appeals process. --Dean On Sat, 6 Sep 2008, Peter Koch wrote: > On Mon, Sep 01, 2008 at 10:45:02AM -0700, [EMAIL PROTECTED] wrote: > > > Title : Preventing Use of Recursive Nameservers in Reflector > > Attacks > > Author(s) : J. Damas, F. Neves > > Filename : draft-ietf-dnsop-reflectors-are-evil-06.txt > > Pages : 8 > > Date : 2008-09-01 > > this draft is in the "IESG Evaluation" state. > The purpose of this update was to address the issues raised in the last > remaining > DISCUSS during IESG review (as mentioned during the DNSOP session in Dublin). > You can visit the changes (non-editorial only affecting the security > considerations section) through the tools site: > <http://tools.ietf.org/wg/dnsop/draft-ietf-dnsop-reflectors-are-evil/> > Editors, AD and shepherd (me) judged these changes to be minor enough and > non controversial not to require another WG round. > The draft will be approved as soon as the DISCUSS will have been released. > > To clarify, there's nothing that would suggest against the chairs' judgement > of WG consensus being maintained. That said, any further discussion of > whether or not the draft should have been worked on is probably > counterproductive > and consuming energy better spent on other current topics. > As any document, this document can be revisited at a later stage with time > passed and new facts on the table. > I'd not consider the perceived absence of facts establishing a "new fact". > > -Peter [wearing a chair's hat] > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > > -- Av8 Internet Prepared to pay a premium for better service? www.av8.net faster, more reliable, better service 617 344 9000 _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
