On Apr 20, 2015, at 6:43 AM, Stephane Bortzmeyer <bortzme...@nic.fr> wrote:
> IMHO, the text can NOT be published with its definition of Forwarder.
> 
> The definition of Forwarder is still both confused and
> self-contradictory.

Yes. There are differences between the explicit definition for DNS forwarder in 
RFC 2308 and the strongly implied definition in RFC 5625. The WG needs to 
decide which definition it prefers and give an explanation of why (because both 
definitions exist). For comparison:

RFC 2308:
   "FORWARDER" - a nameserver used to resolve queries instead of
   directly using the authoritative nameserver chain.  The forwarder
   typically either has better access to the internet, or maintains a
   bigger cache which may be shared amongst many resolvers.  How a
   server is identified as a FORWARDER, or knows it is a FORWARDER is
   outside the scope of this document.  However if you are being used as
   a forwarder the query will have the recursion desired flag set.

RFC 5625:
   These proxies are usually simple DNS forwarders, but typically do not
   have any caching capabilities.  The proxy serves as a convenient
   default DNS resolver for clients on the LAN, but relies on an
   upstream resolver (e.g., at an ISP) to perform recursive DNS lookups.

> For instance, the current text says that the
> forwarder "sends on the resulting query (usually to a recursive
> resolver)" and later that "The forwarder typically either has better
> access to the internet, or maintains a bigger cache which may be
> shared amongst many resolvers" If it has a better access, why does it
> send to another recursive resolver? It really seems the current
> definition mixes the downstream forwarder and the upstream resolver.

The definition in the draft includes ideas from RFC 5625, which seems to be the 
much more common definition of "forwarder" used today. However, the WG is free 
to define this however they want.

> My proposal:
> 
> Forwarder -- A DNS resolver that receives a DNS query from another
> resolver, sends it (usually to authoritative name servers), and
> returns the resulting response to the source of the query.  Section 1
> of [RFC2308] describes a forwarder as "a nameserver used to resolve
> queries instead of directly using the authoritative nameserver chain".
> [RFC2308] further says "The forwarder typically either has better
> access to the internet, or maintains a bigger cache which may be
> shared amongst many resolvers."

My proposal goes the other way: to use the more common definition of a 
forwarder being what we see in gazillions of SOHO devices.

> I also suggest to delete the entry "Open forwarder" which has the same
> issues.

I agree with deleting "Open forwarder", but for different reasons: the term 
doesn't appear in any RFC to date, so it isn't needed.

> Other remarks which are not, in my opinion, blocking for the
> publication:
> 
>> Public suffix
> 
> Two small text additions. 1) cite "DNS Administrative Boundaries
> Problem Statement" draft-sullivan-dbound-problem-statement 2) "Note
> there is zero indication, in the domain name, that it is a public
> suffix or not. It can only be learned from outside means."

For #1, citing a draft could cause delay in publication of this RFC, but we can 
instead point to the WG and say work is underway now. I like the addition in #2.

>> Non-consensual policy-implementing resolver [...] The difference
>> between this and a consensual policy-implementing resolver is that
>> users of this resolver are not expected to know that there is a
>> policy to change the answers it returns.
> 
> Dangerous legal and political issues here. If Joe Sysadmin configures
> the DHCP server to tell the users' machines to use 192.0.2.53 and this
> resolver rewrites answers, can we honestly say that the users "are
> expected to know"? Technically, there is no difference between
> Consensual policy-implementing resolver and Non-consensual
> policy-implementing resolver and I would merge the definitions.

Please propose specific wording for the merge so the WG can see if they like it 
better.

>> Passive DNS -- A mechanism to collect large amounts of DNS data by
>> storing queries and responses from recursive servers.
> 
> Most passive DNS services collect only the responses, which is good
> for privacy.

Some passive DNS services collect the query too. Given the privacy issue you 
mention, we should make people aware of that.

--Paul Hoffman
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
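Two wire-level points in the thread above can be checked on actual packets: RFC 2308's remark that a query arriving at a forwarder carries the Recursion Desired (RD) flag, and the observation that a passive DNS sensor collecting only responses sees a different subset of a capture than one that also keeps queries. The following is an added example written for this page, not code from the thread, the draft or any RFC. It packs a DNS header per RFC 1035 section 4.1.1, classifies messages by their QR and RD bits, and filters a constructed capture down to responses. The message IDs, the name example.com and the address 192.0.2.1 are constructed sample values.

```python
"""Classify DNS messages by QR/RD flags and filter a capture to responses only.

Added example for the DNSOP terminology thread; not code from the thread or any
RFC. All sample messages below are constructed by hand (example.com, 192.0.2.1).
"""
import struct


def build_header(msg_id, qr, rd, ra=0, rcode=0, qdcount=1, ancount=0):
    """Pack a 12-byte DNS header (RFC 1035 s4.1.1). Opcode is QUERY; AA and TC are 0."""
    flags = (qr << 15) | (rd << 8) | (ra << 7) | (rcode & 0xF)
    return struct.pack("!HHHHHH", msg_id, flags, qdcount, ancount, 0, 0)


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in the root label."""
    if name in ("", "."):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_header(msg):
    """Unpack the header fields; flag bits follow the RFC 1035 layout."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": msg_id,
        "qr": (flags >> 15) & 1,       # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,        # recursion desired: set by stubs and forwarders
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def parse_qname(msg, offset=12):
    """Decode the first question name. A bare question name never uses compression."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels) + "."
        if length & 0xC0:
            raise ValueError("compression pointer not valid in a question name")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def classify(msg):
    """Tell a recursive (forwarded) query from an iterative one, or a response."""
    h = parse_header(msg)
    if h["qr"]:
        return "response"
    return "recursive query (RD=1)" if h["rd"] else "iterative query (RD=0)"


def passive_dns_responses_only(capture):
    """Keep only responses (QR=1), as a response-only passive DNS sensor would."""
    return [m for m in capture if parse_header(m)["qr"] == 1]


# Constructed sample messages (not captured traffic).
QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
STUB_QUERY = build_header(0x1234, qr=0, rd=1) + QUESTION            # stub or forwarder -> upstream
ITERATIVE_QUERY = build_header(0x1234, qr=0, rd=0) + QUESTION       # recursive resolver -> authoritative
A_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])  # pointer to qname at offset 12
RESPONSE = build_header(0x1234, qr=1, rd=1, ra=1, ancount=1) + QUESTION + A_RR
CAPTURE = [STUB_QUERY, ITERATIVE_QUERY, RESPONSE]

if __name__ == "__main__":
    for m in CAPTURE:
        print(classify(m), parse_qname(m))
    print(len(passive_dns_responses_only(CAPTURE)), "message(s) kept by a response-only sensor")
```

The RD bit alone distinguishes what a stub or SOHO forwarder sends upstream from what a recursive resolver sends to authoritative servers; it does not say whether the receiving server will honour it, which is the RA bit in the response. Note that both the query and the response carry the question section, so a response-only sensor still sees every name asked for; what it drops is the unanswered query stream.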
