Thank you for your thorough review, Dave. Changes will be made in an upcoming –04 revision. Some more specific comments can be found inline below.
Thanks! JL PS – I have at least one other email from you in my queue for this I-D – I've not forgotten about it. :-) On 4/29/11 7:32 PM, "Dave CROCKER" <d...@dcrocker.net<mailto:d...@dcrocker.net>> wrote: Review: Title: IPv6 AAAA DNS Whitelisting Implications I-D: draft-ietf-v6ops-v6-aaaa-whitelisting-implications-03 By: D. Crocker <dcroc...@bbiw.net<mailto:dcroc...@bbiw.net>> Date: 29 April 2011 Summary: This draft is a discussion of a technique for resolving a dual-stack problem between IPv4 and IPv6, through the use of special DNS records. The document appears to continue a recent use of the term 'whitelisting' that strongly conflicts with long-standing use of the term by the anti-abuse community. The document needs to do a more careful job of introducing the problem it is solving and the explaining the way the 'whitelisting' mechanism works. I also very strongly encourage finding a different term. [JL] There's been a great deal of discussion on the mailing list about this. While it appears the consensus is to leave it as-is, your point is well noted and I have listed this in the Open Items list of the –04 draft and will be consulting with the WG chairs for direction on the matter. d/ Abstract The objective of this document is to describe what the whitelisting of DNS AAAA resource records is, hereafter referred to as DNS RRs are whitelisted? Isn't it the addresses and not the records that are whitelisted? Does this mean putting whitelisting records into the DNS or does it mean something else? [JL] You are quite correct. Another reviewer also noted my error in this sentence and it is corrected in the –04 version. Comcast's own considerable expertise notwithstanding, has this doc been vetted with a range of organizations that actually DO whitelisting? [JL] Folks from organizations that perform or are considering IPv6 DNS whitelisting have provided feedback on the draft, which has been incorporated into previous versions. Additional feedback has been shared which will be in the –04 revision. Has it been circulated through MAAWG and APWG? Any comments from Spamhaus? The Acknowledgements list does not seem to indicate a range of whitelist ops folks whose names I know. (But then, I only know a few...) [JL] It has not specifically been sent to groups like MAAWG, as I think this form of DNS server-related whitelisting is different from mail server whitelisting. I can certainly do so, but I'm not sure those groups will be interested as it is not particularly anti-abuse related. whitelisting, as well as the implications of this emerging practice and what alternatives may exist. The audience for this document is the Internet community generally, including the IETF and IPv6 implementers. I suspect that product marketers won't have much interest in this. I suspect that the target for this is anti-abuse technical and operations staff. [JL] You are doing a good job illustrating the confusion over the use of the term 'whitelisting'. ;-) The target is actually not A/A tech and ops personnel, since the draft is specifically related to the IPv6 transition and not A/A or even messaging. <snip> 1. Introduction This document describes the emerging practice of whitelisting of DNS AAAA resource records (RRs), which contain IPv6 addresses, hereafter referred to as DNS whitelisting. The document explores the implications of this emerging practice are and what alternatives may exist. The practice of DNS whitelisting appears to have first been used by major web content sites (sometimes described herein as "highly- Really? Not for email first? [JL] You now get a +2 for further illustrating the potential for confusion over the terms. ;-) But I'm referring specifically to this (which is how the updated –04 text reads): "whitelisting of DNS recursive resolvers in order to limit AAAA resource records responses" trafficked domains" or "major domains"). These web site operators, or domain operators, observed that when they added AAAA resource records to their authoritative DNS servers in order to support IPv6 Oh. You mean /IPv6/ whitelisting. access to their content that a small fraction of end users had slow or otherwise impaired access to a given web site with both AAAA and A resource records. The fraction of users with such impaired access has been estimated to be roughly 0.078% of total Internet users [IETF-77-DNSOP] [NW-Article-DNSOP] [Evaluating IPv6 Adoption] [IPv6 Brokenness]. Thus, in an example Internet Service Provider (ISP) network of 10 million users, approximately 7,800 of those users may experience such impaired access. At a minimum, these sorts of statistics need to be normalized across IPv6 users/traffic, given how small a percentage that is in total users and total traffice. If that's what is meant it should be stated. If it isn't, the statistic should be recalculated. [JL] Not sure what you mean… I'm simply citing a statistic shared by a major website, which appears to be based on a very large set of users from around the world (from many networks). I agree it is a small percentage (and it appears to be shrinking — to be confirmed on World IPv6 Day). One of the reactions to the practice is often that it is a lot to go through for such a small percentage of users. Of course, it is now also apparent that the –03 did not adequately summarize all of the motivations for the practice and so the –04 update will list some additional ones relating to the desire to incrementally add IPv6 traffic, gradually mature IPv6 routes and operational procedures, etc. So it is my hope that a fuller picture of the motivations will emerge in the –04 update. As a result of this impairment affecting end users of a given domain, a few major domains have either implemented DNS whitelisting or are considering doing so [NW-Article-DNS-WL] [IPv6 Whitelist Operations]. How or why does whitelisting affect slow performance for these folk? [JL] If an end user has an IPv6-related impairment, they may only have an IPv4 address but the mere fact of seeing a AAAA RR response will cause them to have no access or very slow access (waiting through various client timeouts, which most users will not do) to the FQDN that had a AAAA RR. So in such cases, whitelisting is used so that these impaired users never see the AAAA RR in the response. When implemented, DNS whitelisting in practice means that a domain's authoritative DNS will return a AAAA resource record to DNS recursive resolvers [RFC1035] on the whitelist, while returning no AAAA resource records to DNS resolvers which are not on the whitelist. It Oh. The whitelisting is for resolving a conflict between AAAA and A record choices? Normally, the term 'whitelisting' is used to refer to bypass anti-abuse mechanisms. This appears to be for something else and it seems odd to call it whitelisting. [JL] You are now up to a +3 on illustrating this point. ;-) I'm going to stop counting now, because you are getting too good it it. In all seriousness, I have recorded this as one of the main open issues to be sorted out on the draft with the WG chairs. (And as you know I'm quite familiar with it's usage in the email area.) :-) Note the more typical use of the term: <http://www.dnswl.org/> <http://en.wikipedia.org/wiki/DNSBL> <http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=/com.ibm.help.domino.admin.doc/DOC/H_USING_DNS_whitelists_OVER.html> It appears that some v6 folks have chosen to co-opt a distinctive and very well established anti-abuse term for an entirely different purpose. [JL] BTW, don't shoot the messenger! ;-) I'm just documenting what's the current term being used. is important to note that these major domains are motivated by a desire to maintain a high-quality user experience for all of their users. By engaging in DNS whitelisting, they are attempting to shield users with impaired access from the symptoms of those impairments. Critics of the practice of DNS whitelisting have articulated several concerns. Among these are that: o DNS whitelisting is a very different behavior from the current practice concerning the publishing of IPv4 address resource records, o that it may create a two-tiered Internet, o that policies concerning whitelisting and de-whitelisting are opaque, Livingood Expires August 26, 2011 [Page 5] Internet-Draft IPv6 AAAA DNS Whitelisting Implications February 2011 o that DNS whitelisting reduces interest in the deployment of IPv6, Well, it certainly suggests that there is a problem handling v4/v6 in dual stack environments cleanly. And it certainly seems that dealing with the underlying problem would be better. Beyond that, this appears to be a hack that is useful but not scalable. [JL] I believe even the implementers agree with you there. I think it was Vint to may have called this useful "temporary scaffolding" but conceded that it really doesn't scale over the long-term. o that new operational and management burdens are created, well, yeah... o and that the costs and negative implications of DNS whitelisting outweigh the perceived benefits, compared to fixing underlying impairments. This document explores the reasons and motivations for DNS whitelisting. It also explores the outlined concerns regarding this practice. Readers will hopefully better understand what DNS whitelisting is, why some parties are implementing it, and what criticisms of the practice exist. -- Dave Crocker Brandenburg InternetWorking bbiw.net
_______________________________________________ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf