Re: [DNSOP] [Dailydave] DNS Poisoning via Port Exhaustion (fwd)

[Masataka Ohta]

Paul Wouters;

I think the following ID solves the problem.

http://www.ietf.org/id/draft-ohta-practically-secure-dns-00.txt

Masataka Ohta
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dnsext] [mif] 2nd Last Call for MIF DNS server selection document

[Keith Moore]

On Oct 24, 2011, at 2:08 AM, sth...@nethelp.no wrote:

>>> I can't agree with this statement.  As others have said, the practice of 
>>> using a search list to allow 'ssh foo.bar' to reach 'foo.bar.example.com' 
>>> isn't going anywhere, and there are a lot of people that make extensive use 
>>> of the convenience.
>> 
>> It needs to die because it's fundamentally broken.   Vanity TLDs will only 
>> make it worse.   I understand that there are sites that use it and people 
>> who are accustomed to it.   I don't pretend that we can stop them.   We can, 
>> however, explain the negative consequences of doing this (some of which 
>> might be specific to systems with multiple interfaces), and recommend that 
>> they transition away from that practice.   And recommendations for systems 
>> with multiple interfaces can be chosen in such a way as to allow search 
>> lists to break even more.
> 
> I routinely use short names (and thus search lists) in my work. I am
> aware of vanity domains, and of RFC 1535. Have I stopped using short
> names and search lists? No, the convenience is just too great.
> 
> In trying to stop the use of short names and search lists I believe
> you're trying to fight human nature. It's a waste of time, and unlikely
> to be productive.

Just to be clear, I'm not trying to forbid the use of search lists with "bare" 
(single-label) names.   I'm just pointing out that for the vast majority of the 
contexts in which domain names are used, the expectation is that a domain name 
that contains a "." is fully-qualified.  The need for domain names to behave 
consistently from one host to another and one application to another is much, 
much more important, than the need to apply search lists to queries of domain 
names that contain "."s.   

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dnsext] [mif] 2nd Last Call for MIF DNS server selection document

[Alex Bligh]

--On 24 October 2011 06:53:05 -0400 Keith Moore 
 wrote:



I'm just pointing out that for the vast majority of the contexts in which
domain names are used, the expectation is that a domain name that
contains a "." is fully-qualified.


This is sampling bias.

In the vast majority of contexts where domain names (term used
loosely) are used, those domain names contain at least one dot.

In the vast majority of contexts where domain names (term used
loosely) are used, those domain names are fully qualified.

It is therefore statistically unsurprising that in the vast
majority of contexts where domain with a dot in them, are used
they are fully qualified.

The question here should be "where search lists are used, are
they frequently used in combination with domain names that
are not fully qualified". I would suggest the answer to this
question is "yes". If so, then to the extent that search lists
are supported, you need to make them interwork names with
dots in them. Moreover, with a search list of "example.com",
having "mail" work, but not "mail.dev" is going to be a
pretty surprising outcome.

I think the two options are either deprecating search lists
(or not supporting them), or supporting them properly, in
which case they must be used whatever domain name is
specified, and the way to avoid using a search list
is the same old hack as before (i.e. putting a dot on the
end).

--
Alex Bligh
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dnsext] [mif] 2nd Last Call for MIF DNS server selection document

[Alex Bligh]

--On 22 October 2011 19:41:58 + Ted Lemon  wrote:


Yes.   But if a bare name is used, a bogus search list can also bypass
DNSSEC validation.


For the hard of understanding, please could you expand on this?

Doesn't the client know the full name being looked up, even with a search
list?

--
Alex Bligh
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dnsext] [mif] 2nd Last Call for MIF DNS server selection document

[Keith Moore]

On Oct 24, 2011, at 7:19 AM, Alex Bligh wrote:

> --On 24 October 2011 06:53:05 -0400 Keith Moore  
> wrote:
> 
>> I'm just pointing out that for the vast majority of the contexts in which
>> domain names are used, the expectation is that a domain name that
>> contains a "." is fully-qualified.
> 
> This is sampling bias.

No, I don't think so.  The vast majority of contexts where domain names are 
used, are contexts in which the domain is supplied by one party and (at least 
potentially) used by another party.  Email addresses, URLs, domain names 
written on advertisements and business cards, etc.  

> The question here should be "where search lists are used, are
> they frequently used in combination with domain names that
> are not fully qualified". I would suggest the answer to this
> question is "yes".

That's not a useful way to phrase the question, because there's no way for 
software to know whether or not the user intends that a name containing "." is 
fully-qualified.

> If so, then to the extent that search lists
> are supported, you need to make them interwork names with
> dots in them. Moreover, with a search list of "example.com",
> having "mail" work, but not "mail.dev" is going to be a
> pretty surprising outcome.

It will be surprising to that relatively small portion of users that relies on 
search lists being applied to multi-label names.   But overall, having a clear, 
visible distinction between names for which searching is potentially applied 
(i.e. bare or single-label names), and names for which searching is not applied 
(multi-label names) results in less surprising behavior for everyone.

> I think the two options are either deprecating search lists
> (or not supporting them), or supporting them properly, in
> which case they must be used whatever domain name is
> specified, and the way to avoid using a search list
> is the same old hack as before (i.e. putting a dot on the
> end).

Supporting search lists "properly" is NOT using them whenever a domain name is 
specified.  That makes all domain names context-sensitive, and breaks every 
application that uses domain names supplied by other parties or in other 
contexts.

Keith

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dnsext] [mif] 2nd Last Call for MIF DNS server selection document

[Alex Bligh]

--On 24 October 2011 07:29:55 -0400 Keith Moore 
 wrote:




I'm just pointing out that for the vast majority of the contexts in
which domain names are used, the expectation is that a domain name that
contains a "." is fully-qualified.


This is sampling bias.


No, I don't think so.  The vast majority of contexts where domain names
are used, are contexts in which the domain is supplied by one party and
(at least potentially) used by another party.  Email addresses, URLs,
domain names written on advertisements and business cards, etc.


Of course, but that explicitly excludes every case where a search
list is useful. That's why I'm saying you have to look at the
cases were a search list is used. In large organisations "domain names"
(used loosely) can have dots in and be expected to have
search list items appended. Given search list use is rare,
it's obviously going to be rare to have them with dots.


The question here should be "where search lists are used, are
they frequently used in combination with domain names that
are not fully qualified". I would suggest the answer to this
question is "yes".


That's not a useful way to phrase the question, because there's no way
for software to know whether or not the user intends that a name
containing "." is fully-qualified.


You are begging the question. Of course the name "foo.bar" is
ambiguous. That's precisely /why/ there is a search list, so
foo.bar is only looked up if foo.bar.example.com (or whatever)
does not exist. The existence of the "if" step means that the
software cannot know what the domain means (in the sense
of what it will ultimately resolve to) without doing a lookup.


If so, then to the extent that search lists
are supported, you need to make them interwork names with
dots in them. Moreover, with a search list of "example.com",
having "mail" work, but not "mail.dev" is going to be a
pretty surprising outcome.


It will be surprising to that relatively small portion of users that
relies on search lists being applied to multi-label names.   But overall,
having a clear, visible distinction between names for which searching is
potentially applied (i.e. bare or single-label names), and names for
which searching is not applied (multi-label names) results in less
surprising behavior for everyone.


I do not think you have established that a relatively small number
of users of search lists use multi-label names. I suspect that
is not true.


I think the two options are either deprecating search lists
(or not supporting them), or supporting them properly, in
which case they must be used whatever domain name is
specified, and the way to avoid using a search list
is the same old hack as before (i.e. putting a dot on the
end).


Supporting search lists "properly" is NOT using them whenever a domain
name is specified.  That makes all domain names context-sensitive, and
breaks every application that uses domain names supplied by other parties
or in other contexts.


I don't have RFC references to hand, but precisely for the reasons you have
set out above, I do not believe there is anything within them that search
lists should only be used if "a domain name is specified", precisely
because it's impossible to tell whether a string with dots in it is "a
domain name", or merely something to go on the front of search lists.

What you are, I think, saying, is that you want to change the behaviour of
search lists so they only work with single labels. What I'm saying is that
there are likely to be a significant number of users of search lists who
are affected by that, as they currently pass things with dots in them. A
completely unscientific analysis I know, but every internet company I have
worked with since we moved out of uucp naming has done this, and not
because I have told them to. Even current 20 person software house does
this. So, if you are going to substantially break search lists (which is
not inherently a bad idea - they have caused all sorts of trouble in times
past), you might as well just deprecate them or not support them.

--
Alex Bligh
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dnsext] [mif] 2nd Last Call for MIF DNS server selection document

[Keith Moore]

On Oct 24, 2011, at 7:55 AM, Alex Bligh wrote:

> 
> 
> --On 24 October 2011 07:29:55 -0400 Keith Moore  
> wrote:
> 
> 
 I'm just pointing out that for the vast majority of the contexts in
 which domain names are used, the expectation is that a domain name that
 contains a "." is fully-qualified.
>>> 
>>> This is sampling bias.
>> 
>> No, I don't think so.  The vast majority of contexts where domain names
>> are used, are contexts in which the domain is supplied by one party and
>> (at least potentially) used by another party.  Email addresses, URLs,
>> domain names written on advertisements and business cards, etc.
> 
> Of course, but that explicitly excludes every case where a search
> list is useful.

That's the point - search lists are not appropriate most of the time, and it's 
very hard for software to distinguish the cases where they are potentially 
appropriate from the cases when they're not, and it's not possible for software 
to do this in all cases.

The presence or absence of a '.' is a simple and easily-understood convention.  
It might be somewhat inconvenient for large organizations that currently rely 
on search lists for multi-label names, but overall that's a small price to pay 
in exchange for having consistent behavior of domain names across the board.  

The only reason that those organizations have managed to get away with it so 
far is that TLDs (particularly TLDs with more than 2 characters) have been 
relatively few in number.  But with vanity TLDs this will no longer be the case.

>>> The question here should be "where search lists are used, are
>>> they frequently used in combination with domain names that
>>> are not fully qualified". I would suggest the answer to this
>>> question is "yes".
>> 
>> That's not a useful way to phrase the question, because there's no way
>> for software to know whether or not the user intends that a name
>> containing "." is fully-qualified.
> 
> You are begging the question. Of course the name "foo.bar" is
> ambiguous.

No, it's not ambiguous.  It's fully qualified.  

> That's precisely /why/ there is a search list, so
> foo.bar is only looked up if foo.bar.example.com (or whatever)
> does not exist.

That's insane.   That allows a local enterprise to change the meaning of every 
domain name.  Domain names are supposed to have the same meaning everywhere in 
the Internet.

>>> If so, then to the extent that search lists
>>> are supported, you need to make them interwork names with
>>> dots in them. Moreover, with a search list of "example.com",
>>> having "mail" work, but not "mail.dev" is going to be a
>>> pretty surprising outcome.
>> 
>> It will be surprising to that relatively small portion of users that
>> relies on search lists being applied to multi-label names.   But overall,
>> having a clear, visible distinction between names for which searching is
>> potentially applied (i.e. bare or single-label names), and names for
>> which searching is not applied (multi-label names) results in less
>> surprising behavior for everyone.
> 
> I do not think you have established that a relatively small number
> of users of search lists use multi-label names. I suspect that
> is not true.

My assumption is that search lists in conjunction with multi-label names are 
mostly used within fairly large enterprises, but search lists are potentially 
in much wider use.

>>> I think the two options are either deprecating search lists
>>> (or not supporting them), or supporting them properly, in
>>> which case they must be used whatever domain name is
>>> specified, and the way to avoid using a search list
>>> is the same old hack as before (i.e. putting a dot on the
>>> end).
>> 
>> Supporting search lists "properly" is NOT using them whenever a domain
>> name is specified.  That makes all domain names context-sensitive, and
>> breaks every application that uses domain names supplied by other parties
>> or in other contexts.
> 
> I don't have RFC references to hand, but precisely for the reasons you have
> set out above, I do not believe there is anything within them that search
> lists should only be used if "a domain name is specified", precisely
> because it's impossible to tell whether a string with dots in it is "a
> domain name", or merely something to go on the front of search lists.
> 
> What you are, I think, saying, is that you want to change the behaviour of
> search lists so they only work with single labels. What I'm saying is that
> there are likely to be a significant number of users of search lists who
> are affected by that, as they currently pass things with dots in them.

No disagreement on that point.  But search lists always have been broken.  It's 
just unfortunate that DNS APIs have supported them for so long, and their 
behavior has become entrenched in several organizations (including some that 
ought to know better).

My belief is that local names (i.e. bare or single-label names) are useful and 
necessary but their beh

Re: [DNSOP] [dhcwg] [dnsext] [mif] 2nd Last Call for MIF DNS server selection document

[Danny Mayer]

On 10/23/2011 7:49 PM, Mark Andrews wrote:
> 
> In message <96472fb7-8425-4928-8f55-2abf2cb59...@conundrum.com>, Matthew 
> Pounse
> tt writes:
>>
>> On 2011/10/22, at 15:21, Keith Moore wrote:
>>
>>>
>>> On Oct 22, 2011, at 2:42 PM, Doug Barton wrote:
>>>
 1. I think we're all in agreement that dot-terminated names (e.g.,
 example.) should not be subject to search lists. I personally don't have
 any problems with any document mentioning that this is the expected
 behavior.
>>>
>>> agree.  however there are standard protocols for which a trailing dot in a 
>> domain name is a syntax error.
>>
>> Any protocol that makes a standard FQDN a syntax error is itself in error.  N
>> ot to say that these don't exist, but if people are writing protocols that ca
>> n't deal with a properly formatted FQDN they need to stop.  Now.
> 
> Except it isn't a standard hostname.  Periods *seperate* labels in
> hostnames RFC 952.  They DO NOT appear at the end of hostnames.
> 
> Appending a period to the end of a name is user interface hack to
> prevent searching.  If is also a way to prevent the appending of
> the current origin to all names in a DNS master file as the current
> origin is always appended if it isn't done.
> 
> In addition single labels are not HEIRACHICAL / DOMAIN STYLE names
> as envisioned when we went from a flat namespace of simple hostnames
> to a heirarchical namespace.
> 
>   foo.bar is a heirachical hostname.
>   bar is a simple hostname.
> 
> Why are we trying to bring them back on a global context?

I'm not even sure why we are having this discussion. You are right, of
course.

DNS doesn't know anything about search lists, nor does it care. Any
valid string presented to DNS is by definition a FQDN and DNS will
proceed accordingly. If the application choosing to consult a domain
search list it's up to that application, but DNS is not involved in the
consultation.

Danny
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dnsext] [mif] 2nd Last Call for MIF DNS server selection document

[Keith Moore]

On Oct 24, 2011, at 4:52 PM, Doug Barton wrote:

> On 10/24/2011 05:16, Keith Moore wrote:
>> That's the point - search lists are not appropriate most of the time, and 
>> it's very hard for software to distinguish the cases where they are 
>> potentially appropriate from the cases when they're not, and it's not 
>> possible for software to do this in all cases.
> 
> There's been something missing from this discussion, and I finally put
> my finger on it. TMK most stub resolvers have an option similar to this
> one from ISC's:
> 
> ndots:n
>sets a threshold for the number of dots which
>must appear in a name given to res_query() (see
>resolver(3)) before an initial absolute query
>will be made.  The default for n is “1”, mean‐
>ing that if there are any dots in a name, the
>name will be tried first as an absolute name
>before any search list elements are appended to
>it.
> 
> So it seems that this question is already a matter of local policy,
> which given the number and quality of the divergent views seems
> eminently reasonable. Can we move on now?

No, because relying on "local policy" is not sufficient for interoperability.

I think there's a need for IETF to document why any other value than 1 is a Bad 
Idea, and more to the point, why it will break things.The problem isn't 
entirely specific to hosts with multiple interfaces.  But given that using 
multiple interfaces makes the problem worse, MIF might want to take on some of 
the work of documenting why it will break things.

Keith

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dnsext] [mif] 2nd Last Call for MIF DNS server selection document

[Doug Barton]

On 10/24/2011 05:16, Keith Moore wrote:
> That's the point - search lists are not appropriate most of the time, and 
> it's very hard for software to distinguish the cases where they are 
> potentially appropriate from the cases when they're not, and it's not 
> possible for software to do this in all cases.

There's been something missing from this discussion, and I finally put
my finger on it. TMK most stub resolvers have an option similar to this
one from ISC's:

ndots:n
sets a threshold for the number of dots which
must appear in a name given to res_query() (see
resolver(3)) before an initial absolute query
will be made.  The default for n is “1”, mean‐
ing that if there are any dots in a name, the
name will be tried first as an absolute name
before any search list elements are appended to
it.

So it seems that this question is already a matter of local policy,
which given the number and quality of the divergent views seems
eminently reasonable. Can we move on now?


Doug

-- 

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dnsext] [mif] 2nd Last Call for MIF DNS server selection document

[Doug Barton]

On 10/24/2011 13:58, Keith Moore wrote:
> 
> On Oct 24, 2011, at 4:52 PM, Doug Barton wrote:
> 
>> On 10/24/2011 05:16, Keith Moore wrote:
>>> That's the point - search lists are not appropriate most of the time, and 
>>> it's very hard for software to distinguish the cases where they are 
>>> potentially appropriate from the cases when they're not, and it's not 
>>> possible for software to do this in all cases.
>>
>> There's been something missing from this discussion, and I finally put
>> my finger on it. TMK most stub resolvers have an option similar to this
>> one from ISC's:
>>
>> ndots:n
>>sets a threshold for the number of dots which
>>must appear in a name given to res_query() (see
>>resolver(3)) before an initial absolute query
>>will be made.  The default for n is “1”, mean‐
>>ing that if there are any dots in a name, the
>>name will be tried first as an absolute name
>>before any search list elements are appended to
>>it.
>>
>> So it seems that this question is already a matter of local policy,
>> which given the number and quality of the divergent views seems
>> eminently reasonable. Can we move on now?
> 
> No, because relying on "local policy" is not sufficient for interoperability.

I don't see how local resolution issues feed into interoperability here.

> I think there's a need for IETF to document why any other value than 1 is a 
> Bad Idea, and more to the point, why it will break things.The problem 
> isn't entirely specific to hosts with multiple interfaces.  But given that 
> using multiple interfaces makes the problem worse, MIF might want to take on 
> some of the work of documenting why it will break things.

That seems to be an opinion of yours that isn't widely shared.



-- 

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dnsext] [mif] 2nd Last Call for MIF DNS server selection document

[Lawrence Conroy]

Hi there Doug, Keith, folks,
 Speaking of broken mechanisms ... how many dots?
arstechnica.com is OK
  co.uk is not OK

ndots strikes me as a chocolate soldier in the fire used to warm the chocolate 
teapot that is search lists.

At best these are context dependent (and keep IT support in business). At worst 
...
 one day I WILL be arrested for tazering the bean counter (why is it always one 
of
 those?) who insists that "intranet" is a fine web server name useful anywhere.

[I came damn close a few times with Yankee hotel reservations accessible only 
via
 1-800 'phone numbers]

Speaking of interoperability -- the comment "it works for everyone here" is not
 a good sign that the solution is interoperable.

IMO, search lists and ndots are both abominations, and should not be given the 
oxygen of publicity.

all the best,
  Lawrence



On 24 Oct 2011, at 21:52, Doug Barton wrote:
> On 10/24/2011 05:16, Keith Moore wrote:
>> That's the point - search lists are not appropriate most of the time, and 
>> it's very hard for software to distinguish the cases where they are 
>> potentially appropriate from the cases when they're not, and it's not 
>> possible for software to do this in all cases.
> 
> There's been something missing from this discussion, and I finally put
> my finger on it. TMK most stub resolvers have an option similar to this
> one from ISC's:
> 
> ndots:n
>sets a threshold for the number of dots which
>must appear in a name given to res_query() (see
>resolver(3)) before an initial absolute query
>will be made.  The default for n is “1”, mean‐
>ing that if there are any dots in a name, the
>name will be tried first as an absolute name
>before any search list elements are appended to
>it.
> 
> So it seems that this question is already a matter of local policy,
> which given the number and quality of the divergent views seems
> eminently reasonable. Can we move on now?

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dhcwg] [dnsext] [mif] 2nd Last Call for MIF DNS server selection document

[Keith Moore]

On Oct 24, 2011, at 6:50 PM, Jeffrey Hutzelman wrote:

>>> So it seems that this question is already a matter of local policy,
>>> which given the number and quality of the divergent views seems
>>> eminently reasonable. Can we move on now?
>> 
>> No, because relying on "local policy" is not sufficient for interoperability.
> 
> For interoperability, one can use absolute names, with the trailing dot,

uh, no.   Names with trailing dots aren't allowed in many contexts.   And in 
some of the contexts in which they are allowed, they get "canonicalized" to 
names without trailing dots.

> or specify that in the context of whatever protocol, all names are to be
> taken as relative to the root, or use other than a printed
> representation.

...so a DNS name means different things in one context than in another.  Bad 
Idea.

>  In some cases this may require that implementations use
> resolver interfaces which make it clear that a name to be resolved is
> absolute, or that they append the empty label to relative names before
> passing them on to the resolver.
> 
> On the other hand, in user interface, which is primarily where relative
> names are intended to be used, local policy is quite sufficient.

no.  Domain names are written on buses, billboards, business cards.  They do 
get transcribed, quite often actually, and they need to have the same meanings 
when typed in as they do when clicked on.

In a small number of cases, where a user gets immediate feedback after he types 
in the name and before a host attempts to contact a server, it might be 
sufficient to "canonicalize" a name, show the user how the name will actually 
be interpreted, and let him click "ok" before contacting the server.   But even 
then, what if the "canonicalization" is wrong?  How is the user supposed to 
know how to tell the software to treat the name as an FQDN?  If he types in the 
'.', the dot will disappear when the name is canonicalized.   That's not 
exactly effective reinforcement.   It says to the user "you should not have 
typed in that final dot".  And the practice of not using a trailing "." is 
nearly universal.  Changing that practice is much harder than changing from 
IPv4 and IPv6.

Some people are working way too hard to try to save something that was never a 
good idea in the first place.   

I'm not arguing that all software that currently applies searching to names 
with dots in them has to die a violent death, and immediately either be updated 
or deleted from all computers everywhere (as if...).  I'm just saying that IETF 
should recommend against the practice of using search lists with multi-label 
names, and document the harm that it does.  Sites can still do it if they want 
to, or they can manage their own transitions away from using search paths for 
such names, on their own timeframes.   After all, this has been a practice for 
~30 years in some places, nobody should expect it all to change overnight.

>  As long as I and the software on my machine agree on what a name I type 
> means, it's none of the IETF's business.

(So what?  It's also none of IETF's business if you ___  < pick 
anything that is utterly senseless here)

Of course, you can do whatever you want.  But IETF should promote practices 
that make good sense, even though we realize that some people will decide for 
themselves to not follow them.

> Can an enterprise change the name of every domain name?  On machines
> they control, yes.

Of course they can.  But it makes absolutely no sense for IETF to bless that 
practice or to ignore it when we know that it does harm.  

The presumption of the standards is that you want your machines to interoperate 
with other machines.  If you don't want interoperability, have a day - screw 
things up however you want.  (as long as you only affect your own machines, of 
course.).  Nobody's forcing you to keep your machines conforming.

> While I agree wholeheartedly with the notion of a unique domain name
> space, I also believe that mapping a relative or abbreviated name onto
> that namespace is _entirely_ a matter of local policy.

That's a convenient philosophy if you _only_ care that local things 
interoperate with one another.

>  It is perhaps
> appropriate for the IETF to provide mechanisms for distributing that
> policy, for those who wish to use them, but not to dictate what the
> policy must be.

IETF's job is to help the Internet work,  not to endorse every bit of local 
brain damage that people are attached to.

> Do things get worse as new TLDs appear?  Yes, sometimes.

Be prepared for it to happen more often.  Do you really want to rethink your 
naming scheme every time someone creates a vanity TLD that happens to collide 
with some subdomain of cmu.edu?   Even if that's only once every year or three, 
how often does it need to happen before it's no longer worth the trouble?

I mean, I'm sure that the relevant people at CMU are quite capable of 
evaluating that decision for thems

Re: [DNSOP] [dnsext] [mif] 2nd Last Call for MIF DNS server selection document

[Mark Andrews]

In message , Lawrence Con
roy writes:
> Hi there Doug, Keith, folks,
>  Speaking of broken mechanisms ... how many dots?
> arstechnica.com is OK
>   co.uk is not OK
> 
> ndots strikes me as a chocolate soldier in the fire used to warm the 
> chocolate teapot that is search lists.
> 
> At best these are context dependent (and keep IT support in business). At 
> worst ...
>  one day I WILL be arrested for tazering the bean counter (why is it 
> always one of
>  those?) who insists that "intranet" is a fine web server name useful 
> anywhere.
> 
> [I came damn close a few times with Yankee hotel reservations accessible 
> only via
>  1-800 'phone numbers]
> 
> Speaking of interoperability -- the comment "it works for everyone here" 
> is not
>  a good sign that the solution is interoperable.
> 
> IMO, search lists and ndots are both abominations, and should not be 
> given the oxygen of publicity.
> 
> all the best,
>   Lawrence
> 
> 
> 
> On 24 Oct 2011, at 21:52, Doug Barton wrote:
> > On 10/24/2011 05:16, Keith Moore wrote:
> >> That's the point - search lists are not appropriate most of the time, 
> and it's very hard for software to distinguish the cases where they are 
> potentially appropriate from the cases when they're not, and it's not 
> possible for software to do this in all cases.
> > 
> > There's been something missing from this discussion, and I finally put
> > my finger on it. TMK most stub resolvers have an option similar to this
> > one from ISC's:
> > 
> > ndots:n
> >sets a threshold for the number of dots which
> >must appear in a name given to res_query() (see
> >resolver(3)) before an initial absolute query
> >will be made.  The default for n is “1”, mean‐
> >ing that if there are any dots in a name, the
> >name will be tried first as an absolute name
> >before any search list elements are appended to
> >it.
> > 
> > So it seems that this question is already a matter of local policy,
> > which given the number and quality of the divergent views seems
> > eminently reasonable. Can we move on now?
> 
> ___
> dnsext mailing list
> dns...@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext

In many cases when ndots is not 1 there are no DNS entries that
will match ..  That said the set of
 is growing so it is going to get harder and harder to
ensure that this condition is being met.

Walled gardens shouldn't be creating their own TLDs.  ISP's, hotspots,
etc. should not be search list at all.  The definitely should not
be relying on "label" being found on a search list.

As far as I can tell there are only two places where setting search
list make sense.

1. Enterprises.
2. Homes.

Everywhere else you DO NOT control the machine requesting the address
and setting search lists could actually result in criminal prosecution.
Just because the machine requested a search list it doesn't mean
that you should be supplying one.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dhcwg] [dnsext] [mif] 2nd Last Call for MIF DNS server selection document

[Jeffrey Hutzelman]

On Mon, 2011-10-24 at 16:58 -0400, Keith Moore wrote:
> On Oct 24, 2011, at 4:52 PM, Doug Barton wrote:
> 
> > On 10/24/2011 05:16, Keith Moore wrote:
> >> That's the point - search lists are not appropriate most of the time, and 
> >> it's very hard for software to distinguish the cases where they are 
> >> potentially appropriate from the cases when they're not, and it's not 
> >> possible for software to do this in all cases.
> > 
> > There's been something missing from this discussion, and I finally put
> > my finger on it. TMK most stub resolvers have an option similar to this
> > one from ISC's:
> > 
> > ndots:n
> >sets a threshold for the number of dots which
> >must appear in a name given to res_query() (see
> >resolver(3)) before an initial absolute query
> >will be made.  The default for n is “1”, mean‐
> >ing that if there are any dots in a name, the
> >name will be tried first as an absolute name
> >before any search list elements are appended to
> >it.
> > 
> > So it seems that this question is already a matter of local policy,
> > which given the number and quality of the divergent views seems
> > eminently reasonable. Can we move on now?
> 
> No, because relying on "local policy" is not sufficient for interoperability.

For interoperability, one can use absolute names, with the trailing dot,
or specify that in the context of whatever protocol, all names are to be
taken as relative to the root, or use other than a printed
representation.  In some cases this may require that implementations use
resolver interfaces which make it clear that a name to be resolved is
absolute, or that they append the empty label to relative names before
passing them on to the resolver.

On the other hand, in user interface, which is primarily where relative
names are intended to be used, local policy is quite sufficient.  As
long as I and the software on my machine agree on what a name I type
means, it's none of the IETF's business.

Can an enterprise change the name of every domain name?  On machines
they control, yes.


While I agree wholeheartedly with the notion of a unique domain name
space, I also believe that mapping a relative or abbreviated name onto
that namespace is _entirely_ a matter of local policy.  It is perhaps
appropriate for the IETF to provide mechanisms for distributing that
policy, for those who wish to use them, but not to dictate what the
policy must be.




> I think there's a need for IETF to document why any other value than 1
>  is a Bad Idea, and more to the point, why it will break things.

It's not a Bad Idea, and it doesn't break things, or at least not so
badly that the convenience isn't worth it.  In this, I speak from years
of operational experience, not only of personal use of also that of the
many users of systems I operate support.

Do things get worse as new TLDs appear?  Yes, sometimes.

Have we mostly had to abandon use of relative names ending in .cs and
other two-letter suffixes?  Yes, but we _mostly_ didn't use them anyway,
due to our deep namespace and the appearance of those domains in our
search list (here, "foo.bar" usually means "foo.bar.cs.cmu.edu").

Does that mean we're abandoning "options ndots:2"?  Not aggressively.
It has faded over time, but more due to a failure to actively apply it
to newer systems than to any conscious decision that it's a problem.

Further, given this position, I wonder why you think even a value of 1
is acceptable in the face of vanity TLDs.  I know why I do, both from
the perspective of an IETF (it's a local policy matter, period) and for
myself (search for local names first, don't trust DNS results (yet) for
security, and write absolute names when you want to bypass search
lists).


> The
>  problem isn't entirely specific to hosts with multiple interfaces. 
>  But given that using multiple interfaces makes the problem worse, MIF
>  might want to take on some of the work of documenting why it will
>  break things.

I can see how using an untrusted search list makes it worse.

I can also see how using multiple sets of nameservers which provide
different views of the namespace makes things worse, and I can see how
using multiple interfaces makes this more likely.  But, that has nothing
to do with search lists and occurs even if every name is always treated
as absolute.  I can see two answers to this:

1) Use DNSSEC
2) Don't trust results from unsecured DNS for anything important.

I fail to see how using multiple interfaces makes the problem worse, in
itself.  Can you elaborate?

-- Jeff

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dhcwg] [dnsext] [mif] 2nd Last Call for MIF DNS server selection document

[Jeffrey Hutzelman]

On Mon, 2011-10-24 at 19:30 -0400, Keith Moore wrote:
> On Oct 24, 2011, at 6:50 PM, Jeffrey Hutzelman wrote:
> 
> >>> So it seems that this question is already a matter of local policy,
> >>> which given the number and quality of the divergent views seems
> >>> eminently reasonable. Can we move on now?
> >> 
> >> No, because relying on "local policy" is not sufficient for 
> >> interoperability.
> > 
> > For interoperability, one can use absolute names, with the trailing dot,
> 
> uh, no.   Names with trailing dots aren't allowed in many contexts.  
>  And in some of the contexts in which they are allowed, they get
>  "canonicalized" to names without trailing dots.

Yup; that's a problem.  And I agree that changing it may not be the most
practical solution to the problem.


> 
> > or specify that in the context of whatever protocol, all names are to be
> > taken as relative to the root, or use other than a printed
> > representation.
> 
> ...so a DNS name means different things in one context than in another.  Bad 
> Idea.

Hm?  Not at all.  Really, only unambiguous names ought to ever appear on
the wire.  One way for a protocol to do that is too use absolute names
exclusively; another is to use "relative" names which are always
relative to the root; this is the same as using absolute names without
the trailing dot.  Another is to use names relative to some unambiguous
origin, as is done in DNS master files.

The important thing is that a name always mean the same thing, not that
it be represented the same way in all protocols.


> >  In some cases this may require that implementations use
> > resolver interfaces which make it clear that a name to be resolved is
> > absolute, or that they append the empty label to relative names before
> > passing them on to the resolver.
> > 
> > On the other hand, in user interface, which is primarily where relative
> > names are intended to be used, local policy is quite sufficient.
> 
> no.  Domain names are written on buses, billboards, business cards. 
>  They do get transcribed, quite often actually, and they need to have
>  the same meanings when typed in as they do when clicked on.

Yup, that's a problem, too, in many ways.  Of course, such names should
always be fully-qualified; you can't expect useful results if you use a
relative name on the side of a bus.  Or at least, you can't unless you
really meant an absolute name but left off the trailing dot, which is
what everyone will think you meant anyway.


> Some people are working way too hard to try to save something that was
>  never a good idea in the first place.   
> 
> I'm not arguing that all software that currently applies searching to
>  names with dots in them has to die a violent death, and immediately
>  either be updated or deleted from all computers everywhere (as
>  if...).  I'm just saying that IETF should recommend against the
>  practice of using search lists with multi-label names, and document
>  the harm that it does.  Sites can still do it if they want to, or they
>  can manage their own transitions away from using search paths for such
>  names, on their own timeframes.   After all, this has been a practice
>  for ~30 years in some places, nobody should expect it all to change
>  overnight.

Right.  That's what local policy _is_.
Of course it's reasonable for the IETF to recommend default policy, and
describe some of the pitfalls associated with other possible policies.
And I certainly agree that ndots:1 is a reasonable default policy that
will work for most people while causing few problems.  Which makes it
convenient that it's what most vendors already do today.

> > While I agree wholeheartedly with the notion of a unique domain name
> > space, I also believe that mapping a relative or abbreviated name onto
> > that namespace is _entirely_ a matter of local policy.
> 
> That's a convenient philosophy if you _only_ care that local things
>  interoperate with one another.

I only care that abbreviated names work for local things.  For non-local
things, I find it acceptable that fully-qualified names must be used to
obtain interoperability.


> > Further, given this position, I wonder why you think even a value of 1
> > is acceptable in the face of vanity TLDs.


> Because (a) local names are essential, (b) the ability to distinguish
>  local names from FQDNs is also essential, and (c) use of a
>  single-label name as a local name (meaning, a name subject to local
>  interpretation) is a very widespread and well-entrenched practice.  
>  Sites that associate address (or MX) records with vanity TLDs will
>  lose, and they deserve to lose.

OK; on these points we agree.

Note, however, that to me "local interpretation" means as defined by me
and whoever else is involved in setting policy for me, and _not_ as
defined by the coffee shop I happen to be sitting in.  IMHO, local names
are useless if I cannot depend on their meaning.

Ideally, it would be desirable to have an interoperable way to 

Re: [DNSOP] [dhcwg] [dnsext] [mif] 2nd Last Call for MIF DNS server selection document

[Jeffrey Hutzelman]

On Sat, 2011-10-22 at 11:42 -0700, Doug Barton wrote:

> In regards to 3, let's say I have a domain, example.org. In my network I
> have various subdomains that represent various network segments, let's
> say foo, bar, and baz. Personally, I find it convenient to put
> 'example.com' in the search list for all of my hosts, and then type 'ssh
> host.bar' and go off on my merry way. Yes, I understand that in my
> simple example I could theoretically put all 3 subdomains in the search
> list. Now assume that my network isn't actually that simple ...

For example, suppose that each of foo, bar, and baz in turn has a number
of subdomains, and that the total number of such 4th-level domains is
over 250.  Now, imagine that major resolver implementations limit the
search list to a total of 6 domains...



___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop