[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Fwd: Request for Advice on VGRS IDN Announcement]

To: paf@cisco.com (Patrik Fältström)
Subject: Re: [Fwd: Request for Advice on VGRS IDN Announcement]
From: Ted Hardie <Ted.Hardie@nominum.com>
Date: Tue, 7 Jan 2003 11:29:02 -0800 (PST)
Cc: iab@ietf.org, iesg@ietf.org, leslie@thinkingcat.com (Leslie Daigle)
Delivery-date: Tue, 07 Jan 2003 11:31:39 -0800
Envelope-to: iesg-hack@psg.com
In-reply-to: <F32C268A-2208-11D7-B91E-0003934B2128@cisco.com> from "Patrik Fältström" at Jan 07, 2003 07:26:26 AM
List-help: <mailto:iesg-request@ietf.org?subject=help>
List-id: <iesg.ietf.org>
List-post: <mailto:iesg@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/iesg>,<mailto:iesg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/iesg>,<mailto:iesg-request@ietf.org?subject=unsubscribe>
Sender: Randy Bush <randy@psg.com>

Rob, Harald, Ran, and I have also been talking about this, and there
are a couple of issues that have come up in those discussions you
don't mention.

Architectural items at stake:

1) This scheme puts the data integrity of the DNS at stake by
converting a negative answer to a positive answer. 

2) Predictability is lost because one set of TLDs behaves this
way, but the behavior is neither uniform across TLDs nor
carried into other parts of the DNS.  This means interoperability
is at risk.

On the first point, I personally believe that this behavior is a major
protocol error.  There is a set of data in the zone and specified
behavior for queries against that set, and there is a disjoint set of
data excluded from the zone and specified behavior for queries against
that set.  They fail to follow the specification for queries against
the second set.

Rob has noted that you can treat this behavior differently, presuming
that they eliminate the second set by including umpteen zillion new
registrations.  If that is the case, then the queries against the new
entries in the first set should follow the same pattern as those for
any other entry in the set.  Traces of queries against this set show
that this is not the case.  Rob's data shows that queries for A
records like www.\248l.com return IP addresses, but that queries for
NS records for \248l.com return NXDOMAIN.  This is not the same
behavior as for the original members of the set.

Moreover, this appears to be the registry adding the registrations,
not the registrar, and this appears to bypass all the normal
coordination among the registrars and the registry.  That, in turn,
means that normal methods of following data from one protocol to
another (like whois or EPP) will fail.

In addition, this behavior means that the .com and .net zones cannot
be signed according to any of the current proposals for
DNSSEC. Opt-sideways, as Rob calls the proposal which would otherwise
trigger spam filters, is spec'ed for delegation-only zones which
.com and .net are no longer.

Lastly, I would like to note that parallels between this behavior and
the behavior of specific clients misses an important point: a user or
organization that wishes to comply with the specs can change client
implementations, but they cannot change operators for a zone.  While
I am sympathetic to the concern, I believe we can and should address
the issues related to the operation of the infrastructure separately
from the issues related to client implementations.
				regards,
					Ted

Follow-Ups:
- Re: [Fwd: Request for Advice on VGRS IDN Announcement]
  - From: Patrik Fältström <paf@cisco.com>

References:
- Re: [Fwd: Request for Advice on VGRS IDN Announcement]
  - From: Patrik Fältström <paf@cisco.com>

Prev by Date: an added factor in the idn question?
Next by Date: I'm back
Previous by thread: Re: [Fwd: Request for Advice on VGRS IDN Announcement]
Next by thread: Re: [Fwd: Request for Advice on VGRS IDN Announcement]
Index(es):
- Date
- Thread