Re: Review of: draft-ietf-v6ops-v6-aaaa-whitelisting-implications-03

Hi John - Thanks for the detailed review. I'm planning a -04 update soon, FWIW. 

Specific responses inline below.

Thx,
Jason


On 5/2/11 7:44 PM, "John Leslie" <john@xxxxxxx> wrote:

Livingood, Jason <Jason_Livingood@xxxxxxxxxxxxxxxxx> wrote:
To: John Leslie <john@xxxxxxx>...
As I read it, this says that certain DNS servers will be configured
to _not_ return AAAA records to AAAA queries by default.
This strikes me as a really-strange transition mechanism.
Depends on a number of factors for a content provider.

   Actually, no -- none of these factors make me feel it's any less than
_REALLY_ strange.

The more traffic a domain receives the more likely they are to consider
this practice as a transition mechanism from what I have observed.

   "Transition mechanism" is really-close to an oxymoron.

This practice can give a large domain some level of control in turning
on IPv6 access to their content, whereas they would lack this since
they would turn it on for everyone when publishing the AAAA RR in the
DNS.

   It doesn't give nearly as much control as they seem to think it does.
This blocks AAAA records, not based on the host interested in using them,
but based on some feature (IP address?) of the intermediate DNS resolver.

[JL] Quite so, and many in the WG feel it is difficult to use the resolver as a proxy for end use host IPv6-related impairment. Nevertheless, implementers feel it is good enough and the best available mechanism, and works reliably enough for their (temporary) use. 

It's traditional to configure hosts to use two (or more) DNS resolvers
to minimize the delays and disruptions.

   It will be very common for an end-host to alternate AAAA-requests
between one resolver which happens to be AAAA-blocked and another which
happens to be "whitelisted". I cringe in fear of taking the support
calls from such customers.

[JL] You and me both!!  ;-)

Once a comfort level and operational stability is achieved I would
expect most domains to move away from the practice, but that is TBD.

   I would expect a painful number of domains to forget it's there. :^(

[JL] Fair enough – which is why the 'risk of operational momentum' has been noted in the I-D. I don't know if it'll happen with this practice, but it would not be the first time that a temporary mechanism becomes a foundational one.

Certainly what happens on World IPv6 Day will bear on this question
in important ways (when AAAA RRs are published without the use of
DNS whitelisting).

   I predict a majority will turn off AAAA records for their regular
www.example.com on WorldIPv6Day+1.

[JL] To some extent this is expected — everyone will want to do some data analysis afterwards before they make a decision on what to do next. But certainly Heise Online (as cited in the I-D) and others feel the risk was low enough on their domains to go ahead and publish a AAAA RR. Every domain will be different and make the decision on their own.

   But that's OK: there are other ways to make progress.

   And the pressure should probably be applied to browser-software writers,
so that when an end-user finds himself IPv6-impaired, he can simply shift
to a different browser,

    Color me thoroughly confused.
Hopefully that's more over the practice than the document;

   Indeed, I _am_ more confused by the practice than the document.

   But the document is confusing enough! What does it encourage me to
_do_?

[JL] Suggest I simplify the document, I'm sure. ;-) I've made some effort to do this for the -04 version based on all the feedback on -03. I'm also planning a top-to-bottom simplification after the -04. So, point well-taken. :-)


if you wish to see improvements in the I-D just say so.

   Personally, I wish you'd do a nearly-global

s/DNS whitelisting/AAAA-blocking/

   It's a much more descriptive term.

[JL] The naming of the practice is noted as an Open Item in the draft, so I'll be discussing that with the WG chairs.

   Also, I'd appreciate less of "this solve a transition problem" and
more of "this doesn't even do what the folks seem to think it does".

   It's arguably reasonable to AAAA-block to DNS resolvers whose
managers ask for it; but it's not at all reasonable to AAAA-block by
default. IMHO, it would be better to tell folks that ask you to
AAAA-block to switch to resolver software that can AAAA-block to
certain end-users. After all, the problem _isn't_ localized on the
DNS resolver.

   And the document does nothing to help me figure out what to do to
enable a venturesome customer to _use_ IPv6 to a site that turns on
this AAAA-blocking!

   :^( :^(

[JL] All good feedback – thanks!

Jason




--
John Leslie <john@xxxxxxx>

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
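As an added illustration, not part of the draft or of either author's message, here is a small Python model of the practice discussed in the thread: an authoritative server that answers AAAA queries only when the querying resolver's source address is on a whitelist, plus a stub host that alternates between a whitelisted and a non-whitelisted resolver. All addresses are constructed from documentation prefixes (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 2001:db8::/32), and the class and function names are assumptions made for this example.

```python
"""Model of resolver-keyed AAAA whitelisting ("AAAA-blocking") and the
inconsistent answers a dual-resolver host can observe.

Added example; every name and address below is constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import cycle

# Constructed records for www.example.com (RFC 5737 / RFC 3849 documentation space).
A_RECORDS = ["192.0.2.10"]
AAAA_RECORDS = ["2001:db8::10"]


class AuthoritativeServer:
    """Authoritative server that returns AAAA RRs only to whitelisted resolvers."""

    def __init__(self, whitelist):
        # Whitelist entries are resolver source prefixes, e.g. "203.0.113.0/24".
        self.whitelist = [ip_network(n) for n in whitelist]

    def is_whitelisted(self, resolver_ip):
        addr = ip_address(resolver_ip)
        return any(addr in net for net in self.whitelist)

    def answer(self, qtype, resolver_ip):
        """Answer a query as seen from the resolver at resolver_ip."""
        if qtype == "A":
            return list(A_RECORDS)
        if qtype == "AAAA":
            # The policy is keyed on the resolver's address, not on whether the
            # end host behind that resolver actually has working IPv6.
            return list(AAAA_RECORDS) if self.is_whitelisted(resolver_ip) else []
        return []


@dataclass
class Resolver:
    """Recursive resolver with a trivial per-qtype cache for one name."""
    ip: str
    auth: AuthoritativeServer
    cache: dict = field(default_factory=dict)

    def resolve(self, qtype):
        if qtype not in self.cache:
            self.cache[qtype] = self.auth.answer(qtype, self.ip)
        return self.cache[qtype]


class Host:
    """Stub resolver that round-robins its queries across configured resolvers."""

    def __init__(self, resolvers):
        self._next = cycle(resolvers)

    def lookup(self, qtype):
        """Return (resolver used, answer) for one query."""
        resolver = next(self._next)
        return resolver.ip, resolver.resolve(qtype)


def audit_aaaa_visibility(resolvers, qtype="AAAA"):
    """Compare one name's AAAA answer across a host's resolvers.

    Returns (consistent, {resolver_ip: answer}). A False result means the host
    will see AAAA RRs from some resolvers and none from others, depending on
    which resolver it happens to ask.
    """
    answers = {r.ip: tuple(r.resolve(qtype)) for r in resolvers}
    consistent = len(set(answers.values())) <= 1
    return consistent, answers


if __name__ == "__main__":
    auth = AuthoritativeServer(["203.0.113.0/24"])  # constructed whitelist
    listed = Resolver("203.0.113.53", auth)          # whitelisted resolver
    unlisted = Resolver("198.51.100.53", auth)       # not whitelisted
    host = Host([listed, unlisted])
    for _ in range(4):
        print(host.lookup("AAAA"))
    print(audit_aaaa_visibility([listed, unlisted]))
```

Running the block alternates between an answer with the AAAA RR and an empty answer, which is the support-call scenario John describes; the audit function is the check an operator could run against a host's configured resolvers to flag that inconsistency. The model also makes the other point in the thread visible in code: `AuthoritativeServer.answer` never sees the end host, so two hosts behind the same whitelisted resolver receive the same AAAA RR whether or not their IPv6 connectivity works.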
