ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: DNSEXT WGLC Summary: AXFR clarify

2002-11-17 10:59:30
from [D. J. Bernstein] [Permanent Link] 
Gudmundsson writes:

DNSEXT has completed it's review of this document and requests that
it be advanced to Proposed standard.


Excuse me? When did that happen? The document is highly controversial.
The conclusion of the July meeting was ``Not ready to go: axfr-clarify,
too bind specific.'' There were no subsequent public discussions.

In fact, it's even worse than that: this so-called ``clarification'' is
specific to _BIND 9_. It imposes requirements incompatible with BIND 8,
djbdns, and probably a bunch more widely deployed servers.

http://cr.yp.to/djbdns/axfr-clarify.html gives detailed explanations of
my ten objections to this document. To summarize:

   * ``Timeline'': This document obviously does not have consensus. This
     is the fourth time that Gudmundsson has tried to ram this document
     through the process by misrepresenting the WG discussions.

   * ``AXFR client security issues'': The document ignores an essential
     security requirement for AXFR clients. This is important background
     for the next two objections.

   * ``Parent-child discrepancies'': The document allows violation of
     one of the fundamental RFC 1034 database-consistency requirements.
     It forces perfectly legitimate, widely deployed, implementations to
     change their database structures to handle those violations in the
     same way that BIND 9 does.

   * ``What is allowed in a zone?'': In response to an interoperability
     problem added to the BIND 9 AXFR client, the document attempts to
     outlaw perfectly legitimate, widely deployed, AXFR server behavior.

   * ``Records outside the answer section'': The document outlaws some
     perfectly legitimate, widely deployed, AXFR parsing techniques.

   * ``Unauthorized clients'': The document outlaws the perfectly
     legitimate, widely deployed, behavior of dropping AXFR connections
     from attackers.

   * ``Clients checking RCODE'': The document outlaws some perfectly
     legitimate, widely deployed, AXFR parsing techniques.

   * ``Clients checking IDs'': The document discourages some perfectly
     legitimate, widely deployed, AXFR parsing techniques.

   * ``Servers repeating questions'': The document discourages some
     perfectly legitimate, widely deployed, AXFR response formats.

   * ``Servers repeating records'': The document discourages some
     perfectly legitimate, widely deployed, AXFR response formats.

My web page also mentions, for completeness, two problems that were
fixed in axfr-clarify-02.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • Re: DNSEXT WGLC Summary: AXFR clarify, D. J. Bernstein <=
Previous by Date:  Re: Spring 2003 IETF - Why San Francisco?, RJ Atkinson
Next by Date:  Re: Spring 2003 IETF - Why San Francisco?, Kevin C. Almeroth
Previous by Thread:  Spring 2003 IETF - Why San Francisco?, Ross Finlayson
Next by Thread:  text conferencing at the 55th IETF meeting in Atlanta, Marshall Rose
Indexes:  [Date] [Thread] [Top] [All Lists]