
Re: [v6ops] Review of draft-v6ops-v6-aaaa-whitelisting-implications-03

2011-05-17 17:29:20

In message
<alpine(_dot_)LSU(_dot_)2(_dot_)00(_dot_)1105170943460(_dot_)30098(_at_)hermes-2(_dot_)csi(_dot_)cam(_dot_)ac(_dot_)uk>,
Tony Finch writes:
Fred Baker <fred(_at_)cisco(_dot_)com> wrote:

In this case, the draft is talking about a particular variety of DNS
service. One might call it "DNS Whitelisting" when the context isn't
clear, but I think in this case the context is clearly not DKIM.

The problem is that the specific phrase "DNS whitelist" is already used in
the anti-spam world, so it would be helpful if IPv6 resolver whitelists
used a different descriptive phrase.

The anti-spam blacklist/whitelist terminology is often quite poor. I think
it is clearer to talk about what is listed (as in URIBL) rather than how
the list is published (DNSBL) since the latter doesn't immediately explain
how the list is supposed to be used. See for example the cautionary note
at http://www.spamhaus.org/dbl/

In the case at hand, the list does not contain AAAA RRs as the abstract
suggests, it contains IPv6-capable resolvers. The whitelist isn't
published in the DNS, so it doesn't match the existing use of the phrase
"DNS whitelist".

No.  It contains just resolvers.  All the resolvers in the world
should be capable of resolving AAAA records if they followed RFC
1034.  It was clear enough that unknown == opaque blob in terms of
actually resolving data.  What wasn't clear was how to load and
display the data in the opaque blobs but once the data was in the
system moving it around shouldn't have been a problem.

An IPv6 capable resolver uses IPv6 as a transport.  An IPv6 capable
resolver may do its own AAAA lookups.  An IPv6 capable nameserver
may *not* even be able to decode AAAA presentation format.  It may
just be being handed blobs of data.  AAAA doesn't require any special
handling in a nameserver.

So I suggest retitling the document "IPv6 DNS resolver whitelisting" and
revising the terminology throughout to match. e.g.

"DNS resolver whitelisting for AAAA resolution" describes what is being
talked about.
 
   This document describes the emerging practice of whitelisting of IPv6
   capable DNS resolvers, to determine which resolvers may be sent AAAA
   resource records. This technique is referred to as IPv6 whitelisting.
   The document explores what the implications of this emerging practice
   are and what alternatives may exist.

   The practice of IPv6 whitelisting appears to have first been used by
   major web content sites [...]

   As a result of this impairment affecting end users of a given domain,
   a few major domains have either implemented IPv6 whitelisting or are
   considering doing so [NW-Article-DNS-WL] [IPv6 Whitelist Operations].
   When implemented, IPv6 whitelisting in practice means that a domain's
   authoritative DNS will return a AAAA resource record to DNS recursive
   resolvers [RFC1035] on the whitelist, while returning no AAAA
   resource records to DNS resolvers which are not on the whitelist.  It
   is important to note that these major domains are motivated by a
   desire to maintain a high-quality user experience for all of their
   users.  By engaging in IPv6 whitelisting, they are attempting to
   shield users with impaired access from the symptoms of those
   impairments.

etc.

Tony.
-- 
f.anthony.n.finch  <dot(_at_)dotat(_dot_)at>  http://dotat.at/
Rockall, Malin, Hebrides: South 5 to 7, occasionally gale 8 at first in
Rockall and Malin, veering west or northwest 4 or 5, then backing southwest 5
or 6 later. Rough or very rough. Occasional rain. Moderate or good,
occasionally poor.
_______________________________________________
v6ops mailing list
v6ops(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/v6ops
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka(_at_)isc(_dot_)org
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
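
An added illustration, not part of either message or of the draft: a sketch of the authoritative-side decision described in the quoted draft text, showing that the list is keyed on the resolver's source address regardless of whether the query arrived over IPv4 or IPv6. The zone data, list entries and function names are constructed, and the NOERROR-with-empty-answer reply for unlisted resolvers is an assumption about how "returning no AAAA resource records" is realised.

```python
import ipaddress

# Constructed zone data (documentation addresses only).
ZONE = {
    "www.example.com.": {
        "A": ["192.0.2.10"],
        "AAAA": ["2001:db8::10"],
    },
}

# Constructed resolver list. Entries identify resolvers by source address;
# a resolver that queries over IPv4 can still be listed for AAAA answers.
RESOLVER_LIST = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:53::/48"),
]


def resolver_listed(source_ip, networks=RESOLVER_LIST):
    """True if the querying resolver's source address is on the list."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr.version == net.version and addr in net for net in networks)


def answer(source_ip, qname, qtype, zone=ZONE):
    """Return (rcode, rdata_list) for one query, as seen by the resolver."""
    rrsets = zone.get(qname.lower())
    if rrsets is None:
        # The name does not exist at all: same reply for every resolver.
        return ("NXDOMAIN", [])
    if qtype == "AAAA" and not resolver_listed(source_ip):
        # The name exists, so the reply is NOERROR with an empty answer
        # section (assumed behaviour), never NXDOMAIN.
        return ("NOERROR", [])
    # A queries, and AAAA queries from listed resolvers, get the real data.
    return ("NOERROR", list(rrsets.get(qtype, [])))
```
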
