Thank you for your thorough review, Dave. Changes will be made in an upcoming
–04 revision. Some more specific comments can be found inline below.
Thanks!
JL
PS – I have at least one other email from you in my queue for this I-D – I've
not forgotten about it. :-)
On 4/29/11 7:32 PM, "Dave CROCKER"
<dhc(_at_)dcrocker(_dot_)net<mailto:dhc(_at_)dcrocker(_dot_)net>> wrote:
Review:
Title: IPv6 AAAA DNS Whitelisting Implications
I-D: draft-ietf-v6ops-v6-aaaa-whitelisting-implications-03
By: D. Crocker
<dcrocker(_at_)bbiw(_dot_)net<mailto:dcrocker(_at_)bbiw(_dot_)net>>
Date: 29 April 2011
Summary:
This draft is a discussion of a technique for resolving a dual-stack problem
between IPv4 and IPv6, through the use of special DNS records.
The document appears to continue a recent use of the term 'whitelisting' that
strongly conflicts with long-standing use of the term by the anti-abuse
community.
The document needs to do a more careful job of introducing the problem it is
solving and the explaining the way the 'whitelisting' mechanism works.
I also very strongly encourage finding a different term.
[JL] There's been a great deal of discussion on the mailing list about this.
While it appears the consensus is to leave it as-is, your point is well noted
and I have listed this in the Open Items list of the –04 draft and will be
consulting with the WG chairs for direction on the matter.
d/
Abstract
The objective of this document is to describe what the whitelisting
of DNS AAAA resource records is, hereafter referred to as DNS
RRs are whitelisted? Isn't it the addresses and not the records that are
whitelisted?
Does this mean putting whitelisting records into the DNS or does it mean
something else?
[JL] You are quite correct. Another reviewer also noted my error in this
sentence and it is corrected in the –04 version.
Comcast's own considerable expertise notwithstanding, has this doc been vetted
with a range of organizations that actually DO whitelisting?
[JL] Folks from organizations that perform or are considering IPv6 DNS
whitelisting have provided feedback on the draft, which has been incorporated
into previous versions. Additional feedback has been shared which will be in
the –04 revision.
Has it been
circulated through MAAWG and APWG? Any comments from Spamhaus? The
Acknowledgements list does not seem to indicate a range of whitelist ops folks
whose names I know. (But then, I only know a few...)
[JL] It has not specifically been sent to groups like MAAWG, as I think this
form of DNS server-related whitelisting is different from mail server
whitelisting. I can certainly do so, but I'm not sure those groups will be
interested as it is not particularly anti-abuse related.
whitelisting, as well as the implications of this emerging practice
and what alternatives may exist. The audience for this document is
the Internet community generally, including the IETF and IPv6
implementers.
I suspect that product marketers won't have much interest in this. I suspect
that the target for this is anti-abuse technical and operations staff.
[JL] You are doing a good job illustrating the confusion over the use of the
term 'whitelisting'. ;-) The target is actually not A/A tech and ops personnel,
since the draft is specifically related to the IPv6 transition and not A/A or
even messaging.
<snip>
1. Introduction
This document describes the emerging practice of whitelisting of DNS
AAAA resource records (RRs), which contain IPv6 addresses, hereafter
referred to as DNS whitelisting. The document explores the
implications of this emerging practice are and what alternatives may
exist.
The practice of DNS whitelisting appears to have first been used by
major web content sites (sometimes described herein as "highly-
Really? Not for email first?
[JL] You now get a +2 for further illustrating the potential for confusion over
the terms. ;-) But I'm referring specifically to this (which is how the updated
–04 text reads):
"whitelisting of DNS recursive resolvers in order to limit AAAA resource
records responses"
trafficked domains" or "major domains"). These web site operators,
or domain operators, observed that when they added AAAA resource
records to their authoritative DNS servers in order to support IPv6
Oh. You mean /IPv6/ whitelisting.
access to their content that a small fraction of end users had slow
or otherwise impaired access to a given web site with both AAAA and A
resource records. The fraction of users with such impaired access
has been estimated to be roughly 0.078% of total Internet users
[IETF-77-DNSOP] [NW-Article-DNSOP] [Evaluating IPv6 Adoption] [IPv6
Brokenness]. Thus, in an example Internet Service Provider (ISP)
network of 10 million users, approximately 7,800 of those users may
experience such impaired access.
At a minimum, these sorts of statistics need to be normalized across IPv6
users/traffic, given how small a percentage that is in total users and total
traffice. If that's what is meant it should be stated. If it isn't, the
statistic should be recalculated.
[JL] Not sure what you mean… I'm simply citing a statistic shared by a major
website, which appears to be based on a very large set of users from around the
world (from many networks). I agree it is a small percentage (and it appears to
be shrinking — to be confirmed on World IPv6 Day). One of the reactions to the
practice is often that it is a lot to go through for such a small percentage of
users. Of course, it is now also apparent that the –03 did not adequately
summarize all of the motivations for the practice and so the –04 update will
list some additional ones relating to the desire to incrementally add IPv6
traffic, gradually mature IPv6 routes and operational procedures, etc. So it is
my hope that a fuller picture of the motivations will emerge in the –04 update.
As a result of this impairment affecting end users of a given domain,
a few major domains have either implemented DNS whitelisting or are
considering doing so [NW-Article-DNS-WL] [IPv6 Whitelist Operations].
How or why does whitelisting affect slow performance for these folk?
[JL] If an end user has an IPv6-related impairment, they may only have an IPv4
address but the mere fact of seeing a AAAA RR response will cause them to have
no access or very slow access (waiting through various client timeouts, which
most users will not do) to the FQDN that had a AAAA RR. So in such cases,
whitelisting is used so that these impaired users never see the AAAA RR in the
response.
When implemented, DNS whitelisting in practice means that a domain's
authoritative DNS will return a AAAA resource record to DNS recursive
resolvers [RFC1035] on the whitelist, while returning no AAAA
resource records to DNS resolvers which are not on the whitelist. It
Oh. The whitelisting is for resolving a conflict between AAAA and A record
choices?
Normally, the term 'whitelisting' is used to refer to bypass anti-abuse
mechanisms. This appears to be for something else and it seems odd to call it
whitelisting.
[JL] You are now up to a +3 on illustrating this point. ;-) I'm going to stop
counting now, because you are getting too good it it. In all seriousness, I
have recorded this as one of the main open issues to be sorted out on the draft
with the WG chairs. (And as you know I'm quite familiar with it's usage in the
email area.) :-)
Note the more typical use of the term:
<http://www.dnswl.org/>
<http://en.wikipedia.org/wiki/DNSBL>
<http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=/com.ibm.help.domino.admin.doc/DOC/H_USING_DNS_whitelists_OVER.html>
It appears that some v6 folks have chosen to co-opt a distinctive and very well
established anti-abuse term for an entirely different purpose.
[JL] BTW, don't shoot the messenger! ;-) I'm just documenting what's the
current term being used.
is important to note that these major domains are motivated by a
desire to maintain a high-quality user experience for all of their
users. By engaging in DNS whitelisting, they are attempting to
shield users with impaired access from the symptoms of those
impairments.
Critics of the practice of DNS whitelisting have articulated several
concerns. Among these are that:
o DNS whitelisting is a very different behavior from the current
practice concerning the publishing of IPv4 address resource
records,
o that it may create a two-tiered Internet,
o that policies concerning whitelisting and de-whitelisting are
opaque,
Livingood Expires August 26, 2011 [Page 5]
Internet-Draft IPv6 AAAA DNS Whitelisting Implications February 2011
o that DNS whitelisting reduces interest in the deployment of IPv6,
Well, it certainly suggests that there is a problem handling v4/v6 in dual stack
environments cleanly. And it certainly seems that dealing with the underlying
problem would be better.
Beyond that, this appears to be a hack that is useful but not scalable.
[JL] I believe even the implementers agree with you there. I think it was Vint
to may have called this useful "temporary scaffolding" but conceded that it
really doesn't scale over the long-term.
o that new operational and management burdens are created,
well, yeah...
o and that the costs and negative implications of DNS whitelisting
outweigh the perceived benefits, compared to fixing underlying
impairments.
This document explores the reasons and motivations for DNS
whitelisting. It also explores the outlined concerns regarding this
practice. Readers will hopefully better understand what DNS
whitelisting is, why some parties are implementing it, and what
criticisms of the practice exist.
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf