
Re: Deployment of standards compliant nameservers

2013-05-23 05:37:55


--On Thursday, May 23, 2013 12:49 +1000 Mark Andrews
<marka(_at_)isc(_dot_)org> wrote:

Asking people to run a nameserver which "responds" to queries
isn't unreasonable by any stretch of the imagination
regardless of their economic circumstances.  The nameservers
that people used in the 1980's did this correctly.  The
default nameservers on general purpose OS as shipped for the
last 2 decades have done this correctly.
...
Requiring vendors to supply fixes to code that was never "fit
for purpose" regardless of its age is also reasonable.

Mark,

Once more and then I'm dropping out of this discussion.  You may
think "requiring... is reasonable".  I might even agree with you
and note that such a requirement, if applied to software across
the board and especially if "promptly" were inserted somewhere
in the sentence, would cure many of the world's ills, not just
this problem with the DNS.   As examples that cause even more
visible damage than DNS non-responses, I'd be delighted if every
system and web site that rejects email local-parts with "+" in
them as invalid were "required" to fix those bugs or if every
spammer were "required" to stop doing anything that violates the
letter or spirit of applicable protocols or laws.

Where I have a problem is with "required", especially having the
IETF require it.  If you like, write up a draft for a BCP that
would specify eternal damnation to any vendor who gets this
wrong and doesn't release a patch within three months.  I
suspect that most of the objections to approval of such a
document would be about how it would make us look silly, not
about whether the vendors deserve it.   The difficulties are
that we have no enforcement power at all and that the very
nature of an open Internet and voluntary standards implies that
people can ignore the latter.    

I wish every vendor were better behaved but the only steps I can
see that would actually make progress on the problem you are
trying to solve are:

* Removing obstacles to requirements and enforcement where the
latter is really possible.  If there is an ICANN barrier to TLDs
requiring working nameservers for names that are delegated,
interpreting "working" as conforming, and enforcing that
requirement, removing it would probably be a good idea, as would
an SSAC statement encouraging the practice in the name of a
stable and secure Internet.  (As you probably know, there was a
time when the "show that you have working nameservers first"
rule that Måns mentioned for .SE was pretty much the norm for
TLDs.)  But that isn't an IETF problem and this isn't the right
place to discuss it unless you think our approving a document
that says "1035 says don't do this, you really, _really_
shouldn't do this" would accomplish anything other than raising
the stress level between ICANN and the IETF.

* Educational methods to raise vendor awareness of the problem
and that point out that it shouldn't be hard to fix.  If you
think flaming a few of them by name or other methods of
education would be appropriate, go to it.  As others have sort
of suggested, a few "these packages are broken and their vendors
are clueless and unresponsive" web pages might be interesting --
just see how well ones with similar intent have worked in
stopping spam. Just don't bother doing it here: I have not seen a
single posting that disagrees with you about how the DNS is
supposed to work.   Few, if any, of the offending vendors are
reading this list and those that are and haven't already rushed
out to fix their products presumably don't care.

* In principle, if any ICANN barriers to voluntary TLD
enforcement were removed, large-deployment DNS software vendors
could follow the model that some web browser applications used
with IDNA: figure out what policies are appropriate for a good
user or operations experience and then arrange to deliver a
really bad experience to those who don't voluntarily comply. 

* Governments do have the ability to make rules and enforce
them.  I personally believe that legislating conformance to a
government's understanding of Internet protocols would work out
badly but, if you disagree, try it locally and let us know how
it works out.  I look forward to reading that Australia has
incarcerated (or, better yet, flogged) a vendor of DNS software
that doesn't conform to your norms or someone who was
irresponsible enough to run such software.

But, otherwise, hyperbole about "require" is just that:
hyperbole.

   best,
    john



What is don't see is