
To: Randy Bush <randy@psg.com>
Cc: Rob Austein <sra@hactrn.net>, dnsop@cafax.se
From: Johan Ihren <johani@autonomica.se>
Date: 28 Feb 2002 11:13:30 +0100
In-Reply-To: <E16gJAz-000G7v-00@rip.psg.com>
Sender: owner-dnsop@cafax.se
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.3
Subject: Re: Minneapolis - agenda items please.

Randy Bush <randy@psg.com> writes:

Hi Randy,

> [ again, sorry for the metaphoric 'you' ]

Don't worry. You have a strong opinion here. My position is to a large
extent to be "opposite Randy", so I accept the consequence of being at
the center of your cross-hairs ;-)

> > I don't care whether we're on the same planet. I only care whether we
> > both claim to be on *the* Internet, and the criteria for that should
> > be that we share the namespace. All of it.
> 
> when one of us *chooses* to be behind a partition, they are knowingly
> not on the Internet.  many consequences flow from that.

Yes, this is clear. The question is whether the Internet benefits from
you not sharing your view.

> > As the v4/v6 transport discussions show, the namespace is really what
> > matters to define the Internet. Not shared transport. And therefore
> > (almost *by definition*) not identical reachability.
> 
> yup.  and when one of us leaves the Internet, the namespace will most
> probably be different.

I agree it will (obviously this is common today), but I argue it
should not unless you can prove to me that this is a *benefit* to the
Internet.

> i suspect this is the core of our difference.

No, it is not. The core is whether this is a DNS problem or an
application problem. Unreachability is a fact. Changing the namespace
is a *choice*.

> i see it as our responsibility to see that v4 and v6 transports are just
> different transports on the same internet.

They simply cannot be. Not with your definition of "same Internet". I
define "same Internet" as "same namespace" (and that will work
here). You define it (as I understand) as "1-1 reachability for any
given pair of nodes". And while I (very strongly) sympathize with your
definition, it simply will not work for the v4/v6 transport case.

Of course there will be nodes in the mesh that are unreachable to
other nodes, since they share no transport. And I argue that they
should still be allowed in the DNS, since although unreachable, they
are also unambiguous, which should be the determining criterion.

> i see it as 'your' responsibility to live with the altered physics when
> you, irregardless of transport, *leave* the internet by moving behind
> a firm boundary.

I have no problem with that responsibility. When I go behind your
firewall my Kerberos authentication fails, since you block port 88. An
application problem. That's fine. I would however be most disturbed if
I couldn't even look up my Kerberos server, or worst of all, your
warped namespace directed me in a new and unwanted direction. Ick!

> > I agree to consenting adult part, but I do not agree that split-DNS
> > everywhere, as an attempt at painting over the semi-reachability
> > problem, minimizes entropy.
> 
> maybe not in the short term.  but in the long term, once you go down the
> path of accepting chaos, it only gets worse.  heat death of internet
> predicted. news at eleven. :-)
> 
> > * DNS is about the namespace and its coherency.
> > * The transport layer is about reachability.
> > * The application layer is about coping with lack of reachability.
> 
> [ i don't think i buy this last splat ]

I'm not claiming that the apps layer is *only* about lack of
reachability, of course. My claim is that in the context of
reachability, namespace shielding and such that we're discussing, the
apps layer *must* be able to cope with unreachability, since you
*cannot* shield it entirely.

The way DNS helps out is through *redundancy*, not by erasing what is
not right now reachable from exactly wherever. Going in that
direction lies near-realtime dynamic update of apps services in DNS.

And madness.

> > By trying to solve this in DNS, couldn't it be that you're working in
> > the wrong layer?
> 
> no.  i think where we differ is that i really think that when you go
> behind a firewall, or something else that changes visibility, you have
> left the internet.  if you then want to communicate to the internet,
> it is your responsibility to compensate for all the weirdnesses which
> you have chosen to impose.  it should not become everyone else's
> problem.
> 
> i am not trying to solve anything in the dns.  i am asking you not to
> leak your problem *into* the dns.

Wrong. The DNS has no problem coping with unreachable nodes in general
(let's exclude nameservers for the moment). It is the applications
that have problems. And when you, unsuccessfully, try to patch that
application problem by recommending that the Internet namespace should
be chomped up into lots of almost but not entirely equivalent views
you are, indeed, pushing an application problem into the DNS.

And, as I've said before: perhaps you should, but then you should do
it with open eyes. 

What do you say about the following statement? Can you agree to this:

        "It is split-DNS that fragments the DNS, not the
        semi-reachable stuff by itself"

If you can, then I think we're within reach of closure on this topic...

> [ btw, i think this is a useful argument to have.  thanks ]

Absolutely. Like an appetizer to the upcoming foodfight ;-)

Johan