To: Randy Bush <randy@psg.com>
Cc: Rob Austein <sra@hactrn.net>, dnsop@cafax.se
From: Johan Ihren <johani@autonomica.se>
Date: 28 Feb 2002 11:13:30 +0100
In-Reply-To: <E16gJAz-000G7v-00@rip.psg.com>
Sender: owner-dnsop@cafax.se
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.3
Subject: Re: Minneapolis - agenda items please.
Randy Bush <randy@psg.com> writes:

Hi Randy,

> [ again, sorry for the metaphoric 'you' ]

Don't worry. You have a strong opinion here. My position is to a large extent to be "opposite Randy", so I accept the consequence of being at the center of your cross-hairs ;-)

> > I don't care whether we're on the same planet. I only care whether we
> > both claim to be on *the* Internet, and the criterion for that should
> > be that we share the namespace. All of it.
>
> when one of us *chooses* to be behind a partition, they are knowingly
> not on the Internet. many consequences flow from that.

Yes, this is clear. The question is whether the Internet benefits from you not sharing your view.

> > As the v4/v6 transport discussions show, the namespace is really what
> > matters to define the Internet. Not shared transport. And therefore
> > (almost *by definition*) not identical reachability.
>
> yup. and when one of us leaves the Internet, the namespace will most
> probably be different.

I agree it will (obviously this is common today), but I argue it should not unless you can prove to me that this is a *benefit* to the Internet.

> i suspect this is the core of our difference.

No, it is not. The core is whether this is a DNS problem or an application problem. Unreachability is a fact. Changing the namespace is a *choice*.

> i see it as our responsibility to see that v4 and v6 transports are just
> different transports on the same internet.

They simply cannot be. Not with your definition of "same Internet". I define "same Internet" as "same namespace" (and that will work here). You define it (as I understand) as "1-1 reachability for any given pair of nodes". And while I (very strongly) sympathize with your definition, it simply will not work for the v4/v6 transport case. Of course there will be nodes in the mesh that are unreachable to other nodes, since they share no transport. And I argue that they should still be allowed in the DNS, since although unreachable, they are also unambiguous, which should be the determining criterion.

> i see it as 'your' responsibility to live with the altered physics when
> you, irregardless of transport, *leave* the internet by moving behind
> a firm boundary.

I have no problem with that responsibility. When I go behind your firewall my Kerberos authentication fails, since you block port 88. An application problem. That's fine. I would however be most disturbed if I couldn't even look up my Kerberos server, or worst of all, your warped namespace directed me in a new and unwanted direction. Ick!

> > I agree to the consenting adult part, but I do not agree that split-DNS
> > everywhere, as an attempt at painting over the semi-reachability
> > problem, minimizes entropy.
>
> maybe not in the short term. but in the long term, once you go down the
> path of accepting chaos, it only gets worse. heat death of internet
> predicted. news at eleven. :-)
>
> > * DNS is about the namespace and its coherency.
> > * The transport layer is about reachability.
> > * The application layer is about coping with lack of reachability.
>
> [ i don't think i buy this last splat ]

I'm not claiming that the apps layer is *only* about lack of reachability, of course. My claim is that in the context of reachability, namespace shielding and such that we're discussing, the apps layer *must* be able to cope with unreachability, since you *cannot* shield it entirely. The way DNS helps out is through *redundancy*, not by erasing what is not right now reachable from exactly wherever. Going in that direction lies near-realtime dynamic update of apps services in DNS. And madness.

> > By trying to solve this in DNS, couldn't it be that you're working in
> > the wrong layer?
>
> no. i think where we differ is that i really think that when you go
> behind a firewall, or something else that changes visibility, you have
> left the internet. if you then want to communicate to the internet,
> it is your responsibility to compensate for all the weirdnesses which
> you have chosen to impose. it should not become everyone else's
> problem.
>
> i am not trying to solve anything in the dns. i am asking you not to
> leak your problem *into* the dns.

Wrong. The DNS has no problem coping with unreachable nodes in general (let's exclude nameservers for the moment). It is the applications that have problems. And when you, unsuccessfully, try to patch that application problem by recommending that the Internet namespace should be chomped up into lots of almost but not entirely equivalent views you are, indeed, pushing an application problem into the DNS. And, as I've said before: perhaps you should, but then you should do it with open eyes.

What do you say about the following statement? Can you agree to this:

"It is split-DNS that fragments the DNS, not the semi-reachable stuff by itself"

If you can, then I think we're within reach of closure on this topic...

> [ btw, i think this is a useful argument to have. thanks ]

Absolutely. Like an appetizer to the upcoming foodfight ;-)

Johan
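The distinction the message draws between an address that is merely unreachable from here (a transport fact) and a namespace that answers differently depending on where you ask (a split-DNS choice), as an added example that is not part of this email or the dnsop thread: the resolver answers, the name `kdc.example.net`, the addresses and the `transport_ok` callback are all constructed stand-ins, so the check runs offline.

```python
"""Coherent namespace vs. split-DNS fragmentation, on constructed data.

fragmented_names() is the defender's check: it flags names whose RRset
differs between vantage points.  connect_first_reachable() is the
application-layer coping the message argues for: keep the full RRset in
the DNS and let the client skip addresses it has no transport to.
"""

# Constructed: answers each vantage point's resolver gives for a name.
# In the coherent case both vantages see the same RRset, even though the
# v6 address is unusable from a v4-only network.  In the split case the
# inside resolver has rewritten the answer.
COHERENT_VIEWS = {
    "inside":  {"kdc.example.net": ["2001:db8::88", "192.0.2.88"]},
    "outside": {"kdc.example.net": ["2001:db8::88", "192.0.2.88"]},
}
SPLIT_VIEWS = {
    "inside":  {"kdc.example.net": ["10.0.0.88"]},
    "outside": {"kdc.example.net": ["192.0.2.88"]},
}


def fragmented_names(views):
    """Return names whose RRset is not identical across all vantages.

    Only RRset *content* is compared; reachability is deliberately
    ignored, so an unreachable-but-unambiguous answer counts as coherent.
    """
    names = set().union(*(v.keys() for v in views.values()))
    fragmented = []
    for name in sorted(names):
        rrsets = {frozenset(v.get(name, [])) for v in views.values()}
        if len(rrsets) > 1:
            fragmented.append(name)
    return fragmented


def connect_first_reachable(addrs, transport_ok):
    """Walk the full RRset and use the first address this host can reach.

    transport_ok is a constructed stand-in for a real connect attempt;
    the DNS answer is left intact and the application does the coping.
    """
    for addr in addrs:
        if transport_ok(addr):
            return addr
    return None


def v4_only(addr):
    """Constructed vantage: no IPv6 transport available here."""
    return ":" not in addr
```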