Paul Wouters has entered the following ballot position for draft-ietf-dnsop-3901bis-10: Discuss
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-3901bis/

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

I have balloted DISCUSS to have a discussion, but I expect to update my ballot to ABSTAIN.

I find this document fails to cater to a proper audience. It is giving some very basic advice (like have v4+v6 and have A+AAAA) but then throws in a whole bunch of complexity where this theoretically could be handled if not done. It is both trying to say "don't think you are smart enough to make things complicated" while also offering some leads on how to make things complicated. It is too complicated for non-experts and not advanced enough to offer BCP material for DNS experts.

I feel this document also mixes up the transport of DNS packets and their v4/v6 families with the query type family (A/AAAA). E.g. even if it has no v6 connectivity, it can still resolve AAAA records for IPv4 clients that are dual stack if there are v4 DNS servers in the authoritative NS set.

I strongly agree with all raised points of Geoff Huston's DNSDIR review which are still not addressed:
https://datatracker.ietf.org/doc/review-ietf-dnsop-3901bis-10-dnsdir-telechat-huston-2026-01-08/

> Every recursive DNS resolver SHOULD be dual-stack.

On the public internet, I believe this warrants a MUST. Just like you MUST have both A and AAAA records in the NS RRset.
> Hence, a recursive DNS resolver MAY be IPv6-only, if it uses a transition mechanism that allows it to also query IPv4-only authoritative DNS servers, or uses a configuration where it forwards queries failing IPv6-only DNS resolution to a recursive DNS resolver that is able to perform DNS resolution over IPv4.

This MAY sounds like a "theoretically, possibly, depending on the phase of the moon, could be IPv6-only, but it is extremely complicated to get this done right so you really SHOULD NOT do this".

> Similarly, a recursive DNS resolver MAY be IPv4-only, if it uses a configuration where such resolvers forward queries failing IPv4-only DNS resolution to a recursive DNS resolver that is able to perform DNS resolution over IPv6.

This goes against the earlier "Every recursive DNS resolver SHOULD be dual-stack." precisely because of the huge complexity of getting things working properly.

> Furthermore, a stub DNS resolver has to rely on recursive DNS servers discovered for the local network,

We had a whole working group (ADD WG) on using non-local recursive DNS servers, and we have applications doing DoT/DoH to remote DNS servers (e.g. Firefox), so I find this statement questionable.

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
