Re: AXFR "clarify"
On Thu, 17 Jan 2008, Edward Lewis wrote:
> Here's a work topic I'd like to get moving, something that got
> stalled almost 5 years ago.
I agree that AXFR clarification is an important subject.
The old draft indeed gives clues as to the ambiguities, but its contents
are completely bogus. The AXFR protocol should be clarified as widely
implemented, not as it was altered by the Bind companies in 2000-2002.
> With the permission of the chair and working group, I'd like to take a
> stab at rewriting the draft, in the spirit of the wildcard "clarify"
> document.
Short version:
No offense to Ed, but I'd be gravely concerned about having anyone from
UltraDNS/Neustar, ISC or Nominum involved in producing this document.
New author, please.
Long version:
There were many improprieties involving this document and the so-called
"Bind companies" (ISC, UltraDNS, Nominum) and Randy Bush, et al.
Neustar/UltraDNS was one of the so-called "bind companies" involving
Paul Vixie's and Rodney Joffe's joint combined business interests. [I
only recently learned that Vixie and Joffe were partners in a commercial
bulk email operation since about (at least) 1999. At this time, Vixie
was also running the MAPS blacklist blocking commercial bulk emailers
competing with Whitehat. While Vixie originally told the community that
MAPS was non-profit, this charade was abandoned in 2002 when MAPS
announced it was "for-profit".]
Indeed, I frequently cite the AXFR-clarify events of 2002 as an example
of an improper effort by ISC to influence the community with improper
activities. And just recently (this July, 2007) Paul Vixie said he
opposed the document in 2002:
http://lists.arin.net/pipermail/ppml/2007-July/007985.html
"it wasn't my clarification. i never supported the draft since RFC
1034 was quite clear on the matter as far as i was concerned. which
is, i think, what IESG ruled during last call. if some other RFC has
amended 1034 to cause BIND's behaviour to be noncompliant, please
point it out. i can't and won't try to imagine what scheme you
thought this was part of, or what success or failure of that scheme
would have meant to you."
I've been meaning to put up a web page on the events of AXFR clarify. To
briefly recount the events for those newcomers:
In about 2000, a draft was submitted to the DNSEXT WG. The working group
was assured that there is no wire change in the document. The WG was
assured that this is just clarifying something that was vague in the
AXFR protocol. These assurances turned out to be false.
There were lots of process shenanigans to rush the document without a
proper review, including a new "SHORT last call", in 2001.
This document has a lot of Bernstein's substantial objections:
http://ops.ietf.org/lists/namedroppers/namedroppers.2001/msg00549.html
It shows that there is a wire change to the protocol, and gives a
timeline of events to that point.
Then, in 2002, messages from Dr. Dan Bernstein mysteriously began
failing to get to the list. Randy Bush, then WG Chair, repeatedly
published Dr. Bernstein's unsubscription address to the mailing list, and
used an old version of majordomo that was susceptible to forged
unsubscriptions. Email messages from Bernstein to the list were
improperly delayed or even deleted as a "non-subscriber":
http://ops.ietf.org/lists/namedroppers/namedroppers.2002/msg01977.html
"P.S. Out of my twelve messages, the five that were silently discarded
are exactly the five that I would pick if I were a censor trying to
bias the DNSEXT decisions in favor of the BIND company. Coincidence,
right?
"P.P.S. Bush's mailing-list software doesn't cryptographically confirm
unsubscription requests. I kept my subscription address private until
Bush revealed it a few days ago. I'm working on obtaining a
subscription through an address that Bush doesn't know is connected to
me.
[John Levine, a participant in DNSEXT at that time, recently told people
that unconfirmed unsubscriptions have never been a problem. Levine
is/was also a Board Member of (investor in?) Joffe and Vixie's
Whitehat.com commercial bulk email operation. Levine is also chair of
the Anti Spam Research Group (ASRG). More on Levine at
http://www.av8.net/IETF-watch/People/JohnLevine/index.html]
Numerous other bad things followed, including a challenged consensus
call approving the document. (Look for subjects with "fraudulent
consensus call" subjects in Namedroppers archives around 2003)
The scheme worked as follows:
1. Bind 9 has code to check for the "old" AXFR scheme, but recognizes
other "clarified" servers. When transferring to Bind 9 (and "clarify"
servers), it uses a different AXFR protocol, the one documented in AXFR
clarify. There is switch code in Bind to detect when to do this.
[Presumably, there is/was similar code on Nominum and UltraDNS servers,
but I don't have access to their source code.]
2. So next, someone (Nominum) proposes a clarification to the AXFR
protocol definition, and misleads the WG to think that it has no effect
on the wire protocol, and no effect on other implementations. Anyone
who checks Bind _operation_ (as NANOG did at the time), notices no
problem with AXFR interoperation.
3. Those who know what is coming next (the so-called "bind companies":
ISC, Nominum, UltraDNS) can each change their code to check for
"clarify"/"no clarify".
4. After the IESG approves the new clarified standard, the Bind
companies can then remove the code to check for the old AXFR protocol. Once
that is done, AXFR breaks with other vendors' DNS servers. Anyone who
checks the documents says Bind complies with the clarification, and
other servers don't comply with the standard. Too bad for them.
5. The bind companies can now say those other vendors just weren't
reading the standards properly and weren't compatible with the AXFR
protocol. Which is technically true, but not quite honest.
6. And the so-called "bind companies" clean up the DNS nameservice
market.
The scheme was interrupted at step 4 by Dr. Bernstein and, to a small
extent, myself. Retaliation followed on me, too.
Proof of the scheme can be found in the changes to Bind 9 code. If there
was no wire change necessary, then Bind 9 would not require a change.
Conversely, changing Bind 9 proves that ISC, etc. knew of the wire change
and deceived the WG.
At one point, Mark Andrews of ISC asserted that AXFR needed to be
changed for IXFR. However, this claim doesn't stand examination: No such
change is necessary for IXFR, and a modified AXFR wire protocol then
wouldn't be compliant with existing implementations of AXFR. If truly
necessary, a standards action would be needed to change the AXFR
protocol for IXFR, with all the incumbent difficulties and transition,
etc. Mark Andrews' claim also contradicts the assurance that no wire
change was present in the AXFR clarify draft. If no wire protocol change
is present in the document, it can't be the necessary justification.
So, I think we need to review this document with great care, and select
the authors very carefully.
--Dean
--
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000