<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Nov 30, 2023, at 11:59 AM, Matt Larson <<a href="mailto:matt.larson@icann.org" class="">matt.larson@icann.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" class="">
<div style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
<br class="">
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On Nov 29, 2023, at 1:54 PM, Casey Deccio <<a href="mailto:casey@deccio.net" class="">casey@deccio.net</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class=""><span style="caret-color: rgb(0, 0, 0); font-family: HelveticaNeue; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">This
is why I was suggesting a few calls ago that if the user experience is the same for (2) and (3), why don't we just skip to (3), so we also get better data?</span></div>
</blockquote>
</div>
<br class="">
<div class="">(i.e., skipping controlled interruption and going directly to reject all)</div>
<div class=""><br class="">
</div>
<div class="">The user experience between (2) and (3) might be the same (or essentially the same), but to channel Jeff Schmidt, </div></div></div></blockquote><div><br class=""></div><div>Well-channeled! :)</div><br class=""><blockquote type="cite" class=""><div class=""><div style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class="">there is notification value in the returned value of 127.0.53.53 for those administrators who investigate a failure, see that IP address,
and do a Google search.</div></div></div></blockquote><div><br class=""></div><div>Yes! Although, I have several thoughts on this.</div><div><br class=""></div><div>(Please accept my apologies. I'm going to shamelessly include quotes from previous messages sent to the mailing list...)</div><div><br class=""></div><div>1. The Brand of 127.0.53.53</div><div><br class=""></div><div>"... 127.0.53.53 is a thing. But it is a thing for the very small population of Internet users that were affected by name collisions during the past eight or so years. By referring to the population as "small", I'm not saying that those effects are insignificant (particularly to those that experienced them) or that we needn't care about those or any future collisions. But this simply is not a universal thing; only those that were 1) somehow associated with it or 2) affected by it, have had any need to know anything about 127.0.53.53. Why would anyone else need to know or care?" [1]</div><div><br class=""></div><div><div class="">"... while 127.0.53.53 does now has a decade of experience, what does that really mean?</div><div class=""><br class=""></div></div><div>"... Does [this] mean that a new signaling method would now be confusing or that someone might rule out name collisions if they see an address other than 127.0.53.53? Let me suggest that an individual or org that has experienced name collisions (and fixed the problem) will likely not experience it again (though possible). And for a first-timer, does it really matter what the signal used to be?" [2]</div><br class=""><br class=""><div>2. Search Methodology</div><div><div class=""><br class=""></div><div class="">"... I don't doubt that searching the Web for an IP address is a thing. But one of the challenges of the controlled interruption IP address -- and in fact the very reason that they *had* to search the Web -- was because they couldn't use any of the other, more common tools that have been available *much longer* than controlled interruption -- like Whois and reverse DNS (in-addr.arpa and ip6.arpa). As a network operator, vulnerable Jedi sysadmin, and network researcher, Whois and reverse DNS (e.g., "dig -x") have always been my go-to tools, way before a Web search." [1]</div><div class=""><br class=""></div><div class="">"... While 127.0.53.53 has s decade of experience, sysadmins have been using other tools a lot longer and in other situations, including reverse DNS. nslookup (or dig -x) can easily be used to issue a reverse lookup on an IP address--something that could not be done with 127.0.53.53." [2]</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">3. Analysis of Usage of 127.0.53.53</div><div class=""><br class=""></div><div class="">"There is clear evidence that "127.0.53.53" is being found. In addition to the NCAP Study 1 and the JAS "Phase 2 report", the root cause analysis report also discusses this in sections 4.4 (Root Cause Identification of Name Collisions Reports) and 5 (Web Search Results Analysis). However, these data points are biased because they don't tell us anything about those that experienced collisions and did *not* observe 127.0.53.53. That was the point of the survey. Nonetheless, I do not believe that either of these results can or should be looked at in isolation. There are a lot of Web results, but they are biased. The survey results are not biased (at least not in the same way) - but they are fewer. Both data sets need to be considered!" [3]</div><div class=""><br class=""></div><div class="">"It appears that most of the ineffectiveness [in root cause identification] was due to the controlled interruption IP address not even being observed, which occurred in 71% of cases, according to the survey. However, when the controlled interruption IP address was observed, the success rate in identifying ICANN and controlled interruption as the cause was between 50% and 76%, according to the survey results and the Web search results analysis, respectively." [4]</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">4. Proposals for Whois and Reverse DNS</div><div class=""><br class=""></div><div class="">In connection with the suggestion above that reverse DNS could work, here is a proposal for how the reject-all DNS would work:</div><div class=""><br class=""></div><div class="">Zone for the TLS suffix example:</div><div class=""><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">------------</span></div><div class="">*.example. IN A 192.0.2.1</div><div class=""><br class=""></div><div class="">Zone for 2.0.192.in-addr.arpa:</div><div class=""><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">------------</span></div><div class="">1.2.0.192.in-addr.arpa. IN PTR <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class=""><a href="http://there-is-a-problem-with-your-dns.please-visit.name-collisions.icann.org" class="">there-is-a-problem-with-your-dns.please-visit.name-collisions.icann.org</a>.</span></div><div class=""><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class=""><br class=""></span></div><div class=""><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">Zone for <a href="http://icann.org" class="">icann.org</a>:</span></div><div class=""><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">------------</span></div><div class=""><font color="#000000" class=""><span style="caret-color: rgb(0, 0, 0);" class=""><a href="http://there-is-a-problem-with-your-dns.please-visit.name-collisions.icann.org" class="">there-is-a-problem-with-your-dns.please-visit.name-collisions.icann.org</a>. IN A 192.0.2.2<br class=""><a href="http://please-visit.name-collisions.icann.org" class="">please-visit.name-collisions.icann.org</a>. IN A 192.0.2.2<br class=""><a href="http://name-collisions.icann.org" class="">name-collisions.icann.org</a>. IN A 192.0.2.2<br class=""></span></font></div><div class=""><font color="#000000" class=""><span style="caret-color: rgb(0, 0, 0);" class=""><br class=""></span></font></div><div class=""><font color="#000000" class="">192.0.2.1 is the server that actively rejects all incoming TCP communication attempts.</font></div><div class=""><font color="#000000" class=""><span style="caret-color: rgb(0, 0, 0);" class="">192.0.2.2 is a Web server that hosts information on name collisions.</span></font></div><div class=""><font color="#000000" class=""><span style="caret-color: rgb(0, 0, 0);" class=""><br class=""></span></font></div><div class=""><font color="#000000" class="">Similarly, IP address block and/or ASN used could be registered with a special Whois entry.</font></div><div class=""><br class=""></div></div></div><div><blockquote type="cite" class=""><div class=""><div style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class=""><br class="">
</div>
<div class="">The other thing that controlled interruption has going for it was that we’ve already used the technique many times and it didn’t break the Internet.</div></div></div></blockquote><div><br class=""></div>I cannot argue with this one. :)</div><div><br class=""></div><div>However, let me say that I am not opposed to controlled interruption. I think it's a relatively safe option, with which we have some experience -- and frankly the only experience related to name collisions. However, given these other considerations, I don't know that that experience alone sets the bar so high that another methodology that gets us much more value could not be preferred. Based on the fact that we had so little visibility in the last round, I think the value of the data logged in the reject-all proposal is too high to ignore.</div><div><br class=""></div><div>I know that we're trying to reach consensus, and I know that part of the reason we are ending up with a "toolbox" is that there have been longstanding disagreements, so consensus looks more and more like name collisions smorgasbord. And I also know that others (maybe all others) won't agree with me on this. And that's okay. I just want to make sure that I'm communicating my thoughts effectively.</div><div><br class=""></div><div>Casey</div><div><br class=""><br class="">[1] <a href="https://mm.icann.org/pipermail/ncap-discuss/2023-August/001233.html" class="">https://mm.icann.org/pipermail/ncap-discuss/2023-August/001233.html</a><br class="">[2] <a href="https://mm.icann.org/pipermail/ncap-discuss/2023-March/001132.html" class="">https://mm.icann.org/pipermail/ncap-discuss/2023-March/001132.html</a><br class="">[3] <a href="https://mm.icann.org/pipermail/ncap-discuss/2023-March/001130.html" class="">https://mm.icann.org/pipermail/ncap-discuss/2023-March/001130.html</a><br class="">[4] Root Cause Analysis Report. <a href="https://docs.google.com/document/d/1YSvdH9Slws0iW3e6yoS04s5zANBnyMMFn9DUNE19fkg/edit?usp=sharing" class="">https://docs.google.com/document/d/1YSvdH9Slws0iW3e6yoS04s5zANBnyMMFn9DUNE19fkg/edit?usp=sharing</a><br class=""></div></body></html>