To: Randy Bush <randy@psg.com>
Cc: Havard Eidnes <he@runit.no>, seamus@bit-net.com, users@ipv6.org, dnsop@cafax.se, ngtrans@sunroof.eng.sun.com
From: "Perry E. Metzger" <perry@wasabisystems.com>
Date: 19 Jan 2001 18:53:29 -0500
In-Reply-To: Randy Bush's message of "Fri, 19 Jan 2001 14:44:06 -0800"
Sender: owner-dnsop@cafax.se
Subject: Re: IPv6 dns
Randy Bush <randy@psg.com> writes:

> >> bad aim. the worry is not AAAA and A6 RRs. it is bogus NS RR
> >> for the root zone.
> > In what way will actual AAAA or A6 records for root zone hosts be
> > "bogus"?
> again, lack of specifics of a test plan don't make answering ANY questions
> easy.

As a trial balloon, let's assume the strawman I mentioned earlier: pending a feeling of operational stability about Bind 9, selected operators of root name servers deploy (officially) parallel machines running v6 transport serving ".". Once Bind 9 is judged stable, the machines can be "merged" again -- separate hardware is just a check against problems with Bind 9 during shakedown.

We also assume the v6 machines would be treated as "first class citizens" -- the only reason for the caution is the newness of the software causing a desire for a safety measure, not a notion that these are "experimental" machines.

We further assume that no root server machines return AAAA or A6 records for machines serving "." unless it gets queried over v6 transport, in order to minimize the "can't fit in a datagram" issue.

> but once again and again and again and again ...
>
> o if you deploy a rogue root server

What I am proposing are in no way rogue servers -- they're quite legitimate, run by the same folks, storing the same data, and eventually being (in fact) the same machines.

> o its ip address will be cached in other servers

...which is okay since they're real servers with perfectly fine data...

> o and one or more of those servers may indirectly pass that additional data
> to deployed v4 binds that are quite vulnerable to cache poisoning

...but it is only cache poisoning if the data is inaccurate and in this instance, it isn't.

> and yes, that is old vulnerable software and should be updated.

Vulnerable to *what* though? We've spoken of the danger of bad data flowing through the system but none of the data we are talking about is bad.

> this is just one worry about one *rumored* experiment.

You're speaking probably of the notion of the Viagenie test root server running v6. I'd like to get beyond that for now and to the wider issue of deploying real v6 transport aware roots, and what the issues there might be.

--
Perry E. Metzger perry@wasabisystems.com
--
Quality NetBSD CDs, Support & Service. http://www.wasabisystems.com/
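The "can't fit in a datagram" issue mentioned above is the classic 512-byte limit on DNS-over-UDP payloads (RFC 1035). The following is an added example, not code from this thread or from any of its participants: a minimal DNS wire-format encoder (with RFC 1035 label compression) that builds a root priming response for 13 name servers and measures how much adding AAAA glue for every server inflates it. The hostnames follow the conventional `a.root-servers.net` pattern, but every address is constructed from the documentation prefixes 192.0.2.0/24 and 2001:db8::/32; the TTL, message ID and flags are likewise assumed values chosen only to make the message complete.

```python
import struct
import ipaddress

DNS_UDP_MAX = 512  # RFC 1035 limit on a UDP DNS message without EDNS0

# Constructed test data: conventional root server names, documentation-range
# addresses (RFC 5737 / RFC 3849). Not the real root server addresses.
ROOT_SERVERS = [
    ("%s.root-servers.net" % chr(ord("a") + i),
     "192.0.2.%d" % (i + 1),
     "2001:db8::%x" % (i + 1))
    for i in range(13)
]

TTL = 518400  # assumed TTL (6 days), typical for root NS records


def encode_name(name, offset, compress):
    """Encode `name` in wire format at message position `offset`, reusing
    any suffix already emitted (recorded in `compress`) as a 2-byte pointer."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = bytearray()
    while labels:
        suffix = ".".join(labels)
        if suffix in compress:
            out += struct.pack("!H", 0xC000 | compress[suffix])
            return bytes(out)
        compress[suffix] = offset + len(out)   # remember where this suffix starts
        label = labels[0].encode("ascii")
        out += bytes([len(label)]) + label
        labels = labels[1:]
    out += b"\x00"                              # root label terminates the name
    return bytes(out)


def build_priming_response(servers, with_v6_glue):
    """Answer to '. IN NS': one NS per server in the answer section, A glue
    for each in the additional section, plus AAAA glue when requested."""
    msg = bytearray()
    compress = {}
    arcount = len(servers) * (2 if with_v6_glue else 1)
    # Header: ID, flags (QR, RD, RA), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    msg += struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(servers), 0, arcount)
    # Question: "." NS IN
    msg += encode_name(".", len(msg), compress) + struct.pack("!HH", 2, 1)
    # Answer: NS records; rdata name is compressed against earlier names
    for host, _v4, _v6 in servers:
        owner = encode_name(".", len(msg), compress)
        rdata_offset = len(msg) + len(owner) + 10   # TYPE+CLASS+TTL+RDLENGTH
        rdata = encode_name(host, rdata_offset, compress)
        msg += owner + struct.pack("!HHIH", 2, 1, TTL, len(rdata)) + rdata
    # Additional: A glue (owner names compress to 2-byte pointers)
    for host, v4, _v6 in servers:
        owner = encode_name(host, len(msg), compress)
        msg += owner + struct.pack("!HHIH", 1, 1, TTL, 4)
        msg += ipaddress.IPv4Address(v4).packed
    if with_v6_glue:
        for host, _v4, v6 in servers:
            owner = encode_name(host, len(msg), compress)
            msg += owner + struct.pack("!HHIH", 28, 1, TTL, 16)
            msg += ipaddress.IPv6Address(v6).packed
    return bytes(msg)


def fits_in_udp(message):
    """True if a resolver without EDNS0 can receive this message untruncated."""
    return len(message) <= DNS_UDP_MAX


if __name__ == "__main__":
    for v6 in (False, True):
        m = build_priming_response(ROOT_SERVERS, v6)
        print("AAAA glue=%-5s size=%d bytes fits=%s" % (v6, len(m), fits_in_udp(m)))
```

With 13 servers the A-only response is 436 bytes and fits, while adding one AAAA record per server (28 bytes each after compression) pushes it to 800 bytes, past the 512-byte limit and into truncation and TCP retry for older resolvers; that is the sizing reason behind serving v6 glue only to clients that ask over v6 transport.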