

To: Keith Moore <moore@cs.utk.edu>
cc: Jim.Bound@nokia.com, seamus@bit-net.com, users@ipv6.org, dnsop@cafax.se, ngtrans@sunroof.eng.sun.com
From: Robert Elz <kre@munnari.OZ.AU>
Date: Thu, 25 Jan 2001 16:26:22 +0700
In-reply-to: Your message of "Wed, 24 Jan 2001 09:03:03 EST." <200101241403.JAA06375@astro.cs.utk.edu>
Sender: owner-dnsop@cafax.se
Subject: Re: (ngtrans) Re: IPv6 dns

    Date:        Wed, 24 Jan 2001 09:03:03 -0500
    From:        Keith Moore <moore@cs.utk.edu>
    Message-ID:  <200101241403.JAA06375@astro.cs.utk.edu>

  | What would be rational is for the complete address to be updated
  | at the primary server for the zone and propagated from there to
  | secondaries, caches, etc.

Unless you mean just using AAAA, or using only A6 0 (ie: some person
updates the address at the primary server, just like they do an A
record), how is the primary server supposed to sign this new record it
has formulated?

Remember that one of the scenarios for use of DNSSEC (not necessarily
one everyone will use, but one that has to be supported), is for the
zone file to be written to demountable media (floppy, zip, tape, ...)
and carried to a 100% isolated system, signed there, written (along
with the DNSSEC records generated) back to the magnetic media, and
physically carried back to the nameserver.

All that is a little difficult for a DNS server to accomplish all
by itself.

  | With A6,
  | the various parts of an address arrive by different paths and 
  | there is a greater potential not only for delay and failure, but
  | also for incorrect information that is not detected by the "locals"
  | for that address.

Yes.   There are trade offs involved here.   Once again, what is needed
is for some experimentation with the things, so we can see how well (and
in fact, if) they work well enough to use, and less theorising about how
they cannot possibly work...

kre
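
An added illustration, not part of the original message: a sketch of the A6 chain assembly under discussion. It shows that the record set a zone signs offline covers only that zone's own A6 component, while the assembled address also depends on records held in other zones. All zone names and addresses are constructed (2001:db8::/32 is the documentation prefix), and a SHA-256 digest stands in for the signature input.

```python
import hashlib
import ipaddress

FULL = (1 << 128) - 1
HOST = "host.example.com."

# Constructed sample data: owner name -> A6 records (prefix_len, suffix, prefix_name).
# "A6 0" (prefix_len 0) carries a complete address and has no prefix name.
ZONES = {
    HOST: [(64, "::a:b:c:d", "subnet.example.com.")],
    "subnet.example.com.": [(48, "0:0:0:1::", "isp.example.net.")],
    "isp.example.net.": [(0, "2001:db8:1::", None)],
}

def _resolve(name, zones, depth=0):
    """Follow the A6 chain from name; return assembled addresses as integers."""
    if depth > 8:  # guard against loops between prefix names
        raise ValueError("A6 chain too long")
    out = []
    for plen, suffix, prefix_name in zones.get(name, []):
        low_mask = (1 << (128 - plen)) - 1
        low = int(ipaddress.IPv6Address(suffix)) & low_mask
        if plen == 0:
            out.append(low)  # complete address, chain ends here
            continue
        # The upper plen bits come from whatever the prefix name resolves to.
        for upper in _resolve(prefix_name, zones, depth + 1):
            out.append((upper & ~low_mask & FULL) | low)
    return out

def assemble(name, zones):
    return sorted(str(ipaddress.IPv6Address(a)) for a in _resolve(name, zones))

def rrset_digest(name, zones):
    """Stand-in for signature input: only this owner's own A6 records."""
    return hashlib.sha256(repr(sorted(zones[name], key=repr)).encode()).hexdigest()

def renumber_demo():
    """Change only the ISP's record; report old/new address and whether
    the host zone's own signed data stayed byte-for-byte the same."""
    changed = dict(ZONES)
    changed["isp.example.net."] = [(0, "2001:db8:2::", None)]
    same = rrset_digest(HOST, ZONES) == rrset_digest(HOST, changed)
    return assemble(HOST, ZONES), assemble(HOST, changed), same

if __name__ == "__main__":
    print(renumber_demo())
```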

