To:
Keith Moore <moore@cs.utk.edu>
cc:
Jim.Bound@nokia.com, seamus@bit-net.com, users@ipv6.org, dnsop@cafax.se, ngtrans@sunroof.eng.sun.com
From:
Robert Elz <kre@munnari.OZ.AU>
Date:
Thu, 25 Jan 2001 16:26:22 +0700
In-reply-to:
Your message of "Wed, 24 Jan 2001 09:03:03 EST." <200101241403.JAA06375@astro.cs.utk.edu>
Sender:
owner-dnsop@cafax.se
Subject:
Re: (ngtrans) Re: IPv6 dns
    Date:        Wed, 24 Jan 2001 09:03:03 -0500
    From:        Keith Moore <moore@cs.utk.edu>
    Message-ID:  <200101241403.JAA06375@astro.cs.utk.edu>

  | What would be rational is for the complete address to be updated
  | at the primary server for the zone and propagated from there to
  | secondaries, caches, etc.

Unless you mean just using AAAA, or using only A6 0 (ie: some person updates the address at the primary server, just like they do an A record), how is the primary server supposed to sign this new record it has formulated?

Remember that one of the scenarios for use of DNSSEC (not necessarily one everyone will use, but one that has to be supported), is for the zone file to be written to demountable media (floppy, zip, tape, ...) and carried to a 100% isolated system, signed there, written (along with the DNSSEC records generated) back to the magnetic media, and physically carried back to the nameserver. All that is a little difficult for a DNS server to accomplish all by itself.

  | With A6,
  | the various parts of an address arrive by different paths and
  | there is a greater potential not only for delay and failure, but
  | also for incorrect information that is not detected by the "locals"
  | for that address.

Yes. There are trade offs involved here. Once again, what is needed is for some experimentation with the things, so we can see how well (and in fact, if) they work well enough to use, and less theorising about how they cannot possibly work...

kre
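
An added illustration, not part of the original message or thread: a small A6 chain resolver showing that the full address of a host is assembled from records held, and signed, in several different zones. The record layout (prefix length, address suffix, prefix name) follows the A6 definition in RFC 2874; all names and addresses are constructed samples, and the per-record "zone" label is an assumption added here to show who would sign what.

```python
import ipaddress

# Constructed sample data, not from the thread.
# owner name -> (zone that holds and signs the record, prefix length,
#                address suffix, prefix name)
A6_RECORDS = {
    "www.example.com.": ("example.com.", 64, "::1234:5678:9abc:def0", "subnet.example.com."),
    "subnet.example.com.": ("example.com.", 48, "0:0:0:1::", "cust.isp.example."),
    "cust.isp.example.": ("isp.example.", 32, "0:0:ab::", "tla.example."),
    "tla.example.": ("tla.example.", 0, "2001:db8::", None),
}

def resolve_a6(name, records=A6_RECORDS):
    """Follow an A6 chain; return (address, zones that supplied bits)."""
    address, low_end, zones, seen = 0, 128, [], set()
    while name is not None:
        if name in seen:
            raise ValueError("A6 chain loops at " + name)
        if name not in records:
            raise LookupError("no A6 record for " + name)
        seen.add(name)
        zone, plen, suffix, prefix_name = records[name]
        if plen > low_end:
            raise ValueError("prefix length grows at " + name)
        # This record supplies bits plen .. low_end-1 (bit 0 is the MSB).
        mask = ((1 << (low_end - plen)) - 1) << (128 - low_end)
        address |= int(ipaddress.IPv6Address(suffix)) & mask
        if zone not in zones:
            zones.append(zone)
        low_end = plen
        name = prefix_name if plen else None
    if low_end != 0:
        raise ValueError("chain ended before the top of the address")
    return ipaddress.IPv6Address(address), zones

if __name__ == "__main__":
    addr, zones = resolve_a6("www.example.com.")
    print(addr, "assembled from records in", zones)
    # A change made only upstream alters the host's address.
    changed = dict(A6_RECORDS)
    changed["cust.isp.example."] = ("isp.example.", 32, "0:0:cd::", "tla.example.")
    print(resolve_a6("www.example.com.", changed)[0])
```

In the sample chain, example.com's own signatures cover only the low 80 bits; the rest depends on records signed by isp.example. and tla.example., which is why the primary for example.com cannot itself sign a synthesized complete address.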