

To: Robert Elz <kre@munnari.OZ.AU>
cc: Keith Moore <moore@cs.utk.edu>, Jim.Bound@nokia.com, seamus@bit-net.com, users@ipv6.org, dnsop@cafax.se, ngtrans@sunroof.eng.sun.com
From: Keith Moore <moore@cs.utk.edu>
Date: Thu, 25 Jan 2001 09:48:00 -0500
In-reply-to: Your message of "Thu, 25 Jan 2001 16:26:22 +0700." <2846.980414782@brandenburg.cs.mu.OZ.AU>
Sender: owner-dnsop@cafax.se
Subject: Re: (ngtrans) Re: IPv6 dns

>   | What would be rational is for the complete address to be updated
>   | at the primary server for the zone and propagated from there to
>   | secondaries, caches, etc.
> 
> Unless you mean just using AAAA, or using only A6 0 (ie: some person
> updates the address at the primary server, just like they do an A
> record), how is the primary server supposed to sign this new record it
> has formulated?

practically speaking, renumbering is a LONG way from being automatic,
even with A6, mods to DHCP, etc.  you still have firewall access control 
lists to update, for example.  manually re-signing the zone is just one 
more thing.

but even if you use A6 with nonzero prefix lengths, how do you verify
the authenticity of any DNSSEC signed record?  it's not sufficient 
to verify that they were signed by whom they say they were signed -
you also need to verify that those people had the authority to make
assertions about that prefix and that portion of DNS name space.
I won't say that you can't work out a way of doing this with DNSSEC,
but I will claim that the number of additional records that you need 
to do this (beyond just the chain of A6 records) makes it prohibitive  
in all but extreme cases.

>   | With A6,
>   | the various parts of an address arrive by different paths and
>   | there is a greater potential not only for delay and failure, but
>   | also for incorrect information that is not detected by the "locals"
>   | for that address.
> 
> Yes.   There are trade offs involved here.   Once again, what is needed
> is for some experimentation with the things, so we can see how well (and
> in fact, if) they work well enough to use, and less theorising about how
> they cannot possibly work...

when you can predict the limitations of A6 using engineering analysis,
experimentation on a live population doesn't seem necessary.

Keith
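As an added illustration, not part of this thread or of any resolver's actual code: a small Python model of how a resolver assembles an IPv6 address from a chain of A6 records (RFC 2874 style, nonzero prefix lengths). The zone data is constructed; the point it shows is that each slice of bits comes from a different owner name, and so potentially from a different zone and a different signer, each of which would need its own authority check.

```python
"""Model of A6 chain assembly: each link contributes (128 - prefix_len) low bits."""
import ipaddress

# Constructed sample data, not real zones. name -> (prefix_len, suffix, prefix_name).
# The suffix is written as a full IPv6 address for readability; only its low
# (128 - prefix_len) bits are meaningful, as in an A6 RR.
A6_RECORDS = {
    "host.example.com.": (64, ipaddress.IPv6Address("::1234:5678:9abc:def0"),
                          "subnet.example.com."),
    "subnet.example.com.": (48, ipaddress.IPv6Address("0:0:0:1::"),
                            "isp.example.net."),
    "isp.example.net.": (0, ipaddress.IPv6Address("2001:db8:abcd::"), ""),
}


def resolve_a6(name, records=A6_RECORDS, max_depth=8):
    """Follow the A6 chain starting at `name`.

    Returns (address, chain), where chain is a list of (owner_name, prefix_len)
    in the order the links were followed. Raises LookupError on a missing link
    and ValueError on an over-long or looping chain.
    """
    addr = 0
    chain = []
    seen = set()
    while True:
        if len(chain) >= max_depth or name in seen:
            raise ValueError(f"A6 chain too long or loops at {name}")
        seen.add(name)
        rr = records.get(name)
        if rr is None:
            raise LookupError(f"no A6 record for {name}")
        prefix_len, suffix, prefix_name = rr
        # Keep only the bits this link is allowed to supply.
        mask = (1 << (128 - prefix_len)) - 1
        addr |= int(suffix) & mask
        chain.append((name, prefix_len))
        if prefix_len == 0:          # final link: the whole prefix is known
            return ipaddress.IPv6Address(addr), chain
        name = prefix_name


def contributing_names(name, records=A6_RECORDS):
    """Owner names whose records must all be trusted for the address to be right."""
    _, chain = resolve_a6(name, records)
    return [owner for owner, _ in chain]
```

Every name returned by `contributing_names` is a separate place where a wrong or stale record, signed or not, silently changes the final address.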
