To: ngtrans@sunroof.eng.sun.com, namedroppers@ops.ietf.org, ipng@sunroof.eng.sun.com, dnsop@cafax.se
From: "D. J. Bernstein" <djb@cr.yp.to>
Date: 1 Aug 2001 18:44:27 -0000
Automatic-Legal-Notices: Copyright 2001, D. J. Bernstein. My transmission of this message to you does not constitute a copyright waiver or any other limitation of my rights, even if you have told me otherwise.
Content-Disposition: inline
Subject: Re: Joint DNSEXT & NGTRANS agenda

Robert Elz writes:
> For anyone to seriously claim that server side resolution of the
> indirection is the way things should be done, and that for some
> security or reliability related reason, this cannot be made to
> work, begs credulity.

You are, as usual, massively confused.

The reliability problems are not caused by the normal anti-poisoning
rules. The problems are caused by servers that DO NOT HAVE ALL THE
INFORMATION THE CLIENT NEEDS.

For example, when a .com server says barclays.com NS ns1.barclays.co.uk,
the client has to go look up the ns1.barclays.co.uk address. Is this
because the client is protecting itself against poison? No. It's because
the .com servers DO NOT HAVE THAT ADDRESS.

Server-side indirection means that the server _does_ have the address.
In this case, the server can easily use an in-bailiwick name for the
address, so the normal anti-poisoning rules once again have no effect.
The client avoids the extra lookups and the possibility of loops.

The reason I recommend in-bailiwick names within the existing DNS
architecture is that those names force the server to collect the
address. Putting IP addresses into NS records directly would have the
same beneficial effect.

Summary:

   * Good situation: The server has the information.
   * Bad situation: The server doesn't have the information.

The bad situation produces reliability problems. The point of A6 and
DNAME is to move from the good situation to the bad situation; this is
why I oppose A6 and DNAME.

Of course, all of this is already explained on my web page.

---Dan
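
The in-bailiwick distinction discussed in the message above, as an added example that is not part of the original message or of any DNS implementation: it classifies the name servers in a referral by whether the referring server's zone covers them, and reports which ones cost the client an extra lookup. The function names, the name ns1.barclays.com and the 192.0.2.x addresses are constructed for illustration.

```python
# Added illustration; names other than ns1.barclays.co.uk and all addresses are constructed.

def labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def in_bailiwick(name, zone):
    """True if name equals zone or lies beneath it (compared label by label)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def process_referral(server_zone, ns_names, additional):
    """Classify a referral from a server that is authoritative for server_zone.

    additional maps names to addresses taken from the additional section.
    Returns (usable, extra_lookups, discarded):
      usable        - NS name -> address the client can use at once
      extra_lookups - NS names the client has to resolve separately
      discarded     - additional records rejected as out of bailiwick
    """
    usable, extra_lookups, discarded, glue = {}, [], {}, {}
    for name, addr in additional.items():
        # Anti-poisoning rule: trust only data for names under the server's zone.
        if in_bailiwick(name, server_zone):
            glue[".".join(labels(name))] = addr
        else:
            discarded[name] = addr
    for ns in ns_names:
        key = ".".join(labels(ns))
        if key in glue:
            usable[ns] = glue[key]
        else:
            extra_lookups.append(ns)  # the server did not have the address
    return usable, extra_lookups, discarded

if __name__ == "__main__":
    # Out-of-bailiwick NS name from a .com server: no address, extra lookup.
    print(process_referral("com", ["ns1.barclays.co.uk"], {}))
    # Constructed in-bailiwick alternative: the address arrives with the referral.
    print(process_referral("com", ["ns1.barclays.com"],
                           {"ns1.barclays.com": "192.0.2.53"}))
```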
