To: "David R. Conrad" <david.conrad@nominum.com>
cc: "D. J. Bernstein" <djb@cr.yp.to>, ngtrans@sunroof.eng.sun.com, namedroppers@ops.ietf.org, ipng@sunroof.eng.sun.com, dnsop@cafax.se
From: Keith Moore <moore@cs.utk.edu>
Date: Tue, 07 Aug 2001 21:30:57 -0400
In-reply-to: Your message of "Tue, 07 Aug 2001 17:31:59 PDT." <5.0.2.1.2.20010807172339.0301adb0@localhost>
Sender: owner-dnsop@cafax.se
Subject: Re: (ngtrans) Joint DNSEXT & NGTRANS summary
> P.S. Sorry if this is considered heretical.

I don't think it's heretical at all.

I don't take it as an absolute that people would inherently rather renumber than use NAT, but I think it's reasonable to assume that large numbers of people will follow the path of least resistance, or perhaps, of least apparent risk. If at the time the decision is made, NAT looks easier than renumbering, that's what they'll do. So if we want to avoid NAT in IPv6, we need to make renumbering *much* easier than it is now.

Problem is, A6 in its current form doesn't really do this. Even if it works as advertised, A6 only addresses one of many aspects of renumbering. And DNS is almost certainly not the mechanism that you want to use to advertise address changes in your local network. And people have a difficult enough time configuring SOA, NS, A, CNAME, PTR and MX records correctly, without having to also sort out A6 and DNAME. To me it appears that A6 could actually increase the difficulty of renumbering without disruption.

OTOH, I can see how A6 (or some subset thereof) might end up being part of an overall renumbering strategy. For instance, I can see how a DNS-like identifier might be assigned to name the set of global address prefixes by which a given network might be reached, and how a DNS server for a domain might want to act as a cache for those name-to-prefix bindings, and how those bindings might be suitably represented by A6 records. I can even see how it might be desirable to expose those A6 records outside of your local net if you are signing your records with DNSSEC. I can also see how it would be desirable to just sign the AAAA records.

The presumption behind A6 seems to be that the party who signs your prefix record is likely to be different than the party who signs the suffixes. I don't buy that at all, because I believe that renumberings, no matter how easy they become, are still going to need to be explicitly managed events. You don't want your ISP asserting that you have a new prefix before your firewalls, routers, hosts, and applications know how to deal with it. Re-signing the records in a zone is the least of the problems that must be solved in order to do the renumbering.

Keith
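The following is an added illustration, not part of Keith Moore's message or of any implementation discussed in the thread. It shows the A6 prefix/suffix composition that the discussion is about (RFC 2874 style: a record carries a prefix length, the low address bits, and the name where the upper bits live) and contrasts what a prefix change touches under A6 versus under plain AAAA. The zone names, the record contents and the /32 and /48 split are constructed for the example; the chain-depth bound is likewise an assumption, since a misconfigured chain can loop.

```python
"""Added example (not from the original mailing-list post): resolve a constructed A6 chain
and compare what a prefix change rewrites under A6 versus under AAAA."""
import ipaddress

# Constructed zone data (assumption, not real zones): name -> list of A6 records as
# (prefix_len, suffix, prefix_name). `suffix` holds the low (128 - prefix_len) bits and
# `prefix_name` is where the remaining high bits are looked up; prefix_len 0 ends the chain.
A6_RECORDS = {
    "isp.example.":       [(0,  "2001:db8::", "")],                # ISP's allocation, complete
    "site.example.":      [(32, "0:0:1::",    "isp.example.")],    # customer's subnet inside the ISP /32
    "host.site.example.": [(48, "::1",        "site.example.")],   # host's interface id inside the site /48
}

# Constructed AAAA equivalent of the same host for comparison.
AAAA_RECORDS = {"host.site.example.": "2001:db8:1::1"}

MAX_CHAIN = 8  # assumed bound so a looping chain (a.-> b.-> a.) cannot recurse forever

ALL_BITS = (1 << 128) - 1


def resolve_a6(name, records, depth=0):
    """Return every full IPv6 address reachable through the A6 chain rooted at `name`."""
    if depth > MAX_CHAIN:
        raise ValueError("A6 chain too deep or looping at %s" % name)
    results = []
    for prefix_len, suffix, prefix_name in records.get(name, []):
        suffix_int = int(ipaddress.IPv6Address(suffix))
        if prefix_len == 0:
            results.append(ipaddress.IPv6Address(suffix_int))   # no prefix to fetch
            continue
        low_mask = (1 << (128 - prefix_len)) - 1                 # bits supplied by this record
        for prefix_addr in resolve_a6(prefix_name, records, depth + 1):
            high = int(prefix_addr) & ~low_mask & ALL_BITS       # bits supplied by the prefix owner
            results.append(ipaddress.IPv6Address(high | (suffix_int & low_mask)))
    return results


def renumber_a6(records, new_isp_prefix):
    """Renumber under A6: only the ISP's own record changes; site and host records are untouched."""
    new = dict(records)
    new["isp.example."] = [(0, new_isp_prefix, "")]
    return new


def renumber_aaaa(records, old_net, new_net):
    """Renumber under AAAA: every record carrying the old prefix must be rewritten (and re-signed)."""
    old = ipaddress.IPv6Network(old_net)
    new = ipaddress.IPv6Network(new_net)
    host_mask = (1 << (128 - old.prefixlen)) - 1
    out = {}
    for name, addr in records.items():
        a = ipaddress.IPv6Address(addr)
        if a in old:
            a = ipaddress.IPv6Address(int(new.network_address) | (int(a) & host_mask))
        out[name] = str(a)
    return out


def changed_names(before, after):
    """Names whose record data differs between two zone snapshots: what must be re-signed."""
    return sorted(n for n in after if after[n] != before.get(n))


if __name__ == "__main__":
    host = "host.site.example."
    print("A6 before:", [str(a) for a in resolve_a6(host, A6_RECORDS)])
    moved = renumber_a6(A6_RECORDS, "2001:db9::")
    print("A6 after ISP moves to 2001:db9::/32:", [str(a) for a in resolve_a6(host, moved)])
    print("A6 records changed:", changed_names(A6_RECORDS, moved))
    moved_aaaa = renumber_aaaa(AAAA_RECORDS, "2001:db8::/32", "2001:db9::/32")
    print("AAAA records changed:", changed_names(AAAA_RECORDS, moved_aaaa))
```

Running it shows the trade-off the message is arguing about: under A6 the ISP's single record is the only thing that changes, so the host's address moves the moment the ISP publishes the new prefix, whether or not the site is ready for it; under AAAA each host record has to be rewritten, which is more work but keeps the change under the site's own control.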