To: dnsop@cafax.se
From: Daniel Senie <dts@senie.com>
Date: Mon, 10 Sep 2001 08:00:01 -0400
In-Reply-To: <200109101054.GAA08405@ietf.org>
Sender: owner-dnsop@cafax.se
Subject: Re: I-D ACTION:draft-ietf-dnsop-dontpublish-unreachable-00.txt
I just read this new I-D, and am not sure it's a "good thing." My concern centers around the draft's assumption that there are two types of environments, public and private, and that it is easy to tell the difference.

I worry that with the increased use of policy routing, IPSec and such, we might well find cases where the degree of "publicness" or "privateness" of information is highly dependent on where a particular station is on the Internet, and what its authorizations are. I could imagine, for example, a user authorized to use a mail exchanger which is within the protected realm of a company (yet has a public address which responds only if the remote requests are using IPSec). Should that user be able to find the address of that machine? Arguably so.

Today most VPN products alter the DNS server list on workstations to force the use of name servers within a protected zone. This works fine in some cases (where there's a single protected zone being used by a user) but fails miserably when associations are needed with multiple sites.

So, while I understand the author's goal, and his frustration with the amount of garbage in zone files, I'm not sure this draft is the answer.

-----------------------------------------------------------------
Daniel Senie                                        dts@senie.com
Amaranth Networks Inc.                    http://www.amaranth.com