To: ph10@cam.ac.uk
Cc: dnsop@cafax.se
From: Simon Josefsson <simon+dnsop@josefsson.org>
Date: Sat, 06 Oct 2001 18:37:13 +0200
In-Reply-To: <5.1.0.14.2.20010910074854.039d7720@mail.amaranth.net> (Daniel Senie's message of "Mon, 10 Sep 2001 08:00:01 -0400")
Sender: owner-dnsop@cafax.se
User-Agent: Gnus/5.090004 (Oort Gnus v0.04) Emacs/21.0.106
Subject: Re: I-D ACTION:draft-ietf-dnsop-dontpublish-unreachable-00.txt
Daniel Senie <dts@senie.com> writes:

> I just read this new I-D, and am not sure it's a "good thing." My
> concern centers around the draft's assumption that there are two types
> of environments, public and private, and that it is easy to tell the
> difference. I worry that with the increased use of policy routing,
> IPSec and such, we might well find cases where the degree of
> "publicness" or "privateness" of information is highly dependent on
> where a particular station is on the Internet, and what its
> authorizations are.
>
> I could imagine, for example, a user authorized to use a mail
> exchanger which is within the protected realm of a company (yet has a
> public address which responds only if the remote requests are using
> IPSec). Should that user be able to find the address of that machine?

As a data point for this discussion, consider "mirror.aarnet.edu.au" --
it is a large FTP mirror site, available within Australia only. Should
the IP address of the host be published in DNS or not? Is it a "public"
or "private" host? (Luckily, the MX's are available outside of
Australia though.)

Maybe one way forward for the draft would be to only "forbid" officially
reserved addresses such as 127/8 or 10/8. But this seems to severely
limit (my perceived) goal of the draft, so it might not be what you
want. I also doubt that anyone who used those addresses in DNS would
care about a BCP saying that they shouldn't.
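The narrower rule Simon floats above (forbid only officially reserved address space in published zones) is the one part of this thread that reduces to a mechanical check a zone operator could run. The following Python zone linter is an added illustration, not code from the message, the draft, or the dnsop working group. It flags A/AAAA records whose rdata falls inside 127/8 or 10/8, the two ranges named in the message, and, as an assumption beyond the text, also the remaining RFC 1918 blocks, IPv4 link-local, and the IPv6 loopback, link-local and ULA ranges. The sample zone is constructed for the example; `example.com` and the 192.0.2.0/24 and 2001:db8::/32 addresses are documentation space, not real hosts.

```python
import ipaddress
import re

# Ranges a public zone should not advertise. 127/8 and 10/8 are the two
# named in the message; the others are an assumption added for this
# example (rest of RFC 1918, link-local, IPv6 loopback/link-local/ULA).
RESERVED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fe80::/10"),
    ipaddress.ip_network("fc00::/7"),
]

# Minimal master-file record shape: owner [ttl] [IN] type rdata.
# Only A and AAAA carry addresses, so only those types are matched.
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|AAAA)\s+(\S+)\s*$")


def reserved_match(address):
    """Return the reserved network containing `address`, or None.
    Raises ValueError if `address` is not a valid IP literal."""
    ip = ipaddress.ip_address(address)
    for net in RESERVED_NETWORKS:
        if ip in net:
            return net
    return None


def lint_zone(zone_text):
    """Scan zone-file text and return (owner, rrtype, address, network)
    for every A/AAAA record whose address lies in a reserved range.
    Comments, directives and non-address records are ignored."""
    findings = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip ';' comments
        if not line:
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        owner, rrtype, rdata = m.groups()
        try:
            net = reserved_match(rdata)
        except ValueError:
            continue  # malformed rdata is a different lint, skip here
        if net is not None:
            findings.append((owner, rrtype, rdata, str(net)))
    return findings


# Constructed sample zone (not from the message) mixing public and
# reserved addresses so the linter has something to find.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@        3600 IN SOA ns1 hostmaster 1 7200 3600 1209600 3600
@        3600 IN NS  ns1
ns1      3600 IN A   192.0.2.1       ; documentation range, treated as public
www      3600 IN A   192.0.2.10
intranet 3600 IN A   10.1.2.3        ; RFC 1918 space leaked into a public zone
lo       3600 IN A   127.0.0.1
v6host   3600 IN AAAA 2001:db8::1
linklocal     IN AAAA fe80::1
"""

if __name__ == "__main__":
    for owner, rrtype, addr, net in lint_zone(SAMPLE_ZONE):
        print(f"{owner} {rrtype} {addr} is inside reserved range {net}")
```

Run against the sample zone it reports `intranet`, `lo` and `linklocal`; the 192.0.2.x and 2001:db8:: records pass, which is exactly the limitation Simon points out: an address that is unreachable for policy reasons, like the Australia-only mirror, looks perfectly public to a check of this kind.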