To: Robert Elz <kre@munnari.OZ.AU>
Cc: Daniel Senie <dts@senie.com>, Philip Hazel <ph10@cus.cam.ac.uk>, Mats Dufberg <dufberg@nic-se.se>, dnsop@cafax.se
From: Johan Ihren <johani@autonomica.se>
Date: 26 Feb 2002 14:36:10 +0100
In-Reply-To: <2056.1013751984@brandenburg.cs.mu.OZ.AU>
Sender: owner-dnsop@cafax.se
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.3
Subject: Re: I-D ACTION:draft-ietf-dnsop-dontpublish-unreachable-03.txt

Robert Elz <kre@munnari.OZ.AU> writes:

>     Date:        Thu, 14 Feb 2002 11:35:22 -0500
>     From:        Daniel Senie <dts@senie.com>
>     Message-ID:  <5.1.0.14.2.20020214113044.041aed90@mail.amaranth.net>
> 
>   | A /24 which is firewalled, and has a name server behind it which is listed 
>   | in the NS records would be every bit the same as a server in RFC 1918 space 
>   | on a private network.
> 
> Almost, but not quite.   A firewalled /n (for any n) is just an unreachable
> server (no different than a server that is down, or has had its address
> changed without updating the DNS).   Attempting to legislate against any
> of this is attempting to legislate against stupidity, which is just as
> stupid itself.
> 
> On the other hand, rfc1918 addresses, and 127/8 are really uncoordinated
> anycast addresses - they may just be an unreachable address, in which
> case they're not really doing any great harm - but for others they may
> actually direct you to a reachable server (DNS server, web server, e-mail
> server...) which simply has no idea what to do with whatever you're
> attempting, or even worse, believes it does know.
> 
> It is much more important to keep 1918 (etc) addresses out of the DNS
> than any other oddball addresses.

I agree completely with this. 

Reachability is becoming less useful as a criterion even as we speak,
because of the strange and mysterious ways that sites choose to
implement their security. And it was kind of bad from the start, since
DNS already can provide protection against it through redundancy in
the RRsets (i.e. multiple NS, multiple MX, etc).

The key issue is whether the address is ambiguous, not if it is
reachable.  And that becomes even more obvious when taking into
account the v4/v6 transport issues.

Regards,

Johan
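
As an added example, not code from the thread or from the draft under discussion: a small zone lint in Python that applies the criterion above directly. It flags NS and MX targets whose addresses fall in ambiguous space (RFC 1918 and 127/8 as named in the thread; the IPv6 loopback, link-local and unique-local blocks are this example's own addition) and never tests reachability, since a firewalled public address is just a down server that RRset redundancy already covers. The sample zone is constructed.

```python
"""Lint NS and MX targets of a zone for ambiguous (non-globally-unique) addresses."""
import ipaddress

# Blocks whose addresses are not globally unique, so publishing them in the DNS
# is ambiguous: RFC 1918 and 127/8 as named in the thread, plus (an assumption
# of this example) the IPv6 loopback, link-local and unique-local blocks.
AMBIGUOUS_BLOCKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fe80::/10", "fc00::/7",
)]

def ambiguous_block(addr):
    """Return the ambiguous block containing addr, or None if it is globally unique."""
    ip = ipaddress.ip_address(addr)
    return next((b for b in AMBIGUOUS_BLOCKS if ip in b), None)

def parse_zone(text):
    """Parse minimal 'owner IN TYPE rdata' lines into {owner: {type: [rdata]}}."""
    zone = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1] == "IN":
            # For MX the last field is the exchange name; the preference is skipped.
            zone.setdefault(f[0], {}).setdefault(f[2], []).append(f[-1])
    return zone

def lint_zone(text):
    """Return (findings, unusable): one finding per ambiguous address behind an NS
    or MX target, plus the RRsets whose every known target has only ambiguous
    addresses, i.e. where redundancy in the RRset no longer helps."""
    zone = parse_zone(text)
    findings, unusable = [], []
    for owner, rrs in zone.items():
        for rtype in ("NS", "MX"):
            has_clean_target = False
            for target in rrs.get(rtype, []):
                addrs = zone.get(target, {}).get("A", []) + zone.get(target, {}).get("AAAA", [])
                bad = [(a, ambiguous_block(a)) for a in addrs if ambiguous_block(a)]
                # Reachability is deliberately not tested: an unknown or firewalled
                # address is not ambiguous, it is merely down.
                if not addrs or len(bad) < len(addrs):
                    has_clean_target = True
                for a, block in bad:
                    findings.append(f"{owner} {rtype} {target}: {a} is in {block}")
            if rrs.get(rtype) and not has_clean_target:
                unusable.append(f"{owner} {rtype}")
    return findings, unusable

# Constructed sample zone (not from the thread): one NS and the only MX are in ambiguous space.
SAMPLE_ZONE = """example.com. IN NS ns1.example.com.
example.com. IN NS ns2.example.com.
example.com. IN MX 10 mail.example.com.
ns1.example.com. IN A 192.0.2.53
ns2.example.com. IN A 10.0.0.53
mail.example.com. IN AAAA fd00::25
mail.example.com. IN A 127.0.0.1
"""
```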
