To: ggm@apnic.net
CC: Alain Durand <Alain.Durand@sun.com>, dnsop@cafax.se
From: Aidan Williams <aidan.williams@motorola.com>
Date: Fri, 28 Jun 2002 11:43:32 +1000
Reply-To: Aidan_Williams-A15677@email.mot.com
Sender: owner-dnsop@cafax.se
Subject: Re: draft-durand-ngtrans-dns-issues-00.txt
ggm@apnic.net wrote:
> >
> > How will it work when the IPv4 address is transient, i.e. DHCP allocated
> > for a short lease (typically less than a day)?
> >
>
> Isn't this the same for any transient address DNS issue? I don't see a
> specific 6 Issue here.
>

The mechanisms are likely the same, but the way they get used will probably be quite different. Right now mechanisms for doing dynamic updates of v4 PTR records really aren't required.

The difference does seem to be one of scale. The widespread use of 6to4 could imply a considerable increase in the number of PTR records for devices that now have global addresses and would now like a global name->address->name to go with it.

Some options which occur to me are:

- ignore reverse maps as not being particularly useful (I have some sympathy with this approach)

- wildcard all 6to4 reverse entries as Alain is suggesting (to me this makes them "not particularly useful", apart from making various bits of software "work" that probably shouldn't have been relying on them in the first place)

- make increased use of dynamic updates, which has a whole can of worms with how you manage the trust relationships (i.e. keys) to authenticate the updates

IPv6 hosts typically construct their addresses using stateless autoconfiguration (using their MAC address, or a more random concoction to increase privacy) and so a DNS server in an ISP doesn't have a simple way of predicting what that address might be in order to create a sensible PTR record. Hence you need some kind of dynamic update...

If the ISP were to enable dynamic updates for reverse maps it would need to secure them and that probably means authenticating updates within a 2002:IPv4/48 block to the user/box/system that you gave an IPv4 address to. If the IPv4 address changes, lots of PTRs potentially get updated (that's fine). More importantly, can the trust relationships be made to scale?

In some specific system architectures (cable systems are one I'm familiar with) bits of equipment (cable modems) are to some extent trusted within the system. If 6to4 and such existing architectures can be made to fit comfortably together (I believe they can be with HFC systems), existing trust relationships may be leveraged to scalably authenticate the dynamic updating of IPv6 reverse maps. However, I don't think there is a general answer ...

- aidan
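The 2002:IPv4/48 mapping discussed above, the ip6.arpa zone it delegates, and the PTR owner names autoconfigured hosts end up with, worked through as an added example (not from the draft or from anyone in the thread). The IPv4 addresses, MAC addresses and hostnames are constructed sample values; the subnet id is assumed to be 1.

```python
import ipaddress

SIXTO4_TLA = 0x2002  # 2002::/16, the 6to4 prefix


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """The 2002:V4ADDR::/48 block a 6to4 router derives from its IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((SIXTO4_TLA << 112) | (v4 << 80), 48))


def reverse_zone(net48: ipaddress.IPv6Network) -> str:
    """ip6.arpa zone delegated for a /48: its first 12 nibbles, reversed."""
    nibbles = net48.network_address.exploded.replace(":", "")[:12]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface id that stateless autoconfiguration builds from a MAC."""
    b = bytearray.fromhex(mac.replace(":", "").replace("-", ""))
    b[0] ^= 0x02  # flip the universal/local bit
    return int.from_bytes(b[:3] + b"\xff\xfe" + b[3:], "big")


def host_address(net48: ipaddress.IPv6Network, subnet_id: int, iid: int) -> ipaddress.IPv6Address:
    """Autoconfigured address: /48 prefix + 16-bit subnet id + 64-bit interface id."""
    return ipaddress.IPv6Address(int(net48.network_address) | (subnet_id << 64) | iid)


def ptr_records(ipv4: str, hosts, subnet_id: int = 1):
    """(PTR owner name, hostname) pairs the 6to4 block of `ipv4` needs for each (hostname, mac)."""
    net = sixto4_prefix(ipv4)
    return [(host_address(net, subnet_id, eui64_iid(mac)).reverse_pointer + ".", name)
            for name, mac in hosts]


def below_delegation(owner: str, zone: str) -> str:
    """Labels under the /48 zone cut; these survive an IPv4 renumbering unchanged."""
    assert owner.endswith("." + zone)
    return owner[: -len(zone) - 1]


# Constructed sample: two hosts behind a 6to4 router whose IPv4 address changes.
HOSTS = [("pc1", "00:00:5e:00:53:01"), ("pc2", "00:00:5e:00:53:02")]

if __name__ == "__main__":
    for v4 in ("192.0.2.1", "198.51.100.7"):
        print(reverse_zone(sixto4_prefix(v4)))  # zone the ISP would delegate per IPv4 lease
        for owner, name in ptr_records(v4, HOSTS):
            print(f"  {owner} PTR {name}")  # every owner name moves when the lease changes
```

Every PTR owner changes when the IPv4 lease changes, while the labels under the /48 cut stay the same, which is what makes a wildcard PTR at the zone apex tempting and a per-host dynamic update expensive.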