

To: ggm@apnic.net
CC: Alain Durand <Alain.Durand@sun.com>, dnsop@cafax.se
From: Aidan Williams <aidan.williams@motorola.com>
Date: Fri, 28 Jun 2002 11:43:32 +1000
Reply-To: Aidan_Williams-A15677@email.mot.com
Sender: owner-dnsop@cafax.se
Subject: Re: draft-durand-ngtrans-dns-issues-00.txt

ggm@apnic.net wrote:
> >
> > How will it work when the IPv4 address is transient, i.e. DHCP allocated
> > for a short lease (typically less than a day)?
> >
> 
> Isn't this the same for any transient address DNS issue? I don't see a
> specific 6 Issue here.
> 

The mechanisms are likely the same, but the way they get used will
probably be quite different.  Right now mechanisms for doing dynamic
updates of v4 PTR records really aren't required.

The difference does seem to be one of scale.  The widespread use of
6to4 could imply a considerable increase in the number of PTR records
for devices that now have global addresses and would now like a global
name->address->name to go with it.

Some options which occur to me are:

  - ignore reverse maps as not being particularly useful
    (I have some sympathy with this approach)

  - wildcard all 6to4 reverse entries as Alain is suggesting
    (to me this makes them "not particularly useful", apart from
     making various bits of software "work" that probably shouldn't
     have been relying on them in the first place)

  - make increased use of dynamic updates
    which has a whole can of worms with how you manage the trust
    relationships (i.e. keys) to authenticate the updates

IPv6 hosts typically construct their addresses using stateless
autoconfiguration (using their MAC address, or a more random
concoction to increase privacy) and so a DNS server in an ISP doesn't
have a simple way of predicting what that address might be in order to
create a sensible PTR record.  Hence you need some kind of dynamic
update...

If the ISP were to enable dynamic updates for reverse maps it would
need to secure them and that probably means authenticating updates
within a 2002:IPv4/48 block to the user/box/system that you gave an
IPv4 address to.  If the IPv4 address changes, lots of PTRs
potentially get updated (that's fine).

More importantly, can the trust relationships be made to scale?

In some specific system architectures (cable systems are one I'm
familiar with) bits of equipment (cable modems) are to some extent
trusted within the system.  If 6to4 and such existing architectures
can be made to fit comfortably together (I believe they can be with
HFC systems), existing trust relationships may be leveraged to
scalably authenticate the dynamic updating of IPv6 reverse maps.

However, I don't think there is a general answer...

- aidan
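As an added example (not part of Aidan's message or the draft), the scoping the message describes: the 2002:IPv4/48 block a customer's IPv4 address implies, the ip6.arpa zone that covers it, and an authorization check that refuses a PTR update whose owner name falls outside that zone. The customer IPv4 address and the autoconfigured host address are constructed values.

```python
import ipaddress

# Constructed sample values, not taken from the original message.
CUSTOMER_V4 = "192.0.2.1"
HOST_V6 = "2002:c000:201:1:211:22ff:fe33:4455"  # autoconfigured host inside that /48

def sixtofour_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """2002:WWXX:YYZZ::/48 for the given IPv4 address (6to4 layout)."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))

def reverse_zone(ipv4: str) -> str:
    """ip6.arpa zone covering the customer's /48: its 12 nibbles, reversed."""
    nibbles = sixtofour_prefix(ipv4).network_address.exploded.replace(":", "")[:12]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def ptr_owner(ipv6: str) -> str:
    """Owner name of the PTR record for one host address (all 32 nibbles)."""
    return ipaddress.IPv6Address(ipv6).reverse_pointer + "."

def authorize_ptr_update(owner: str, customer_ipv4: str) -> bool:
    """Accept an update only if the owner name is a well-formed host PTR name
    inside the /48 zone belonging to the customer holding customer_ipv4."""
    name = owner.lower().rstrip(".") + "."
    labels = name.split(".")
    # 32 nibble labels + "ip6" + "arpa" + the empty root label
    if len(labels) != 35 or labels[-3:] != ["ip6", "arpa", ""]:
        return False
    if any(len(l) != 1 or l not in "0123456789abcdef" for l in labels[:32]):
        return False
    # Every label is one nibble, so a suffix match is label-aligned.
    return name.endswith(reverse_zone(customer_ipv4))

if __name__ == "__main__":
    print(sixtofour_prefix(CUSTOMER_V4))
    print(reverse_zone(CUSTOMER_V4))
    print(authorize_ptr_update(ptr_owner(HOST_V6), CUSTOMER_V4))
```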
