To: Erik Nordmark <Erik.Nordmark@Sun.COM>
cc: john.loughney@nokia.com, <tjc@ecs.soton.ac.uk>, <ipng@sunroof.eng.sun.com>, <dnsop@cafax.se>
From: Pekka Savola <pekkas@netcore.fi>
Date: Wed, 19 Mar 2003 22:58:41 +0200 (EET)
In-Reply-To: <Roam.SIMC.2.0.6.1048106485.9349.nordmark@bebop.france>
Sender: owner-dnsop@cafax.se
Subject: RE: dns discovery for agenda? [Re: chairs and charter]

On Wed, 19 Mar 2003, Erik Nordmark wrote:
> > Perhaps I'm naive but "implementation-specific" would be good enough for
> > me.
> >
> > Consider the case with IPv4. You've manually configured a couple of DNS
> > servers, then run DHCPv4 to get an address and DNS servers.
> >
> > Do you have to specify how to handle the case?
> >
> > The latest wins.
>
> The reason this example is naive (well, you asked :-)
> is when DNSSEC is used the client might have a trust relationship with
> a particular DNS server (aka recursive resolver) and a secure channel
> to that resolver. In that case you clearly don't want to replace
> that manually configured DNS server with the ones the DHCP server tells
> you to use.

As an operator and a user, this case seems trivial: if I know some
server(s) are special, I will configure them, and *disallow* any other
mechanism from tampering with DNS configuration. Such toggles typically
exist in the implementations, and if they don't, I'll switch the
implementation.

This kind of possibility may require some minor wording ("SHOULD/MUST be
configurable") when specifying autoconfiguration mechanisms, but that
shouldn't be a problem.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                   kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.