To: Erik Nordmark <Erik.Nordmark@Sun.COM>
cc: john.loughney@nokia.com, <tjc@ecs.soton.ac.uk>, <ipng@sunroof.eng.sun.com>, <dnsop@cafax.se>
From: Pekka Savola <pekkas@netcore.fi>
Date: Wed, 19 Mar 2003 22:58:41 +0200 (EET)
In-Reply-To: <Roam.SIMC.2.0.6.1048106485.9349.nordmark@bebop.france>
Sender: owner-dnsop@cafax.se
Subject: RE: dns discovery for agenda? [Re: chairs and charter]

On Wed, 19 Mar 2003, Erik Nordmark wrote:
> > Perhaps I'm naive but "implementation-specific" would be good enough for 
> > me.
> > 
> > Consider the case with IPv4.  You've manually configured a couple of DNS 
> > servers, then run DHCPv4 to get an address and DNS servers.
> > 
> > Do you have to specify how to handle the case?
> > 
> > The latest wins.
> 
> The reason this example is naive (well, you asked :-)
> is when DNSSEC is used the client might have a trust relationship with
> a particular DNS server (aka recursive resolver) and a secure channel
> to that resolver. In that case you clearly don't want to replace
> that manually configured DNS server with the ones the DHCP server tells
> you to use.

As an operator and a user, this case seems trivial: if I know some 
server(s) are special, I will configure them, and *disallow* any other 
mechanism from tampering with DNS configuration.  Such toggles typically 
exist in the implementations, and if they don't, I'll switch the 
implementation.

This kind of possibility may require some minor wording ("SHOULD/MUST be
configurable") when specifying autoconfiguration mechanisms, but that
shouldn't be a problem.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
