To: Shane Kerr <shane@ripe.net>
Cc: Måns Nilsson <mansaxel@sunet.se>, dnsop@cafax.se
From: Brad Knowles <brad.knowles@skynet.be>
Date: Thu, 20 Mar 2003 02:29:18 +0100
In-Reply-To: <20030319105506.GM23292@x17.ripe.net>
Sender: owner-dnsop@cafax.se
Subject: Re: Radical Surgery proposal: stop doing reverse for IPv6.

At 11:55 AM +0100 2003/03/19, Shane Kerr wrote:

>  Not strictly true.  A pretty good presentation on this was given at
>  the IPv6-SIG at APNIC 15:
>
>  http://www.apnic.net/meetings/15/sigs/ipv6/docs/ipv6-fujisaki-reverse-dns.pdf

	I read this.  It doesn't really provide much in the way of 
details.  It just says it's "hard" and many don't do it, so it 
recommends that no one do it.

	I'm sorry, I just don't buy this logic.

>  This doesn't even cover the tricky issue of how you update the reverse
>  securely for home users (the problem here is that the ISP and the home
>  have to share a secret somehow, not unsolvable but tricky).

	Follow the chain of delegations.  Each organization has a 
relatively small part of the space to manage, and internally they 
handle updates, etc... however they feel best.

	Sure, you could provide some tools to help make this easier, more 
fully integrating DNSUPDATE with DNSSEC in your DHCPv6 servers, and 
providing other tools to automate much of this work for machines with 
static IP addresses.  But I don't really see how this is any 
different from reverse DNS for IPv4.

>  For the record, I think ICMP name lookups would solve the problem of
>  address-to-name mapping sufficiently for users.  I support the
>  proposal of no longer doing reverse for IPv6 100%.

	Too many sites filter ICMP at the border, and for good reason. 
Internally, this may work fine, and may be used to maintain a 
database somewhere -- which should probably be in the DNS, because we 
know that this solution will work and safely cross borders.

	Outside of the local network, I don't see how this could possibly function.

-- 
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
     -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)