To: dnsop@cafax.se
From: Paul Vixie <vixie@vix.com>
Date: 28 Apr 2003 05:58:21 +0000
In-Reply-To: <D4C25FFA-7939-11D7-A953-000393DB42B2@nominum.com>
Sender: owner-dnsop@cafax.se
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3
Subject: Re: draft-ietf-dnsop-serverid-01.txt
david.conrad@nominum.com (David Conrad) writes:

> On Sunday, April 27, 2003, at 09:33 PM, Randy Bush wrote:
>
> > ... what i really need to know is the unique identity of the server
> > who gave me the result i just received in response to a 'normal' query.
> > this is especially needed in an environment where servers may be
> > anycast.

this may be an edns thing.

it would be pretty easy to use edns to solicit/carry a server identity blob, but in thinking about this i've been unable to determine what that would have to look like.

answering nameserver's hostname might not be fully qualified, and answering nameserver host addresses might not have working PTR, so putting a hostname blob in won't work.

the nameserver service address might be NAT'd, and in addition might be the same as a local rfc1918 address nearby the initiator, so putting a host address blob in won't work.

if one assumed the existence of an 802.3 48-bit address (ethernet, fddi, etc) and further assumed that these were universally unique, then one could put one or more of these (a host might have more than one attached interface) into an edns blob... but it would not help the initiator to do anything except know that two responses had come from the same distant, yet anonymous, nameserver. and it could be spoofed for anti-security reasons.

all of this stuff would be subject to middlebox corruption, either by middleboxes who chose to change it when they shouldn't, or chose not to change it when they should, or changed it in wrong (or even evil) ways.

in other words, before we can decide how to encode or solicit or carry nameserver identity, we have to decide the conceptual meaning of identity as applied to nameservers. if i load balance by running two processes on a dual-processor system, but they respond to the same address/port combos even though each one could have its own configuration, how many identities do i have? that sort of thing.
-- 
Paul Vixie
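An added example, not code from this thread or from the draft under discussion, showing the EDNS mechanics the message refers to: an OPT pseudo-RR (RFC 6891 wire format) that solicits and carries an opaque server-identity blob, and the one inference an initiator can safely draw from it (that two responses carried the same blob). The option code 65001 and the blob values are constructed placeholders; the page assigns no code.

```python
import struct

# Constructed placeholder: the thread does not assign an option code for the
# identity blob. 65001 sits in the range RFC 6891 reserves for local/experimental use.
SERVER_ID_OPTION = 65001
OPT_TYPE = 41  # EDNS OPT pseudo-RR type


def build_opt_rr(udp_payload_size=4096, options=()):
    """Build an OPT RR: root name, type 41, class = UDP payload size,
    TTL = extended rcode/version/flags (all zero here), then the options."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data
                     for code, data in options)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, 0, len(rdata)) + rdata


def parse_opt_rr(buf):
    """Parse an OPT RR at offset 0 of buf into a list of (option-code, option-data)."""
    if buf[:1] != b"\x00":
        raise ValueError("OPT RR must carry the root name")
    rtype, _payload, _ttl, rdlen = struct.unpack("!HHIH", buf[1:11])
    if rtype != OPT_TYPE:
        raise ValueError("not an OPT RR")
    rdata = buf[11:11 + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("truncated OPT rdata")
    opts, off = [], 0
    while off < len(rdata):
        code, olen = struct.unpack("!HH", rdata[off:off + 4])
        data = rdata[off + 4:off + 4 + olen]
        if len(data) != olen:
            raise ValueError("truncated option data")
        opts.append((code, data))
        off += 4 + olen
    return opts


def server_identity(opt_rr):
    """Return the opaque identity blob from a response's OPT RR, or None if absent."""
    for code, data in parse_opt_rr(opt_rr):
        if code == SERVER_ID_OPTION:
            return data
    return None


def same_server(resp_a, resp_b):
    """The only inference the blob supports: two responses with identical, non-empty
    blobs claim the same origin. The blob is deliberately never resolved to a hostname
    or address (unreliable behind NAT or without PTR) and is unauthenticated, so it is
    a correlation hint, not proof of origin."""
    a, b = server_identity(resp_a), server_identity(resp_b)
    return bool(a) and a == b
```

A query that solicits the blob is `build_opt_rr(options=[(SERVER_ID_OPTION, b"")])`; a responder fills in its own opaque value in the same option.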