

To: "BELOEIL Luc FTRD/DMI/CAE" <luc.beloeil@rd.francetelecom.com>
Cc: "DNSOP WG" <dnsop@cafax.se>
From: "Jaehoon Jeong" <paul@etri.re.kr>
Date: Wed, 25 Jun 2003 06:40:19 +0900
Sender: owner-dnsop@cafax.se
Subject: Re: Comments on draft-jeong-***-dns-***.txt

Thanks, Luc, for your important comments.
I'll think over your comments.

----- Original Message ----- 
From: "BELOEIL Luc FTRD/DMI/CAE" <luc.beloeil@rd.francetelecom.com>
To: "Jaehoon Jeong" <paul@etri.re.kr>
Cc: "DNSOP WG" <dnsop@cafax.se>
Sent: Tuesday, June 24, 2003 5:12 PM
Subject: Comments on draft-jeong-***-dns-***.txt


> 
> Hi all, 
> 
> Those drafts are really interesting, and I have also several comments.
> 
> 1- Concerning http://www.paul.6ants.net/data/draft-jeong-hmipv6-dns-optimization-01.txt
> - RDNSS Failure detection, I do think that is necessary but I do not think that is a job for a MAP. IMHO, it should be simpler to have several "recursive DNS resolvers". If one fails the client will try the next resolver in its list.
> 
    RDNSS failure detection referred to the detection of MAP failure in HMIPv6.
    Luc and Scott suggested that the detection in MAP is not helpful.
    I'll consider how to modify the part of RDNSS failure detection.
> 
> 2- Concerning http://www.ietf.org/internet-drafts/draft-jeong-ipv6-ra-dns-autoconf-00.txt
> 
> - I would prefer not to send "DNS option message" in all RA so as to minimize exchanged information.
   Yes, I agree.

> - If a DNS server accepts Dynamic DNS update, I would prefer that it does not perform recursive resolution at the same time. IMHO those are different functions that must be separated. I would prefer an option for advertising "Dynamic DNS update capable DNS server" and another one for "recursive DNS resolvers".
   In order to allow the DNS updates only to trusted nodes, I think, there is some mechanism to identify the nodes.
   It is very difficult to apply the identification mechanism to DNS update operation.

> - It's a good idea to advertise DNS zone suffix. Shouldn't it be better to advertise that in a separate option or more likely in a sub-option?
   Yes, your suggestion is appropriate.

> - Dynamic DNS update seems not to be an autoconfiguration mechanism as someone needs to configure "user identifier". Did I miss something?
   I intended to include the automatic registration of host DNS name into the DNS autoconfiguration.
   
> - I would not like to run a DNS server that accepts Dynamic DNS update from untrusted nodes, even if that could help autoconfiguration... We need a secure mechanism but that is really not simple.
   Yes, I agree, that is difficult.
   I am trying to find out some ways.
   I need DNSOP fellows' help.

> - In section 7, I do not clearly understand your point "Like this, DNS server MAY discard some or all DNS messages when being filled with the messages. " To my mind, if the DNS server acts like this, it may not answer some requests, thus that is a DoS attack !?
> 
  In order to cope with the DoS attack, what do you think about
  applying the discard only to DNS update messages?

   Thanks.
   
    /Jaehoon

> I hope that could help,
> 
> Luc 
> 
> #----------------------------------------------------------------------
> # To unsubscribe, send a message to <dnsop-request@cafax.se>.
> 
