This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[dns-wg] Reverse DNS operational considerations in an IPv6 environment
- Previous message (by thread): [dns-wg] Reverse DNS operational considerations in an IPv6 environment
- Next message (by thread): [dns-wg] Reverse DNS operational considerations in an IPv6 environment
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Jim Reid
jim at rfc1035.com
Wed Jun 16 11:54:43 CEST 2010
On 16 Jun 2010, at 07:56, Kostas Zorbadelos wrote: > Of course IPv6 produces a totally different world in many > things and I guess reverse DNS is one of them. +1 > Although reverse DNS is used as a weak authentication mechanism today > (if it can be characterized like that) it is not the only use. It is > very > convenient to see names instead of ugly IPv6 addresses in log files > for > instance. I tend to agree. Though a cost/benefit analysis tends to suggest this convenience might not be worth the pain. > Now DDNS is another thought. Can you imagine that working however in > an > environment of multi-million mobile and consumer devices powering up > often, > in a secure and scalable way? I find it a challenge, though never say > never :) I imagine all sorts of things and you probably don't want to know what goes on inside my head. Really. :-) You're right to say that provisioning IPv6 PTR records for bazillions of edge devices is "challenging". In some cases it might not be worth the effort. [Would anyone care if the beer cans in my fridge had hostnames or if they got renumbered once I'd drunk them?] I think that was part of the argument that was being made about not bothering with PTRs for IPv6 addresses. Particularly for stuff that had transient or rapidly changing connectivity. >> My personal preference would be to delegate the /80 (or whatever) to >> the end-user/customer and leave them to choose how to provision that >> zone. [Your mileage may vary...] This might work fairly painlessly >> with the tcp-self and 6to4-self hooks to the update-policy{} clause >> in >> BIND 9.7. Though that's still messy. It also relies on well-behaved >> clients which is perhaps unwise. > > The hooks you are referring to in BIND are DDNS stuff? Yes. The tcp-self and 6to4-self hooks allow clients to change the PTR for their own IPv6 address without needing a TSIG or other crypto token. The dynamic updates have to be made over TCP though. > The provider can populate and maintain this space prety much as it > does today. Consider home equipment, PCs with Windows 7 or any other > operating system with similar behaviour, which as we noticed, apart > from the > autoconfiguration address, produce random IPv6 addresses used in > outgoing > connections that change every couple of hours or so. > > Add to all that some DNSSEC sugar ;-) Yes. It's delightful, isn't it? The plug and play semantics of IPv6 pretty much force us down the road of DDNS for forward and reverse lookups if name<->address mappings matter. That in turn makes DNSSEC "interesting".
- Previous message (by thread): [dns-wg] Reverse DNS operational considerations in an IPv6 environment
- Next message (by thread): [dns-wg] Reverse DNS operational considerations in an IPv6 environment
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]