On Wed, Sep 25, 2019 at 6:33 PM Joe Abley <[email protected]> wrote:
>
> On 25 Sep 2019, at 18:18, Warren Kumari <[email protected]> wrote:
>
> > Yes, the best practice and advice is to choose something random, but
> > network engineers are humans too, and if you had to remember and try
> > to tell someone over the phone to use fd5a:8109:a679:180a:45d3:d653:22:1
> > or fd00:1::1 as the default gateway, which would you rather do?
>
> You could choose something random then give the end-user a DNSSEC-signed DNS
> name instead of the address.

That only works once they have a working network, which is why I used the
example of "default gateway" and not "browse to
fd5a:8109:a679:180a:45d3:d653:22:1". I've seen people encode the building
number / floor / VLAN / etc. into the network address; when you are
configuring a router you almost always enter the interface address instead of
using DNS, etc. Having a deterministic and easy-to-remember address is much,
much easier at 3AM; I'm less likely to typo fd00:13:1 than fde3:783e:127d:,
etc. I personally don't use ULAs / site local, but I fully understand why those
who do use easy addresses...

> So long as they are using a centralised resolver service with a long enough
> privacy policy, a different address family to do the resolution over and the
> operating system uses DoH by default, security is guaranteed and end-users
> gain the reliability of having large companies responsible for communicating
> their local network parameters instead of unreliable local technicians who
> are invariably up to no good. All we need is the universal deployment of
> IPv6, DNSSEC and DoH.

Yup, let me know once that's done and I'll buy you dinner :-P

Thanks,
W

>
>
> Joe

-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place. This is like putting rabid weasels in your pants, and later
expressing regret at having chosen those particular rabid weasels and that
pair of pants.
   ---maf

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
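As an added example, not part of the thread above: the "choose something random" advice for ULAs is the RFC 4193 section 3.2.2 procedure (SHA-1 over an NTP timestamp and an EUI-64, keep the low 40 bits as the Global ID, prepend fd00::/8). The code below implements it and also shows that the 16-bit Subnet ID is where a memorable floor/building/VLAN number can go while the /48 itself stays unguessable; the MAC address and NTP timestamp used in the stand-alone run and the test are constructed sample values.

```python
import hashlib
import ipaddress
import os
import time
from typing import Optional
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC (RFC 4291 App. A): flip the
    universal/local bit of the first octet and insert ff:fe in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]

def ntp_now() -> int:
    """Current time as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    now = time.time()
    secs = int(now) + NTP_EPOCH_OFFSET
    frac = int((now - int(now)) * (1 << 32))
    return (secs << 32) | frac

def ula_prefix(ntp_time: int, eui64: bytes) -> ipaddress.IPv6Network:
    """RFC 4193 3.2.2: SHA-1 over (NTP time || EUI-64), keep the low 40 bits
    as the Global ID, prepend fd00::/8 (the L=1 half of fc00::/7) -> a /48."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be exactly 8 bytes")
    key = ntp_time.to_bytes(8, "big") + eui64
    global_id = hashlib.sha1(key).digest()[-5:]    # least significant 40 bits
    prefix = b"\xfd" + global_id + bytes(10)        # fd + Global ID + zeroed 80 bits
    return ipaddress.IPv6Network((prefix, 48))

def ula_subnet(prefix: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve a /64 from the /48. The 16-bit Subnet ID is where a memorable
    building/floor/VLAN number can live while the Global ID stays random."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 and a 16-bit Subnet ID")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))

def generate_ula_prefix(mac: Optional[str] = None) -> ipaddress.IPv6Network:
    """Fresh prefix: EUI-64 from the given MAC, else 8 random bytes (RFC 4193
    allows any locally unique identifier when no EUI-64 is available)."""
    eui64 = mac_to_eui64(mac) if mac else os.urandom(8)
    return ula_prefix(ntp_now(), eui64)

if __name__ == "__main__":
    p = generate_ula_prefix("00:11:22:33:44:55")  # constructed sample MAC
    print("site prefix:", p)
    print("floor 13 subnet:", ula_subnet(p, 0x13))  # fdxx:xxxx:xxxx:13::/64
```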
