I just read this new I-D, and am not sure it's a "good thing." My concern
centers around the draft's assumption that there are two types of
environments, public and private, and that it is easy to tell the
difference. I worry that with the increased use of policy routing, IPSec
and such, we might well find cases where the degree of "publicness" or
"privateness" of information is highly dependent on where a particular
station is on the Internet, and what its authorizations are.
I could imagine, for example, a user authorized to use a mail exchanger
which is within the protected realm of a company (yet has a public address
which responds only if the remote requests are using IPSec). Should that
user be able to find the address of that machine? Arguably so. Today most
VPN products alter the DNS server list on workstations to force the use of
name servers within a protected zone. This works fine in some cases (where
there's a single protected zone being used by a user) but fails miserably
when associations are needed with multiple sites.
So, while I understand the author's goal, and his frustration with the
amount of garbage in zone files, I'm not sure this draft is the answer.
-----------------------------------------------------------------
Daniel Senie [EMAIL PROTECTED]
Amaranth Networks Inc. http://www.amaranth.com
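The multi-site failure the post describes (a VPN client replacing the workstation's entire DNS server list) can be shown with a small resolver-policy simulation. This is an added example, not code from the post, the draft, or any VPN product; every zone name, server name, and address in it is a constructed placeholder, and the two policies are simplified models of "replace the whole server list" versus "forward each protected zone to its own server."

```python
# Added example: simulate which nameserver a workstation consults under two
# policies, and why the "replace the server list" approach breaks as soon as
# a user needs associations with more than one protected site.
# All names and addresses below are constructed placeholders.

PUBLIC_RESOLVER = "public-resolver.example"

# Constructed: two independent protected sites, each with an internal
# nameserver that alone knows that site's internal names.
SITES = {
    "corp-a.example": "ns.corp-a.example",
    "corp-b.example": "ns.corp-b.example",
}

# Constructed: what each nameserver is able to answer.
ZONE_DATA = {
    "ns.corp-a.example": {"mail.corp-a.example": "10.1.0.25"},
    "ns.corp-b.example": {"mail.corp-b.example": "10.2.0.25"},
    PUBLIC_RESOLVER: {"www.example": "192.0.2.80"},
}


def lookup(server, name):
    """Return the address a given server knows for name, or None."""
    return ZONE_DATA.get(server, {}).get(name)


def resolve_global_override(name, active_vpn_sites):
    """Policy 1: each VPN client overwrites the whole server list.
    The last tunnel to come up wins, so only that site's server is asked,
    even for public names and for the other site's names."""
    if not active_vpn_sites:
        return lookup(PUBLIC_RESOLVER, name)
    server = SITES[active_vpn_sites[-1]]
    return lookup(server, name)


def resolve_per_zone(name, active_vpn_sites):
    """Policy 2: per-zone forwarding. Each tunnel adds one rule, 'names
    under <zone> go to that site's server'; everything else stays public."""
    for zone in active_vpn_sites:
        if name == zone or name.endswith("." + zone):
            return lookup(SITES[zone], name)
    return lookup(PUBLIC_RESOLVER, name)


def demo():
    """Resolve three names with both tunnels up under each policy."""
    active = ["corp-a.example", "corp-b.example"]
    names = ["mail.corp-a.example", "mail.corp-b.example", "www.example"]
    return {
        "global_override": {n: resolve_global_override(n, active) for n in names},
        "per_zone": {n: resolve_per_zone(n, active) for n in names},
    }


if __name__ == "__main__":
    for policy, results in demo().items():
        print(policy)
        for n, addr in results.items():
            print(f"  {n:25} -> {addr}")
```

With both tunnels active, the global-override policy resolves only the second site's mail exchanger and loses both the first site's name and the public name; per-zone forwarding answers all three. The per-zone model is a resolver configuration choice, not an access control: whether a client is actually permitted to reach the address it learns is still decided by the site's own authorization (the IPSec requirement in the post's example), which is the point the post makes about "publicness" depending on who is asking.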