Hi Edward, and thank you for the comments.
The current practice of multi-homed hosts is to use interface-specific DNS server
lists, as described in
https://datatracker.ietf.org/doc/draft-ietf-mif-current-practices/
If an interface is chosen before a DNS server, there is no problem in selecting
the DNS server... But if DNS resolution is needed before the interface
selection can be made, there is a problem, especially if the interface
selection would be made based on the destination's IP address.
The intent of this draft is to increase the situational awareness of the MIF host
in relation to which DNS server to contact. There are other drafts that
improve source/destination address selection logic (what happens after DNS
resolution).
So from your point of view, it would be best for a host to contact the DNS servers
of all interfaces, and then use source/destination address selection to choose
from the resulting list which address to actually use? Meaning you don't see
this as problematic:
--
The resolver may optimize its behaviour by sending DNS requests in
parallel to multiple DNS servers of different network interfaces, but
this approach is not always practical:
o It may unnecessarily trigger activation of a radio and thus increase
battery consumption.
o It may unnecessarily reveal private names to third parties.
o It may be a privacy issue as it would reveal all names the host is
resolving to all DNS servers.
--
Best regards,
Teemu
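As an added illustration (not from the draft or from either message in this thread), a small Python model of the two strategies under discussion: per-interface DNS server lists with interface-first selection, versus querying the servers of all interfaces in parallel. Interface names, server addresses and query names are constructed for the example; it counts which server learns which names and how often a radio-backed interface is touched.

```python
# Added example, not code from the draft or the thread: a toy MIF host resolver
# that keeps one DNS server list per interface and compares two query strategies.
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str            # constructed interface name, e.g. "eth0"
    dns_servers: tuple   # interface-specific DNS server list (documentation addresses)
    needs_radio: bool    # True if sending a query may wake a radio (battery cost)


# Constructed sample host: a wired LAN interface and a cellular interface.
HOST = (
    Interface("eth0", ("192.0.2.53",), needs_radio=False),
    Interface("wwan0", ("198.51.100.53", "198.51.100.54"), needs_radio=True),
)


def per_interface(host, chosen):
    """Interface chosen first: only that interface's DNS servers see the query."""
    for iface in host:
        if iface.name == chosen:
            return list(iface.dns_servers)
    raise ValueError(f"unknown interface {chosen}")


def parallel_all(host, chosen=None):
    """The draft's 'optimisation': every interface's DNS servers are queried at once."""
    return [server for iface in host for server in iface.dns_servers]


def simulate(host, queries, strategy):
    """Return (names each server learns, number of radio activations).

    queries: sequence of (name, interface that will carry the resulting traffic).
    """
    revealed = {s: set() for iface in host for s in iface.dns_servers}
    radio_servers = {s for iface in host if iface.needs_radio for s in iface.dns_servers}
    radio_wakeups = 0
    for name, iface_name in queries:
        targets = strategy(host, iface_name)
        for server in targets:
            revealed[server].add(name)     # this server now knows the name
        if any(server in radio_servers for server in targets):
            radio_wakeups += 1             # cellular radio had to be activated
    return revealed, radio_wakeups


# Constructed query mix: two LAN-internal names and one public name.
QUERIES = [("intranet.example", "eth0"), ("printer.example", "eth0"), ("www.example", "wwan0")]
```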
From: ext Edward Lewis [mailto:[email protected]]
Sent: 15 June 2010 18:49
To: [email protected]; Savolainen Teemu (Nokia-D/Tampere)
Cc: [email protected]
Subject: comments on draft-savolainen-mif-dns-server-selection
At 14:22 +0200 6/15/10, <[email protected]> wrote:
https://datatracker.ietf.org/doc/draft-savolainen-mif-dns-server-selection/
Comments on the draft.
In general, I think that architecturally a host has to treat each interface
somewhat independently and then choose the interface to use for a network
event. That is, the host should not treat all the DNS servers equally
regardless of which interface they are serving.
You shouldn't choose to use an 802.11 connected DNS server to direct packets on
your wired LAN if the latter also has a DNS server. I am reacting to this
section:
3. DNS server selection procedure
The list of servers should be per interface. Each interface can be contacted
for its best way to reach the remote end, and the interface that's best ought
to be chosen and the DNS server that is selected has to be one on that
interface.
>DISCUSS: Even more known problem scenarios caused by split DNS
>for multi-homed hosts?
An indirect reaction. Multihoming isn't a problem for the DNS, it's a problem
for forwarding on the multihomed host. There are good reasons to multihome,
but that's a situation unique to those hosts - and the multihomed machine has
better situational awareness of its topology than any other device.
> DISCUSS: What about those DNS servers that instead of a
> negative answer always return a positive reply with an IP address of
> some default HTTP server, whose purpose is just to say 'authenticate'
> or 'page not found'? Maybe DNSSEC would help here, i.e. roll through
> DNS servers until one provides a response that can be validated?
This issue is orthogonal to multihoming.
> DISCUSS: When DNSSEC is used, in the
> split-DNS case it is probably possible to have authoritative answers
> for both existence and non-existence of a record, depending on the
> interface the question is sent on?
Yep. I think this is common. I've seen machines that straddle the firewall
boundary that will be getting the organization-internal zone on one interface
and the organization-external zone on the other. The internal one usually has
more hosts listed, hosts that are not visible externally.
This straddling is not the same as having multiple-media interfaces as
mentioned elsewhere. When straddling a boundary, names will be different by
design. When considering different media (wireless vs. wired) it could be both
are supposed to be open to the internet and hence have the same names.
Finally I'd refer this problem to the issue of: once you have a pool of
addresses for the desired endpoint, which do you choose? The DNS can't help
there, it doesn't know routing. Similarly, the DNS can't distinguish a
multi-homed host from two hosts at different IP addresses, so it's up to the
host to deal with it.
--
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
Discussing IPv4 address policy is like deciding what to eat on the Titanic.