Suppose that view is on a per-device basis rather than per server? With something like environment variables in front of "classic" DNS resolution in the host resolver...
- Ralph On Mar 11, 2012, at 11:43 AM 3/11/12, Jim Gettys wrote: > On 03/11/2012 11:25 AM, Ted Lemon wrote: >> On Mar 11, 2012, at 11:03 AM, Jim Gettys <[email protected] >> <mailto:[email protected]>> wrote: >>> I think there is an interesting question of whether interior *names* >>> should be automatically published into the global DNS by default or >>> not, which will depend on the security of the devices and systems and >>> the users' expertise, if only to make it a bit harder for attackers to >>> discover interior systems to attack (since with IPv6 finding them by >>> brute force address space search is relatively hard). >> >> Doesn't making the zone non-enumerable and disabling zone transfers >> address this problem? I guess you could still do a dictionary attack >> on the zone and decrease the cost of the search somewhat in the usual >> case, but it's a pretty sketchy way to try to start an attack. >> Having said that, I think it's probably fine to disable propagation of >> the zone by default, except that then we have to figure out what to >> name the non-propagated zone, and how to deal with the transition from >> non-propagated to propagated. >> > > Had been thinking more along the line of the multiple "view" stuff in > bind; there would be/is already a public view, and then a private view > only visible internally. > - Jim > _______________________________________________ homenet mailing list [email protected] https://www.ietf.org/mailman/listinfo/homenet
