Suppose that view is on a per-device basis rather than per server?

With something like environment variables in front of "classic" DNS resolution 
in the host resolver...

- Ralph

On Mar 11, 2012, at 11:43 AM 3/11/12, Jim Gettys wrote:

> On 03/11/2012 11:25 AM, Ted Lemon wrote:
>> On Mar 11, 2012, at 11:03 AM, Jim Gettys <[email protected]
>> <mailto:[email protected]>> wrote:
>>> I think there is an interesting question of whether interior *names*
>>> should be automatically published into the global DNS by default or
>>> not,  which will depend on the security of the devices and systems and
>>> the users' expertise, if only to make it a bit harder for attackers to
>>> discover interior systems to attack (since with IPv6 finding them by
>>> brute force address space search is relatively hard).
>> 
>> Doesn't making the zone non-enumerable and disabling zone transfers
>> address this problem?   I guess you could still do a dictionary attack
>> on the zone and decrease the cost of the search somewhat in the usual
>> case, but it's a pretty sketchy way to try to start an attack.  
>> Having said that, I think it's probably fine to disable propagation of
>> the zone by default, except that then we have to figure out what to
>> name the non-propagated zone, and how to deal with the transition from
>> non-propagated to propagated.
>> 
> 
> Had been thinking more along the line of the multiple "view" stuff in
> bind; there would be/is already a public view, and then a private view
> only visible internally.
>                        - Jim
> 

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet

Reply via email to