In message <[email protected]> Wouter Cloetens writes:

> On 18/08/12 05:05, Curtis Villamizar wrote:
>
> >>> When a domain registrar is needed is only when the homenet needs or
> >>> wants (maybe for ego reasons) a domain residing in a TLD (such as .com
> >>> or .org) and would not accept a subdomain from the provider. For
> >>> example the homenet user wants foo.com and would not accept something
> >>> of the form foo.site.provider.com, which would be less permanent (the
> >>> delegation is lost if switching providers).
> >>
> >> For security reasons documented in one of the drafts above, it should be
> >> disabled by default. A user-defined configuration could open the DNS
> >> port to the world, and allow additional domains.
> >
> > I think you missed the point. This is not a security issue.
>
> Yes, I got your point, but I'm adding an implication.
> The draft explains that this requires opening up the gateway's DNS port
> to the world, rather than only to the trusted DNS infrastructure of the
> provider. That has some security issues.

There is the option for split horizon, but I don't think it should be the
default. Having a GUA and not having a DNS name is not a *security*
feature. More like paranoia IMHO. Security by obscurity has never worked.

> Also, only the provider can give you reverse DNS.

The provider can delegate reverse DNS. That is a problem with
uncooperative providers. Otherwise accurate rDNS is site local only, but
at least it is accurate at the site.

> Whereas the provider-delegated domain can be a fully automatic feature,
> setting up a personal domain requires the user to do some work.
> Registering a domain (could be made simple, from a gateway's web UI),
> pointing a nameserver at his gateway (could be automated, DynDNS-style).
> It is only logical that a user should also have to disable the secure
> default source address restriction of DNS requests.

If the user wants no work, the provider delegated subdomain can be
reduced to zero work on the part of the customer, and a one time
mechanical configuration on the part of the provider at the time that
service is initiated (when new customer buys service for first time).

Working with a registrar could be made simpler by the registrar, but
most homes will never need a *vanity* domain in a TLD.

> Nonetheless, it is a perfectly valid use case; the IPv6 functional
> equivalent of widely used DynDNS in the IPv4 world today. And, of
> course, not every operator may implement the automated domain delegation.

It seems that today, getting operators to do anything is difficult. Too
bad we have so little competition in Internet service. :-(

> bfn, Wouter

Curtis

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
