On Fri, Oct 26, 2012 at 1:08 AM, RJ Atkinson <[email protected]> wrote:
> I'm not comfortable with overloading a routing
> protocol for use as a DNS transport mechanism.

Sorry, I didn't mean "routing protocol". I meant "Homenet DNS Information Distribution Protocol" (HIDP). I would expect a useful way to carry HIDP would be using the homenet routing protocol, which the homenet needs to implement anyway, but other implementations such as global IPv6 multicast, its very own DHCPv6 option, SMTP between homenet devices, or carrier pigeon are possible and encouraged. After all, this is the IETF: there's always more than one way of doing things, and at least one of them is always a DHCPv6 option.

But seriously: why are you not comfortable with this idea? We need a routing protocol for the homenet anyway. A link-state routing protocol can carry multiple TLVs, including TLVs for DNS servers. Routing protocols can be authenticated. The devices that need to propagate DNS are likely going to be home routers. Why not use the routing protocol?

> I'm also nervous about both DNS authorisation
> and DNS authentication. Who is allowed to make
> which DNS advertisements and how do I authenticate
> the received DNS advertisement as both valid and
> authorised?

I don't see a difference. There is no authorization or authentication today. When you get a DNS server via DHCP, you believe it, or choose not to believe it, based on no information at all. If there's a rogue DHCP server on the link that hands you a rogue DNS server, then guess what, you lose. The only thing that would change here is that you would use HIDP to distribute that information more than one hop away. Whatever mechanism that you want to use to authorize and authenticate DNS servers can be used regardless of whether you learn them via HIDP or via DHCP.

> (NB: With ordinary DNS, the answer is DNSsec.
> With mDNS, DNSsec also probably can work.)
>
> Surely there is some alternative approach that
> doesn't require such overloading and complexity.

Well, let's see.

You have an ISP that hands you a DNS server using DHCPv6. You're also connected to a walled garden that hands you a global but partitioned IPv6 address that can only reach the walled garden, and gives you its own DNS server. You want things to work more than one hop away. How would you implement this?
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
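The message above argues that a DNS-server TLV carried in an authenticated routing protocol is no worse than an unauthenticated DHCP option, and that a rogue advertiser would be rejected by whatever authentication the carrier provides. The following is an added illustration of that point, written for this page and not code from the homenet working group or from any HIDP draft (no such protocol was specified; the name is the poster's). The TLV layout, the type codes, and the use of a pre-shared key with HMAC-SHA256 are all assumptions chosen for the example: a legitimate router that holds the key produces an advertisement the receiver accepts, while an advertisement from a device without the key, a tampered advertisement, or one with the authentication TLV stripped is rejected. Who gets the key is exactly the authorization question the thread leaves open; the code only shows what the authentication layer buys once that is settled.

```python
import hashlib
import hmac
import ipaddress
import struct

# Assumed TLV type codes for this illustration only; no IETF document defines them.
T_DNS_SERVER = 1   # value: 16-byte IPv6 address of a recursive DNS server
T_AUTH = 2         # value: HMAC-SHA256 over every byte that precedes this TLV


def encode_tlv(tlv_type, value):
    """Encode one TLV as a 1-byte type, 2-byte big-endian length and the value."""
    return struct.pack("!BH", tlv_type, len(value)) + value


def parse_tlvs(data):
    """Return a list of (type, value, offset) triples; raise on truncated input."""
    out, off = [], 0
    while off < len(data):
        if off + 3 > len(data):
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack_from("!BH", data, off)
        start = off + 3
        if start + length > len(data):
            raise ValueError("truncated TLV value")
        out.append((tlv_type, data[start:start + length], off))
        off = start + length
    return out


def build_advertisement(dns_servers, key):
    """Router side: one DNS_SERVER TLV per address, then an AUTH TLV keyed with `key`."""
    body = b"".join(
        encode_tlv(T_DNS_SERVER, ipaddress.IPv6Address(s).packed) for s in dns_servers
    )
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return body + encode_tlv(T_AUTH, mac)


def verify_advertisement(msg, key):
    """Receiver side: return the advertised addresses, or None if the message is not
    authenticated under `key` (no AUTH TLV, AUTH not last, wrong MAC, malformed value).

    An unauthenticated advertisement is treated the way the thread describes a rogue
    DHCP server: it is simply not believed.
    """
    try:
        tlvs = parse_tlvs(msg)
    except ValueError:
        return None
    if not tlvs or tlvs[-1][0] != T_AUTH:
        return None
    _, mac, auth_off = tlvs[-1]
    expected = hmac.new(key, msg[:auth_off], hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    servers = []
    for tlv_type, value, _ in tlvs[:-1]:
        if tlv_type == T_DNS_SERVER:
            if len(value) != 16:
                return None
            servers.append(str(ipaddress.IPv6Address(value)))
        # Unknown TLV types are skipped so the format stays extensible; they are still
        # covered by the MAC, so an attacker cannot add them either.
    return servers


if __name__ == "__main__":
    # Constructed sample data: a shared homenet key and two documentation-range addresses.
    shared_key = b"homenet-shared-key-example"
    legit = build_advertisement(["2001:db8::53", "2001:db8:1::53"], shared_key)
    print("legitimate router:", verify_advertisement(legit, shared_key))

    # A rogue device on the link that does not hold the key.
    rogue = build_advertisement(["2001:db8:bad::1"], b"guess")
    print("rogue router:     ", verify_advertisement(rogue, shared_key))

    # Same attacker flips one byte of the first address in a relayed advertisement.
    tampered = bytearray(legit)
    tampered[3] ^= 0x01
    print("tampered:         ", verify_advertisement(bytes(tampered), shared_key))
```

The AUTH TLV is required to be the final TLV and the MAC is computed over everything before it, so neither prepending nor appending a TLV survives verification. A multi-hop distribution would additionally need replay protection (a sequence number inside the MAC'd region), which this example leaves out.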
