On 26 Oct 2012, at 02:33, Lorenzo Colitti wrote:

> On Fri, Oct 26, 2012 at 1:08 AM, RJ Atkinson <[email protected]> wrote:
>> I'm not comfortable with overloading a routing
>> protocol for use as a DNS transport mechanism.
>
> Sorry, I didn't mean "routing protocol". I meant "Homenet DNS Information
> Distribution Protocol" (HIDP). I would expect a useful way to carry HIDP
> would be using the homenet routing protocol which the homenet needs to
> implement anyway, but other implementations such as global IPv6 multicast,
> its very own DHCPv6 option, SMTP between homenet devices, or carrier pigeon
> are possible and encouraged. After all, this is the IETF: there's always more
> than one way of doing things, and at least one of them is always a DHCPv6
> option.
>
> But seriously: why are you not comfortable with this idea? We need a routing
> protocol for the homenet anyway. A link-state routing protocol can carry
> multiple TLVs, including TLVs for DNS servers. Routing protocols can be
> authenticated. The devices that need to propagate DNS are likely going to be
> home routers. Why not use the routing protocol?

Because we need this info in all nodes. I'm not sure we shall have interactions between hosts and the routing protocol.
>> I'm also nervous about both DNS authorisation
>> and DNS authentication. Who is allowed to make
>> which DNS advertisements and how do I authenticate
>> the received DNS advertisement as both valid and
>> authorised ?
>
> I don't see a difference. There is no authorization or authentication today.
> When you get a DNS server via DHCP, you believe it, or choose not to believe
> it, based on no information at all. If there's a rogue DHCP server on the
> link that hands you a rogue DNS server, then guess what, you lose. The only
> thing that would change here is that you would use HIDP to distribute that
> information more than one hop away. Whatever mechanism that you want to use
> to authorize and authenticate DNS servers can be used regardless of whether
> you learn them via HIDP or via DHCP.
>
>> (NB: With ordinary DNS, the answer is DNSsec.
>> With mDNS, DNSsec also probably can work.)
>>
>> Surely there is some alternative approach that
>> doesn't require such overloading and complexity.
>
> Well, let's see. You have an ISP that hands you a DNS server using DHCPv6.
> You're also connected to a walled garden that hands you a global but
> partitioned IPv6 address that can only reach the walled garden, and gives you
> its own DNS server. You want things to work more than one hop away. How would
> you implement this?

BRDP.

Teco.

> _______________________________________________
> homenet mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/homenet
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
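The exchange above turns on two points: that a link-state routing protocol can carry DNS server addresses as one TLV among others, and that a receiver has no more basis for believing such an advertisement than it has for a DHCP-supplied server, unless the advertisement itself is authenticated. The following is an added example written for this page, not code from any homenet draft, HIDP, or a real routing implementation. The TLV type number (0x7F), the one-byte-type / two-byte-length layout, the sample router IDs and addresses, and the policy of accepting the TLV only from routers whose advertisements passed authentication are all assumptions made for illustration.

```python
"""Hypothetical 'DNS server' TLV carried inside a link-state routing protocol.

Constructed example: the TLV type number, layout, sample data and trust model
are assumptions for illustration, not the format of any IETF protocol.
"""
import ipaddress
import struct
from typing import Dict, Iterable, List, Tuple

# Assumed (hypothetical) TLV type for "recursive DNS server addresses".
TLV_DNS_SERVERS = 0x7F

# TLV header: 1-byte type, 2-byte big-endian length of the value field.
_HDR = struct.Struct("!BH")


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """Serialise one TLV, refusing values that do not fit the header fields."""
    if not 0 <= tlv_type <= 0xFF:
        raise ValueError("TLV type must fit in one byte")
    if len(value) > 0xFFFF:
        raise ValueError("TLV value too long for a 16-bit length field")
    return _HDR.pack(tlv_type, len(value)) + value


def encode_dns_servers_tlv(addresses: Iterable[str]) -> bytes:
    """Pack a list of IPv6 DNS server addresses into the hypothetical TLV."""
    value = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    return encode_tlv(TLV_DNS_SERVERS, value)


def parse_tlvs(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk a TLV sequence, rejecting truncated headers and overrunning lengths."""
    tlvs: List[Tuple[int, bytes]] = []
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < _HDR.size:
            raise ValueError("truncated TLV header at offset %d" % offset)
        tlv_type, length = _HDR.unpack_from(blob, offset)
        offset += _HDR.size
        if length > len(blob) - offset:
            raise ValueError("TLV length %d overruns buffer at offset %d" % (length, offset))
        tlvs.append((tlv_type, blob[offset:offset + length]))
        offset += length
    return tlvs


def dns_servers_from_tlvs(tlvs: Iterable[Tuple[int, bytes]]) -> List[str]:
    """Extract DNS server addresses; unknown TLV types are skipped, as routing protocols do."""
    servers: List[str] = []
    for tlv_type, value in tlvs:
        if tlv_type != TLV_DNS_SERVERS:
            continue
        if len(value) % 16 != 0:
            raise ValueError("DNS server TLV value is not a whole number of IPv6 addresses")
        for i in range(0, len(value), 16):
            servers.append(str(ipaddress.IPv6Address(value[i:i + 16])))
    return servers


def accept_dns_servers(advertisements: Dict[str, bytes], trusted_routers: Iterable[str]) -> List[str]:
    """Accept DNS server TLVs only from routers whose advertisements were authenticated.

    `advertisements` maps an originating router ID to the TLV payload of its
    link-state advertisement. Routers outside `trusted_routers` (assumed here to
    be the set whose LSAs passed the routing protocol's authentication) are
    ignored; this is the extra information a receiver has compared with the
    one-hop DHCP case the thread describes, where any server on the link is believed.
    """
    trusted = set(trusted_routers)
    accepted: List[str] = []
    for router_id, payload in advertisements.items():
        if router_id not in trusted:
            continue
        for addr in dns_servers_from_tlvs(parse_tlvs(payload)):
            if addr not in accepted:
                accepted.append(addr)
    return accepted


# Constructed sample data: three routers flood LSAs; one of them is unauthenticated.
SAMPLE_ADVERTISEMENTS = {
    "rtr-isp-edge": encode_dns_servers_tlv(["2001:db8::53"]) + encode_tlv(0x10, b"\x01\x02"),
    "rtr-walled-garden": encode_dns_servers_tlv(["2001:db8:ffff::53"]),
    "rtr-unauthenticated": encode_dns_servers_tlv(["2001:db8:bad::53"]),
}
TRUSTED_ROUTERS = {"rtr-isp-edge", "rtr-walled-garden"}

if __name__ == "__main__":
    print(accept_dns_servers(SAMPLE_ADVERTISEMENTS, TRUSTED_ROUTERS))
```

The parser enforces the length field against the remaining buffer before slicing, which is the check that matters when the TLV arrives from an arbitrary neighbour; the acceptance step shows that "authenticated" has to mean something at the originator level before a DNS server learned several hops away is worth more than one learned from an unknown DHCP server on the link.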
