Hi, a DHCPv6 option to deliver that kind of information, that is, the relation between DNS domain names and DNS servers, is almost baked: https://tools.ietf.org/html/draft-ietf-mif-dns-server-selection-12
Thanks.

2012/10/26 Teco Boot <[email protected]>:
>
> On 26 Oct 2012, at 02:33, Lorenzo Colitti wrote:
>
> On Fri, Oct 26, 2012 at 1:08 AM, RJ Atkinson <[email protected]> wrote:
>>
>> I'm not comfortable with overloading a routing
>> protocol for use as a DNS transport mechanism.
>
>
> Sorry, I didn't mean "routing protocol". I meant "Homenet DNS Information
> Distribution Protocol" (HIDP). I would expect a useful way to carry HIDP
> would be using the homenet routing protocol which the homenet needs to
> implement anyway, but other implementations such as global IPv6 multicast,
> its very own DHCPv6 option, SMTP between homenet devices, or carrier pigeon
> are possible and encouraged. After all, this is the IETF: there's always
> more than one way of doing things, and at least one of them is always a
> DHCPv6 option.
>
> But seriously: why are you not comfortable with this idea? We need a routing
> protocol for the homenet anyway. A link-state routing protocol can carry
> multiple TLVs, including TLVs for DNS servers. Routing protocols can be
> authenticated. The devices that need to propagate DNS are likely going to be
> home routers. Why not use the routing protocol?
>
> Because we need this info in all nodes. I'm not sure we shall have
> interactions between hosts and the routing protocol.
>
>
>>
>> I'm also nervous about both DNS authorisation
>> and DNS authentication. Who is allowed to make
>> which DNS advertisements and how do I authenticate
>> the received DNS advertisement as both valid and
>> authorised?
>
>
> I don't see a difference. There is no authorization or authentication today.
> When you get a DNS server via DHCP, you believe it, or choose not to believe
> it, based on no information at all. If there's a rogue DHCP server on the
> link that hands you a rogue DNS server, then guess what, you lose. The only
> thing that would change here is that you would use HIDP to distribute that
> information more than one hop away. Whatever mechanism that you want to use
> to authorize and authenticate DNS servers can be used regardless of whether
> you learn them via HIDP or via DHCP.
>
>>
>> (NB: With ordinary DNS, the answer is DNSsec.
>> With mDNS, DNSsec also probably can work.)
>>
>> Surely there is some alternative approach that
>> doesn't require such overloading and complexity.
>
>
> Well, let's see. You have an ISP that hands you a DNS server using DHCPv6.
> You're also connected to a walled garden that hands you a global but
> partitioned IPv6 address that can only reach the walled garden, and gives
> you its own DNS server. You want things to work more than one hop away. How
> would you implement this?
>
> BRDP.
>
> Teco.
>
> _______________________________________________
> homenet mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/homenet
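Two technical points in the quoted thread invite a concrete sketch: that a link-state protocol can flood authenticated TLVs carrying DNS-server information, and that a host with an ISP resolver plus a walled-garden resolver needs per-domain server selection (the problem the mif draft addresses). The following is an added example written for this page, not code from HIDP, BRDP, the mif draft, or any IETF protocol. The TLV layout (type 1 = DNS server, type 2 = HMAC-SHA256 trailer), the shared key, and the addresses are all constructed for illustration; they model the idea, not a wire format anyone has standardised.

```python
import hashlib
import hmac
import ipaddress
import struct

# Hypothetical TLV type codes, chosen for this example only.
TLV_DNS_SERVER = 1
TLV_AUTH = 2
MAC_LEN = 32  # HMAC-SHA256 digest length


def encode_dns_server_tlv(server, domains):
    """Type(1) | Length(2) | IPv6 address(16) | (label-len(1) | domain)* ."""
    body = bytearray(ipaddress.IPv6Address(server).packed)
    for d in domains:
        name = d.encode("ascii")
        if not name or len(name) > 255:
            raise ValueError("bad domain: %r" % d)
        body += struct.pack("!B", len(name)) + name
    return struct.pack("!BH", TLV_DNS_SERVER, len(body)) + bytes(body)


def encode_advert(key, entries):
    """Concatenate DNS-server TLVs and append an auth TLV covering them,
    the way an authenticated link-state advertisement carries a MAC."""
    payload = b"".join(encode_dns_server_tlv(s, d) for s, d in entries)
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + struct.pack("!BH", TLV_AUTH, MAC_LEN) + mac


def decode_advert(key, data):
    """Verify the trailing auth TLV first, then parse the DNS-server TLVs.
    Returns a list of (server, [domains]); raises ValueError on any fault."""
    auth_hdr = len(data) - MAC_LEN - 3
    if auth_hdr < 0:
        raise ValueError("truncated advertisement")
    t, l = struct.unpack("!BH", data[auth_hdr:auth_hdr + 3])
    if t != TLV_AUTH or l != MAC_LEN:
        raise ValueError("missing auth TLV")
    payload, mac = data[:auth_hdr], data[auth_hdr + 3:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("authentication failed")
    entries, off = [], 0
    while off < len(payload):
        if off + 3 > len(payload):
            raise ValueError("truncated TLV header")
        t, l = struct.unpack("!BH", payload[off:off + 3])
        body = payload[off + 3:off + 3 + l]
        if len(body) != l:
            raise ValueError("truncated TLV body")
        off += 3 + l
        if t != TLV_DNS_SERVER:
            continue  # unknown TLV types are skipped, as link-state protocols do
        if len(body) < 16:
            raise ValueError("short DNS-server TLV")
        server = str(ipaddress.IPv6Address(body[:16]))
        domains, p = [], 16
        while p < len(body):
            n = body[p]
            name = body[p + 1:p + 1 + n]
            if len(name) != n:
                raise ValueError("truncated domain")
            domains.append(name.decode("ascii").lower())
            p += 1 + n
        entries.append((server, domains))
    return entries


def select_server(entries, qname):
    """Longest matching domain suffix wins; an entry with no domains is the default."""
    q = qname.lower().rstrip(".")
    default, best, best_len = None, None, -1
    for server, domains in entries:
        if not domains and default is None:
            default = server
        for d in domains:
            if (q == d or q.endswith("." + d)) and len(d) > best_len:
                best, best_len = server, len(d)
    return best if best is not None else default


# Constructed sample data: an ISP resolver (default) and a walled-garden resolver.
KEY = b"homenet-shared-key-example"  # constructed; real deployments must provision this
ISP = "2001:db8:1::53"
GARDEN = "2001:db8:ffff::53"


def demo():
    advert = encode_advert(KEY, [(ISP, []), (GARDEN, ["walled.example"])])
    table = decode_advert(KEY, advert)
    return (table,
            select_server(table, "www.walled.example"),
            select_server(table, "www.example.net"))


def forged_rejected():
    """A rogue node without the key cannot inject a resolver into the flood."""
    rogue = encode_advert(b"wrong-key", [("2001:db8:bad::53", [])])
    try:
        decode_advert(KEY, rogue)
    except ValueError:
        return True
    return False


def tampered_rejected():
    """Flipping one payload byte in transit must fail verification."""
    advert = bytearray(encode_advert(KEY, [(ISP, [])]))
    advert[5] ^= 0x01
    try:
        decode_advert(KEY, bytes(advert))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), forged_rejected(), tampered_rejected())
```

Note what the MAC does and does not buy: a verified advertisement only proves it came from a holder of the shared key, which is the same guarantee an authenticated routing adjacency gives. It says nothing about whether the advertised resolver is the right one for a given domain, which is the authorisation question raised in the thread and is left open here exactly as it is in the discussion.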
