> From: <[email protected]> > Kazunori Fujiwara has implemented a prototype "On the Fly" DNS server which > does not require caching. > http://member.wide.ad.jp/~fujiwara/v6rev.html
Thanks for introducing my prototype implementation. > From: <[email protected]> > In the document draft-howard-isp-ip6rdns-05, a solution to manage the reverse > domain is to dynamically generate PTR when queried ("On the Fly"). > > In the draft, we have the following: > > "This method may not scale well in conjunction with DNSsec [RFC4035], because > of the additional load, but since keys may be pregenerated for zones, and not > for each record, the risk is moderate." > > In normal conditions (i.e. with static DNS zones), signatures are > pre-generated for the whole zone. However if you generate PTR records on the > fly, you must also generate associated signature (RRSIG) on the fly. So IMHO > the impact on performance is important. My code has DNSSEC on the fly signing function. It is very slow because it is written in perl and uses Net::DNS::SEC. You can write special DNS server in C with multi threaded. Recent CPU can perform over 5000 signs / sec (1024bit RSA). (5128 signs/sec, 1024bit RSA, OpenSSL 1.0.1c, SandyBridge 3.2GHz) We can buy 4 or more cores CPU very cheap. Then, the server may serve over 20,000 queries/sec. Traditional DNS server software serves about 20,000 or 100,000 queries/sec. I think there is no performance concerns if you write new DNS server software in C. # new CPUs and OpenSSL 1.0.1 solved performance issues. > From: Mark Andrews <[email protected]> >> The reverse lookup on IPv6 "2a01:c012:3456:789a:bcde:f012:3456:789a" >> gives the following: >> >> # dig -x 2a01:c012:3456:789a:bcde:f012:3456:789a +short >> 2a01c0123456789abcdef0123456789a.ip6.abo.orange.fr. >> >> In the forward lookup response, we retrieve the original IPv6 address: >> >> # dig 2a01c0123456789abcdef0123456789a.ip6.abo.orange.fr -t aaaa +short >> 2a01:c012:3456:789a:bcde:f012:3456:789a >> >> >> Philippe Lemordant > > While it is staight forward enough to do this technically it is > still *not* a good idea to deploy it. It is not a good idea. But the idea solves some problems. > ISP's have leased the address to their customers and for the duration > of that lease the CUSTOMER not the ISP should be the one naming the > machine. > > When ISPs started doing this with IN-ADDR.ARPA the protocols necessary > to have machines populate the zone themselves did not exist. A lot > has changed in the intervening years. Dynamic update or DHCP may solve, but ISPs need to check names which the client want to register. Hostnames generated by IPv6 addresses may be useless, but they are harmless. -- Kazunori Fujiwara, JPRS <[email protected]> _______________________________________________ homenet mailing list [email protected] https://www.ietf.org/mailman/listinfo/homenet
