Brian E Carpenter writes, on three other mailing lists:
> I think it was recognized a long time ago that the initial deployment
> of A6 records should be limited to two (or at most 3) levels. The question
> is whether that is enough to avoid the horrors described by Dan Bernstein
> over on IPNG.
The answer is "of course not." Here's an example with just one level
of A6 records:
aol.com NS dns-01.ns.aol.com
aol.com NS dns-02.ns.aol.com
aol.net NS dns-01.ns.aol.com
aol.net NS dns-02.ns.aol.com
dns-01.ns.aol.com A6 ... prefix.aol.net
dns-02.ns.aol.com A6 ... prefix.aol.net
Now aol.com and aol.net are unreachable. AOL already has these NS
records, and it's _encouraged_ to set up these A6 records, right?
Details of the failure: Say a cache needs the address of www.aol.com.
It contacts the .com servers and learns
aol.com NS dns-01.ns.aol.com
aol.com NS dns-02.ns.aol.com
dns-01.ns.aol.com A6 ... prefix.aol.net
dns-02.ns.aol.com A6 ... prefix.aol.net
but it won't accept the address of prefix.aol.net from the .com servers
even if that address is provided. (Yes, it's theoretically possible for
caches to see that this isn't poison because the .com servers are the
same as the .net servers, but let's fast forward to a time when the .com
servers and the .net servers have been separated.)
The cache now puts the www.aol.com query on hold. It needs the address
of prefix.aol.net. It contacts the .net servers and learns
aol.net NS dns-01.ns.aol.com
aol.net NS dns-02.ns.aol.com
but it won't accept the addresses of *.aol.com from the .net servers
even if those addresses are provided. It puts the prefix.aol.net query
on hold; it needs the addresses of dns-*.ns.aol.com. Repeat ad nauseam.
---Dan
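The resolver walk described in the message, as an added model (not code from the post or from any resolver): the NS and A6 records are the ones above; the A6 suffixes, the glue each TLD server hands out, and the assumption that the TLD servers themselves are reachable are constructed. The bailiwick check is what makes the chain unresolvable, and the `pending` set is what lets the model report the loop instead of repeating ad nauseam.

```python
# Added example, not code from the message; A6 suffixes and TLD glue are constructed.
def in_bailiwick(name, zone):  # a server for `zone` may only vouch for names inside it
    return name == zone or name.endswith("." + zone)
# Each TLD server's delegations and the glue it hands out. An address is
# (suffix, prefix_name) like an A6 record; prefix_name None = complete address.
TLD = {
    "com": {
        "ns": {"aol.com": ["dns-01.ns.aol.com", "dns-02.ns.aol.com"]},
        "glue": {
            "dns-01.ns.aol.com": ("::1", "prefix.aol.net"),
            "dns-02.ns.aol.com": ("::2", "prefix.aol.net"),
            "prefix.aol.net": ("2001:db8::", None),  # offered, but out of .com's bailiwick
        },
    },
    "net": {
        "ns": {"aol.net": ["dns-01.ns.aol.com", "dns-02.ns.aol.com"]},
        "glue": {
            "dns-01.ns.aol.com": ("::1", "prefix.aol.net"),  # out of .net's bailiwick
            "dns-02.ns.aol.com": ("::2", "prefix.aol.net"),
        },
    },
}

def address(name, pending=(), trace=None):
    """Return (address or None, trace); a dependency loop is reported, not retried."""
    trace = [] if trace is None else trace
    if name in pending:
        trace.append(f"loop: {name} is already on hold waiting for this answer")
        return None, trace
    pending += (name,)
    labels = name.split(".")
    tld, zone, srv = labels[-1], ".".join(labels[-2:]), TLD[labels[-1]]
    glue = {n: r for n, r in srv["glue"].items() if in_bailiwick(n, tld)}
    for n in sorted(set(srv["glue"]) - set(glue)):
        trace.append(f".{tld} servers: ignoring out-of-bailiwick glue for {n}")
    if name in glue:
        suffix, prefix_name = glue[name]
        if prefix_name is None:
            return suffix, trace
        trace.append(f"{name} A6 needs {prefix_name}; query on hold")
        prefix, trace = address(prefix_name, pending, trace)
        return (None if prefix is None else f"{prefix}+{suffix}"), trace
    for ns in srv["ns"].get(zone, []):  # name lives in zone; reach its server first
        trace.append(f"{name}: need address of {zone} server {ns}")
        ns_addr, trace = address(ns, pending, trace)
        if ns_addr is not None:
            return f"ask {ns} at {ns_addr}", trace
    trace.append(f"{name}: no reachable server for {zone}")
    return None, trace
```

Running `address("www.aol.com")` returns `None` with a trace that shows the .com servers' offered prefix.aol.net glue being ignored, each dns-*.ns.aol.com query being put on hold for prefix.aol.net, and prefix.aol.net in turn waiting on the same servers.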
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------