Date: Wed, 07 Feb 2001 16:26:15 -0600
From: Brian E Carpenter <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
| Common because of firewalls, even without NATs which I hate as much as you.
Firewalls are no reason for a two faced DNS. Those are forced upon us by
NAT, because of the re-use of addresses. With IPv6 we will have no need
to re-use addresses, and so no reason to bother with two faced DNS (which
isn't to say that there may not still be people who would prefer to use it).
| Why would any enterprise publish the A record of internalserver.example.com
| outside the firewall?
Why wouldn't they? Doing so at least allows others to know that they
have been given the correct name of the server, and simply cannot
communicate with it, rather than getting "no such host" from the DNS,
and then wondering what the cause of that was (maybe the
name I was supposed to use was internal-server.example.com, or maybe
it was internal.server.example.com, or maybe it was intrnlsrvr.example.com
and was just read out over the phone as "internal server").
In any case, two faced DNS is simply not an option to solve the
site local issue - no matter how many large enterprises might happen
to use the things.
The most benefit for site locals will come to those who renumber
most often, not those who hardly ever do. And those who renumber
most often are the very small sites. What's more, those are the
sites who hardly ever run their own DNS, it is mostly run for them
(outside of their net) by their ISP. Two faced DNS simply doesn't
scale to that kind of situation.
Eric's draft at least has the feature that it is mostly feasible,
and (save a couple of hard cases) could possibly work, at the
cost of up to twice as many addresses to return from the DNS.
[Aside on another issue: using A6 would certainly help there, with
the assumption that all the internal addressing is the same for the
site locals and globals, only one more "upper level" A6 prefix
record needs to be added to cover a whole site of site-local addresses...]
Two faced DNS has nothing going for it at all, other than that it kind
of looks like what we do now for NAT. And that's what we should be
trying to avoid, not entrench.
kre
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
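The aside above on A6 prefix chaining, worked through as an added example (this is not code from the thread or from any IETF document, and the zone data and names are constructed). It implements the A6 chain resolution of RFC 2874: a record with prefix length P supplies the low 128-P bits of an address and names the owner of the records that supply the high P bits; the resolver walks the chain and forms one address per combination. Because the site's own name holds both a chained record (global prefix from the ISP) and a terminal record (the site-local prefix), every host resolves to a global and a site-local address with only that one extra record added at the site level, and renumbering the global prefix touches only the ISP's record. Caveat: A6 was moved to experimental status by RFC 3363 in 2002, so this illustrates the 2001 discussion rather than current DNS practice.

```python
"""A6 (RFC 2874) prefix-chain resolution over a constructed zone.

Records are (prefix_len, suffix, prefix_name): `suffix` is written as an
IPv6 address literal of which only the low 128 - prefix_len bits are used,
and `prefix_name` is None for a terminal record (prefix_len 0).
"""
import copy
import ipaddress

ALL_ONES = (1 << 128) - 1
MAX_CHAIN = 16  # assumption: bound chain walking so a looping zone cannot recurse forever

# Constructed zone. Structure: ISP holds the /32, the site adds its 16-bit
# site id under it, each subnet adds a 16-bit subnet id, each host adds its
# 64-bit interface identifier. The single extra terminal record at
# "example.com." (fec0::) is the "one more upper level A6 prefix record"
# that gives the whole site its site-local addresses.
ZONE = {
    "isp.example.net.":     [(0,  "2001:db8::", None)],
    "example.com.":         [(32, "0:0:1::", "isp.example.net."),
                             (0,  "fec0::", None)],
    "subnet1.example.com.": [(48, "0:0:0:1::", "example.com.")],
    "subnet2.example.com.": [(48, "0:0:0:2::", "example.com.")],
    "host1.example.com.":   [(64, "::1", "subnet1.example.com.")],
    "host2.example.com.":   [(64, "::200:5eff:fe00:5301", "subnet2.example.com.")],
}


def resolve_a6(zone, name, _depth=0):
    """Return the sorted list of full IPv6 addresses reachable from name's A6 chains.

    For each record: take the low (128 - prefix_len) bits from its suffix,
    resolve prefix_name recursively, and mask in the high prefix_len bits of
    every address that resolution yields. A terminal record contributes its
    suffix as a whole address.
    """
    if _depth > MAX_CHAIN:
        raise ValueError(f"A6 chain too long or looping at {name}")
    addrs = set()
    for prefix_len, suffix, prefix_name in zone.get(name, []):
        low_mask = (1 << (128 - prefix_len)) - 1
        low_bits = int(ipaddress.IPv6Address(suffix)) & low_mask
        if prefix_len == 0:
            addrs.add(low_bits)
            continue
        high_mask = ALL_ONES ^ low_mask
        for prefix_addr in resolve_a6(zone, prefix_name, _depth + 1):
            addrs.add((int(prefix_addr) & high_mask) | low_bits)
    return sorted(ipaddress.IPv6Address(a) for a in addrs)


def with_isp_prefix(zone, new_prefix):
    """Copy of the zone with the ISP's terminal record replaced: a site renumbering.

    Only the ISP record changes; the site, subnet and host records are untouched,
    and the site-local addresses derived from the fec0:: record stay the same.
    """
    renumbered = copy.deepcopy(zone)
    renumbered["isp.example.net."] = [(0, new_prefix, None)]
    return renumbered


def without_site_locals(zone):
    """Copy of the zone with the site-level terminal (site-local) record removed."""
    trimmed = copy.deepcopy(zone)
    trimmed["example.com."] = [r for r in trimmed["example.com."] if r[0] != 0]
    return trimmed


if __name__ == "__main__":
    for host in ("host1.example.com.", "host2.example.com."):
        print(host, [str(a) for a in resolve_a6(ZONE, host)])
    moved = with_isp_prefix(ZONE, "3ffe:8000::")
    print("after renumbering:", [str(a) for a in resolve_a6(moved, "host1.example.com.")])
```

Each host answer carries two addresses (the global and the site-local), which is exactly the "up to twice as many addresses" cost; dropping the one site-level terminal record brings it back to one per host, and changing the ISP record renumbers every global address in the site without editing a single host or subnet record.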