In message <B9CFA6CE8FFDD211A1FB0008C7894E4603063BFD@bseis01nok>, Jim.Bound@nokia.com writes:
>
>
>> 
>> Firewalls are no reason for a two faced DNS.  Those are forced upon us by
>> NAT, because of the re-use of addresses.  With IPv6 we will have no need
>> to re-use addresses, and so no reason to bother with two faced DNS (which
>> isn't to say that there may not still be people who would prefer to use it).
>
>Good point.  At DEC we did this with our net 16 address exactly, and two-faced
>DNS was not required.
>
>So the firewall argument is bogus here.

There are several reasons for using two-faced DNS with firewalls.
First, there's the desire to hide inside hosts.  A domain name such as
myhost.supersecretproject.somecompany.com is rather revealing.
Second, there's the risk of DNS cache contamination.  DNSSEC will
solve that problem, but of course DNSSEC isn't deployed yet.
You also tend to need different name servers internally for subdomains
-- and hence different NS records -- because internal name servers
are inside the firewall, and not reachable from the outside.  (The
recent set of BIND security holes is ample evidence for the wisdom
of this policy.  One of the main reasons for firewalls is to shield
all the myriad services running on the inside from the consequences
of as-yet unknown bugs.)  The same can be said of MX records -- I want
internal mail to stay internal, but I also don't want externally-
originating mail to have to wait for several minutes of futile attempts
to contact internal MX designees.

You may disagree with some of the above reasons.  Lots of folks buy
in to some of them, enough that there's a lot of two-faced DNS
setups out there, and I don't see anything in v6 that will make
them go away.
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
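The split-horizon policy argued for above, as an added illustration that is not part of this thread: one answer set for queries from inside the firewall, a smaller one for everyone else, plus an audit that flags internal names or addresses that have leaked into the external view. All names, prefixes and records are constructed for the example; the only name taken from the message is myhost.supersecretproject.somecompany.com.

```python
import ipaddress

# Constructed internal prefixes: anything from here is "inside the firewall".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("2001:db8:1::/48")]

# Internal view: internal NS and MX, project hosts visible (constructed data).
INTERNAL_VIEW = {
    ("somecompany.com.", "NS"): ["ns1.int.somecompany.com."],
    ("somecompany.com.", "MX"): ["10 mail.int.somecompany.com."],
    ("myhost.supersecretproject.somecompany.com.", "AAAA"): ["2001:db8:1::42"],
    ("mail.int.somecompany.com.", "AAAA"): ["2001:db8:1::25"],
}
# External view: only the relay and the public name server exist out here.
EXTERNAL_VIEW = {
    ("somecompany.com.", "NS"): ["ns.ext.somecompany.com."],
    ("somecompany.com.", "MX"): ["10 relay.ext.somecompany.com."],
    ("relay.ext.somecompany.com.", "AAAA"): ["2001:db8:ffff::25"],
}

def is_internal(source: str) -> bool:
    """True if the query source address falls inside one of the internal prefixes."""
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in INTERNAL_NETS)

def resolve(name: str, qtype: str, source: str):
    """Answer from the view matching the query source; None means NXDOMAIN."""
    view = INTERNAL_VIEW if is_internal(source) else EXTERNAL_VIEW
    return view.get((name.lower(), qtype.upper()))

def external_leaks(view=EXTERNAL_VIEW):
    """Audit an external view for records that point back inside the firewall:
    A/AAAA data in an internal prefix, or NS/MX targets that only the internal
    view can resolve (outsiders would wait on futile MX attempts for those)."""
    internal_only = {n for n, _ in INTERNAL_VIEW} - {n for n, _ in view}
    leaks = []
    for (name, qtype), rdata in view.items():
        for rr in rdata:
            target = rr.split()[-1]          # drop the MX preference if present
            if qtype in ("A", "AAAA") and is_internal(target):
                leaks.append((name, qtype, rr))
            elif qtype in ("NS", "MX") and target in internal_only:
                leaks.append((name, qtype, rr))
    return leaks

if __name__ == "__main__":
    print(resolve("myhost.supersecretproject.somecompany.com.", "AAAA", "10.1.2.3"))
    print(resolve("myhost.supersecretproject.somecompany.com.", "AAAA", "198.51.100.7"))
    print(external_leaks())
```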
