>So now we're back to changing the DNS protocol and every IPv6-capable
>DNS client in the world to support triangular wheels.
not really.
first, RFC2181 has particular care about anycast address - see
the last line in section 4.1.
>4.1. UDP Source Address Selection
>
> To avoid these problems, servers when responding to queries using UDP
> must cause the reply to be sent with the source address field in the
> IP header set to the address that was in the destination address
> field of the IP header of the packet containing the query causing the
> response. If this would cause the response to be sent from an IP
> address that is not permitted for this purpose, then the response may
> be sent from any legal IP address allocated to the server. That
> address should be chosen to maximise the possibility that the client
> will be able to use it for further queries. Servers configured in <---
> such a way that not all their addresses are equally reachable from <---
> all potential clients need take particular care when responding to <---
> queries sent to anycast, multicast, or similar, addresses. <---
second, from implementation POV, microsoft resolvers does not check
source (correct me if i'm wrong), and bind4/8 can change behavior
by only a one-bit flag (RES_INSECURE1). so it is not a big deal.
third, i don't understand why the rule (source address of reply
has to be equal to the destination of query) is enforced. it may
have been useful in the past, but with source address spoofing
getting widely practiced, it provides no protection. the only way
we can be sure about data integrity is via DNSSEC (so unfortunately,
we are using untrustable DNS responses every day at this moment).
itojun
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
