On Sunday, 06/09/2002 at 11:00 MST, "Tony Hain" <[EMAIL PROTECTED]> wrote:
> There is a mismatch between the DNS perception of 'site' and the
> site-local definition of 'site'. The DNS version is much stricter about
> physical separation, but there shouldn't be a requirement that DNS
> servers for a segment of an AS have to be in different SL regions. It
> sounds like there is more to do on the DNS operations document... In any
> case, the only way a DNS server should return a SL in a response is if
> the query was received on a SL. This is the only reasonable way for the
> server to know if the answer is usable. If the DNS servers for a given
> set of hosts are split across multiple SL zones, then some of the
> answers will be global. This is logically the right thing to do from the
> DNS query/response perspective, but from the operations perspective, the
> servers shouldn't be in separate SL zones. If a particular network
> doesn't want to add to the DNS infrastructure, there is no requirement
> to populate it with SL addresses. If the routers don't announce them in
> the RA, and they aren't in the DNS, they don't get used. That does not
> mean we should get rid of them, because smaller organizations will
> typically find them useful to minimize the impact of changing providers.

The DNS issues surrounding site-local addresses concern me far more than
routing issues which have been discussed.  I tried to imagine how DNS
would work given what is described above, especially for the case where
a host is attached to multiple sites.  I don't think this is just an
operational problem, but requires new standards and new code at both the
resolvers as well as name servers in order for it to work.  The more I
thought about it, the more I liked the idea of site-local addresses
disappearing from the architecture or, at a minimum, a host being
restricted to connecting to a single site at any given time.

Imagine a host (Host1) which is directly connected to multiple sites, both
of which are using site-local addressing.  When connecting to a 2nd host
(Host2), Host2 may also be connected to multiple sites - perhaps even the
same two as Host1.

            Host1
           /     \
          /       \
       SiteA     SiteB
          \        /
           \      /
            Host2
              |
              |
            SiteC

When Host1 queries DNS for the addresses for Host2, what addresses should
it receive back?  I'd think Host1 would want Host2's global addresses,
site-local addresses for interfaces attached to SiteA, and site-local
addresses for interfaces attached to SiteB.  Since Host1 is not attached
to SiteC, it would not want to receive site-local addresses for SiteC.  In
each case, Host1 must know the site in which the site-local addresses
returned are valid, so that it will only forward packets using the
destination site-local address into the site in which the address is
valid.  Host1 may also want to restrict the results returned so that it
only receives site-local addresses for a single site (say SiteA), and not
receive any of Host2's site-local addresses for SiteB.

From what I read above, in order for Host1 to receive all of Host2's
addresses, it would need to send two queries to the DNS name server - one
via SiteA and one via SiteB.  In each case, in order to receive a
site-local address the destination address for the DNS name server would
need to be a site-local address for the site over which the query is sent.

In order to receive the packets with a site-local destination address, the
DNS name server must be directly connected to each site that a host in a
zone for which it is authoritative is also connected.  For instance, each
authoritative name server for Host2 must be connected to SiteA, SiteB,
and SiteC, while the authoritative name server for Host1 only needs to be
connected to SiteA and SiteB.

In order for a client to receive all IP addresses for a given host, the
client must be directly attached to each site to which the host is also
attached, as it cannot receive any site-local addresses for sites to
which it is not attached.  That is, to receive all of Host2's addresses,
the client must be directly connected to SiteA, SiteB, and SiteC.  For
a "typical" application, only receiving site-local addresses for sites
to which the client is attached should be fine.  For DNS management tools
(nslookup, dig, etc.) it might not be.

When performing a zone transfer, the primary name server needs to somehow
tell the secondary name servers which zone a site-local address for a
host is associated with.  This way, the secondary name server can restrict
which site-local addresses it returns to a client.

When referring a client to another name server, the referring name server
must know if the client and new target name server are in the same site.  
If so, the address of the new name server should be a site-local address
for the site to which both are directly attached (if the name server has
a site-local address for that site); otherwise, it should be a global
address.

When returning the sockaddr_in6 structures to the requesting application,
the resolver must fill in the sin6_scope_id field for any site-local
addresses based on the site to which the DNS query is sent.  This
allows the TCP/IP stack to know the site in which the site-local address
is valid, and to route packets using the site-local address to the
site in which the address is valid.

When registering IP addresses, a host must ensure that it only registers
site-local addresses via the site in which the site-local address is
defined, while global addresses may be registered via any site.  This
way, the DNS name server can know which site-local addresses are
associated with which sites.

Roy
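As an added illustration (not code from this thread or any name server), the following C sketch implements the answer-selection rule described above: a server hands out global addresses to anyone, hands out a site-local address only to a client whose query arrived via that site, and fills in sin6_scope_id so the client's stack knows which site the address is valid in. The Host2 records, the site numbering (SiteA=1, SiteB=2, SiteC=3) and the 2001:db8::/32 and fec0::/10 sample addresses are constructed for the example; the fec0::/10 site-local prefix itself is the one defined in RFC 3513.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>

/* Site-local unicast is FEC0::/10: byte 0 is 0xFE and the top two bits of byte 1 are set. */
static int is_site_local(const struct in6_addr *a) {
    return a->s6_addr[0] == 0xfe && (a->s6_addr[1] & 0xc0) == 0xc0;
}

/* A record as the server holds it: the address plus the site through which
 * the host registered it (0 = registered as a global address). */
struct addr_record { const char *text; unsigned site; };

/* Constructed records for Host2 in the diagram: one global address and one
 * site-local address per attached site (SiteA=1, SiteB=2, SiteC=3). */
static const struct addr_record host2[] = {
    { "2001:db8::2", 0 }, { "fec0:a::2", 1 }, { "fec0:b::2", 2 }, { "fec0:c::2", 3 },
};

/* Answer a query that arrived via query_site (0 = arrived on a global address).
 * Global records always qualify; a site-local record qualifies only if it belongs
 * to query_site, and its sin6_scope_id is set so the stack sends into that site. */
static size_t select_answers(const struct addr_record *recs, size_t n, unsigned query_site,
                             struct sockaddr_in6 *out, size_t max_out) {
    size_t k = 0;
    for (size_t i = 0; i < n && k < max_out; i++) {
        struct in6_addr a;
        if (inet_pton(AF_INET6, recs[i].text, &a) != 1)
            continue;                              /* malformed record: never hand it out */
        int sl = is_site_local(&a);
        if (sl && recs[i].site != query_site)
            continue;                              /* valid only in a site the client is not on */
        memset(&out[k], 0, sizeof out[k]);
        out[k].sin6_family = AF_INET6;
        out[k].sin6_addr = a;
        out[k].sin6_scope_id = sl ? query_site : 0;
        k++;
    }
    return k;
}

/* Helper over the constructed Host2 table: the scope id filled in for answer
 * number idx when the query came in via query_site, or -1 if there is no such answer. */
int answer_scope(unsigned query_site, size_t idx) {
    struct sockaddr_in6 out[4];
    size_t n = select_answers(host2, 4, query_site, out, 4);
    return idx < n ? (int)out[idx].sin6_scope_id : -1;
}
```

A client on SiteA therefore gets exactly two answers (the global address with scope 0 and fec0:a::2 with scope 1), while a query that arrives on a global address gets the global address only.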
