Alain Durand wrote:
> On Thursday, July 18, 2002, at 10:56 AM, Jeroen Massar wrote:
> > One application for this could be a reverse dnsserver who doesn't know
> > the PTR for a certain IPv6 address it serves the delegation for. It
> > could then send this icmp nodeinfo request to the endpoint, which is
> > very probably quite close networkwise and use that as a response
>
> I'm sure this will lead to very interesting results when
> a secondary server will try to resolve the reverse
> for site local addresses....
<grin> That would give very interesting results indeed, so let's add the
fact that, for example, BIND has to be configured for such a delegation
like:

    zone "4.2.0.0.0.0.2.4.1.1.8.e.f.f.3.ip6.int" {
        type ipv6nodeinfo;
        allow_names "*.unfix.org";
        check_forward yes;
    };

This would then tell BIND to do nodeinfo queries for
3ffe:8114:2000:240::/60. The responses should match a host in the
unfix.org domain and the forward mapping should match this reverse
mapping *). Another reason for limiting this behaviour is that it indeed
avoids the reverse-site-local problem.

This is IMHO just a neat trick in your dnsserver, just like the other
solutions/examples mentioned for autogeneration of the reverse, except
this could/should probably give a more meaningful response in regard to
RFC 1178.
One could do this in one go for all their customers, who will come from
mostly the same prefix, avoiding the problem of giving every customer
control of the complete reverse delegation with regard to ddnsupdates,
and it also avoids the fact that if they turn on 10000 boxes your
dnsserver gets 10000 updates, of which maybe 1000 get their reverse
requested. Note also that IPv6 supports the anonymous address, which
will change in a timeframe of X, and thus an IP in use by one box at
time Z could be a completely different box at time Y. If I remember
correctly those anonymous addresses had a certain bit set; resolver
software should probably avoid trying to resolve these addresses at all,
they aren't anonymous for a reason after all ;)
Greets,
Jeroen
*) The forward zone, in the example unfix.org, is in the hands of the
delegated person/company/customer and thus they can make their own
policy of setting up Secure Dynamic DNS updates with all the work around
that. Or simply set up a Win2k+ Server box which does it with Kerberos
auth in the domain (GSS-API) or similar solutions. btw... my win2k box
uses bind9-win32's nsupdate in the same fashion as the unix boxes to
automatically update its forward mapping (A+AAAA) to a bind dnsserver. A
good thing there is unxutils ;)
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
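The checks Jeroen sketches for the hypothetical ipv6nodeinfo zone above (deriving the prefix from the nibble zone name, allow_names, and check_forward) as an added worked example; this is not code from the thread or from BIND. It assumes a constructed in-memory table of forward AAAA records in place of live DNS lookups, and the directive names are taken from the hypothetical config, not from any real BIND release.

```python
import fnmatch
import ipaddress

# Constructed forward-zone snapshot standing in for live AAAA lookups;
# a real resolver would query the forward zone instead (assumption).
FORWARD_AAAA = {
    "host1.unfix.org": {"3ffe:8114:2000:240::1"},
    "noc.unfix.org": {"3ffe:8114:2000:24f::10"},
    "evil.example.net": {"3ffe:8114:2000:240::1"},  # outside allow_names
    "liar.unfix.org": {"3ffe:8114:2000:999::1"},    # name ok, address is not
}


def zone_to_prefix(zone):
    """Map a nibble-format reverse zone (ip6.int or ip6.arpa) to its prefix."""
    labels = zone.rstrip(".").lower().split(".")
    if labels[-2:] not in (["ip6", "int"], ["ip6", "arpa"]):
        raise ValueError("not a nibble reverse zone: %s" % zone)
    # The zone lists nibbles least significant first, so reverse them.
    nibbles = labels[:-2][::-1]
    if any(len(n) != 1 or n not in "0123456789abcdef" for n in nibbles):
        raise ValueError("bad nibble label in %s" % zone)
    hexdigits = "".join(nibbles).ljust(32, "0")
    addr = ":".join(hexdigits[i:i + 4] for i in range(0, 32, 4))
    return ipaddress.IPv6Network("%s/%d" % (addr, 4 * len(nibbles)))


def accept_nodeinfo_name(address, claimed_name, zone, allow_names,
                         check_forward=True):
    """Decide whether a node-supplied name may be served as the PTR for
    address. Returns (accepted, reason)."""
    ip = ipaddress.IPv6Address(address)
    # Scoped addresses never get a nodeinfo query (the site-local problem).
    if ip.is_site_local or ip.is_link_local:
        return False, "scoped address: no nodeinfo query sent"
    # Only answer for addresses inside the delegation we actually hold.
    if ip not in zone_to_prefix(zone):
        return False, "address outside the delegated prefix"
    name = claimed_name.rstrip(".").lower()
    # allow_names: the node may only claim a name under the customer's zone.
    if not fnmatch.fnmatchcase(name, allow_names.lower()):
        return False, "name not covered by allow_names"
    # check_forward: the claimed name's AAAA must point back at the address.
    if check_forward:
        forward = {ipaddress.IPv6Address(a) for a in FORWARD_AAAA.get(name, ())}
        if ip not in forward:
            return False, "forward AAAA does not point back at the address"
    return True, "ok"
```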