--On Sunday, November 10, 2002 17:15:16 -0800 Michel Py <[EMAIL PROTECTED]> wrote:

Harald,

Harald Tveit Alvestrand
This seems to lead me to one of two conclusions:
- Address lookup is significantly more complex in the
presence of site-local than if only global-scoped
addresses are used
- I missed something.
I think you missed the fact that the dual-headed DNS you mentioned is in use
in many organizations, even the ones that have only global-scoped
addresses. One of the main reasons is that network administrators don't
want their DNS servers to resolve the entire network if the request
comes from the outside.

In other words, if foo.example.com is a secure host, it makes a lot of
sense to configure the DNS servers to resolve it if the request comes
from within the administrative boundaries of the site, and *not* resolve
it if the request comes from the outside.
That is well known.

It's also a pain to configure, and the names leak all over the place (check out the Received: headers of this message - there should be at least one leaked "internal" name in it, with a corresponding 192.168.x.x IP address).

I run two different DNS servers on a 7-machine home LAN in order to support this configuration; I can't get redundant DNS servers for the local clients because I don't have a third machine (and don't want to configure Bind 9 with zone support - too much work to learn).

Therefore, the complexity of administering the dual-headed DNS is not a
by-product of the use of site locals, but a desire of the administrator
to limit lookups.
My question to you is whether:

- the use of site-local FORCES you to use split DNS, even if you otherwise don't need to

- the use of site-local and split-DNS FORCES you to let the boundaries of the site follow the boundaries of your security perimeter, or suffer the N*2 problem of having to manage four categories of names rather than two

(btw, IMNSHO, the security argument for split DNS is security through obscurity - it only protects you against the stupid bad guys....)

Harald
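As an added example, not part of this message or anything from the list: a small Python check for the kind of leak described above, scanning Received: headers and flagging hops whose address is RFC 1918 or IPv6 site-local (fec0::/10), or whose hostname falls under an internal zone. The sample headers and the ".internal.example.com" suffix are constructed for the example.

```python
import ipaddress
import re

# Constructed sample Received: headers (not taken from the original message),
# listed as a mail client shows them: outermost hop first.
SAMPLE_HEADERS = [
    "Received: from mail.example.com (mail.example.com [203.0.113.5]) "
    "by mx.example.net with ESMTP id abc123; Sun, 10 Nov 2002 17:16:02 -0800",
    "Received: from laptop.internal.example.com (unknown [192.168.1.23]) "
    "by mail.example.com with ESMTP id def456; Sun, 10 Nov 2002 17:15:16 -0800",
    "Received: from host.example.com (host.example.com [IPv6:fec0::1]) "
    "by laptop.internal.example.com with ESMTP; Sun, 10 Nov 2002 17:14:50 -0800",
]

# Address ranges that should never be visible outside the site:
# RFC 1918 private IPv4 space and the IPv6 site-local prefix discussed in the thread.
LOCAL_SCOPE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fec0::/10")
]

# Matches the usual "from <name> (<reverse-name> [<addr>])" clause of a Received: header.
RECEIVED_RE = re.compile(
    r"from\s+(?P<name>[\w.-]+)\s*\((?:[\w.-]+\s*)?\[(?P<addr>[^\]]+)\]"
)


def is_local_scope(addr: str) -> bool:
    """True if addr lies in RFC 1918 space or in the IPv6 site-local prefix."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # A mismatched address family never matches a network, so mixing v4/v6 is safe.
    return any(ip in net for net in LOCAL_SCOPE_NETS)


def find_leaked_hops(headers, internal_suffixes=(".internal.example.com",)):
    """Return (hostname, address) pairs that reveal an internal host: either the
    hop address is local-scope or the hostname is under an internal zone."""
    leaks = []
    for header in headers:
        m = RECEIVED_RE.search(header)
        if not m:
            continue
        name, addr = m.group("name"), m.group("addr")
        if addr.startswith("IPv6:"):  # sendmail/postfix style literal
            addr = addr[len("IPv6:"):]
        internal_name = name.lower().endswith(tuple(s.lower() for s in internal_suffixes))
        if is_local_scope(addr) or internal_name:
            leaks.append((name, addr))
    return leaks
```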


--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
