On Mon, Nov 11, 2002 at 08:00:13AM +0100, Harald Tveit Alvestrand wrote:
> 
> My question to you is whether:
> 
> - the use of site-local FORCES you to use split DNS, even if you otherwise 
> don't need to
> 
> - the use of site-local and split-DNS FORCES you to let the boundaries of 
> the site follow the boundaries of your security perimeter, or suffer the 
> N*2 problem of having to manage four categories of names rather than two

Well, it's not uncommon that hosts in DNS domains do not always fall into 
what would be one site, thus hosts pointed to by aaa.foo.com, bbb.foo.com 
and ccc.foo.com can be in entirely different administrative and physical 
sites.  This would cause some site-local headaches.

I agree with Keith that the logical conclusion is that whenever a site-local
and global address are returned the only non-ambiguous decision to take is
to prefer the global address.  But that means we lose the nice property of
preferring site-locals intra-site to help maintain long-standing connections
(e.g. NFS) through external renumbering or connectivity events that alter 
global prefixes seen within the site.   

It seems the only way around that is to either use a special unique 
"site-local global" prefix internally (plucked from some method as yet 
undefined, Keith's ideas to date there are "woolly" at best :) or to use a 
parallel/split DNS naming structure internally (be it foo.site or otherwise, 
indeed in my own NATed v4 home network I use .home in the scope of my home 
network for that purpose on Net10, not pretty but it works), or to use only
site-local literals.  Are there other solutions?

There seems no easy answer either way, but the dangers of site-local addresses
leaking or causing problems (the mobility question seems particularly nasty)
means the sane solution surely has to be preference for globals?

> (btw, IMNSHO, the security argument for split DNS is security through 
> obscurity - it only protects you against the stupid bad guys....)

Little different to NAT :)

Tim
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
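The address-selection rule the message argues for (when a name resolves to both a site-local and a global address, prefer the global one) can be made concrete. The following is an added example, not code from the thread or from the IPng working group; it classifies addresses by the RFC 3513 scope prefixes (fe80::/10 link-local, fec0::/10 site-local, everything else routable treated as global), sorts a returned record set under either preference policy, and flags the mixed site-local/global answer that the thread calls ambiguous. The sample AAAA answer is constructed.

```python
"""
Added example (not part of the IPng thread): rank the addresses a DNS
lookup returns by scope, applying the "prefer global over site-local"
rule discussed above, and detect the ambiguous mixed case.
"""
import ipaddress

# RFC 3513 scope prefixes (site-local was later deprecated by RFC 3879).
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")


def scope(addr: str) -> str:
    """Classify one IPv6 address by explicit prefix match.

    Explicit matching is used instead of IPv6Address.is_global because the
    stdlib treats documentation space (2001:db8::/32) as non-global, which
    would misclassify the constructed sample below.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip.is_loopback or ip.is_unspecified:
        return "node-local"
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in SITE_LOCAL:
        return "site-local"
    return "global"


# Lower rank is tried first. The thread's "sane" rule puts global first.
PREFER_GLOBAL = {"global": 0, "site-local": 1, "link-local": 2, "node-local": 3}
# The alternative the thread calls "nice" for intra-site connections, but
# which is only safe if the resolver knows the peer is inside its own site.
PREFER_SITE_LOCAL = {"site-local": 0, "global": 1, "link-local": 2, "node-local": 3}


def order_addresses(addrs, policy=PREFER_GLOBAL):
    """Stable sort: DNS order is preserved among addresses of equal scope."""
    return sorted(addrs, key=lambda a: policy[scope(a)])


def is_ambiguous(addrs):
    """True when an answer mixes site-local and global addresses.

    From the record set alone the resolver cannot tell whether the
    site-local address belongs to its own site or has leaked from another
    one; this is the case where the thread says only "prefer global" is
    non-ambiguous.
    """
    scopes = {scope(a) for a in addrs}
    return "site-local" in scopes and "global" in scopes


# Constructed AAAA answer for a single name (hypothetical host).
SAMPLE_ANSWER = ["fec0::1:a", "2001:db8::1", "fe80::1"]

if __name__ == "__main__":
    print("ambiguous:", is_ambiguous(SAMPLE_ANSWER))
    print("prefer global:    ", order_addresses(SAMPLE_ANSWER))
    print("prefer site-local:", order_addresses(SAMPLE_ANSWER, PREFER_SITE_LOCAL))
```

Run as a script it prints the two orderings side by side; the ambiguity check is the piece a resolver would consult before deciding whether the site-local preference is safe to apply at all.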