Harald,

> Harald Tveit Alvestrand wrote:
> [Dual-headed DNS]
> That is well known.
> It's also a pain to configure,

No argument here; and still lots of people are doing it.

> My question to you is whether:
> - the use of site-local FORCES you to use split DNS, even
>   if you otherwise don't need to

Not at all:

- If the host has a site-local only address (which I recommend, although this is not consensual), all that is needed is the existing one-headed DNS, no change.
- If the host has both a site-local and a global address, this issue has nothing to do with site-locals and everything to do with multihoming / multiaddressing the host. In other words, the need for dual-headed DNS and the issues pertaining to source and destination address selection would be the same if the host had two global addresses instead of a site-local and a global. This is a network design issue.

> - the use of site-local and split-DNS FORCES you to let the
>   boundaries of the site follow the boundaries of your security
>   perimeter, or suffer the N*2 problem of having to manage four
>   categories of names rather than two

Probably. It appears though that postings by different people seem to converge on the idea that the boundaries of the site (as in site-local) match the administrative boundaries of the organization. There is an issue with semantics but not with the concept itself.

> (btw, IMNSHO, the security argument for split DNS is security
> through obscurity - it only protects you against the stupid
> bad guys....)

True enough, although it is better to protect against the stupid bad guys than not to; and the wide spread of IPv4 dual-headed DNS today that has nothing to do with site-locals is likely a good prediction of the spread of IPv6 dual-headed DNS for the same reason. This is the same issue with site-locals themselves: a little reality check shows that they will be used no matter what.

Which brings me to the point I was trying to make in the first place: people who will use site-locals for the "security-by-not-routable-addresses" will already have dual-headed DNS for the "security-by-obscurity", no extra work here.

Michel.

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
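The two cases distinguished in the reply (a site-local-only host that needs only one DNS head, versus a dual-addressed host that drags in both a second view and the destination address selection problem) can be made concrete with a toy split-horizon resolver. This is an added, constructed example, not code from the list thread or from any IETF specification: the zone names and records are made up, `fec0::/10` is the site-local prefix current at the time of the thread and `2001:db8::/32` is the documentation prefix, the view is chosen purely by the querying client's source address, and `prefer_destination` uses a simplified scope-match rule in place of the full default address selection rules.

```python
"""Toy split-horizon ("dual-headed") DNS view selector.

Added example, not part of the IPng list thread above. Names, prefixes and
records are constructed: fec0::/10 is the site-local prefix in force when the
thread was written, 2001:db8::/32 is the IPv6 documentation prefix.
"""
import ipaddress
from typing import Dict, List, Optional

# Assumption (matching the thread's convergence): the "site" boundary is the
# set of site-local prefixes, so a client inside fec0::/10 is inside the site.
SITE_PREFIXES = [ipaddress.ip_network("fec0::/10")]

# One zone, two heads. Each name carries the AAAA set served in each view.
# An empty external set is the "security-by-obscurity" case: the name simply
# does not exist for clients outside the site.
ZONE: Dict[str, Dict[str, List[str]]] = {
    # Host with a site-local address only: lives in the internal view alone,
    # so the existing single-headed zone data is all it needs.
    "intranet.example.net.": {"internal": ["fec0::1"], "external": []},
    # Host with both a site-local and a global address: present in both
    # views, the internal view listing both addresses.
    "www.example.net.": {
        "internal": ["fec0::2", "2001:db8::2"],
        "external": ["2001:db8::2"],
    },
}


def in_site(ip: ipaddress.IPv6Address) -> bool:
    """True when the address falls inside one of the site prefixes."""
    return any(ip in net for net in SITE_PREFIXES)


def select_view(client_ip: str) -> str:
    """Pick the DNS view by the querying client's source address."""
    return "internal" if in_site(ipaddress.ip_address(client_ip)) else "external"


def resolve_aaaa(name: str, client_ip: str) -> List[str]:
    """Answer an AAAA query for `name` as seen from `client_ip`.

    An empty list stands for NXDOMAIN/NODATA: the name is not visible in
    the client's view.
    """
    view = select_view(client_ip)
    return list(ZONE.get(name, {}).get(view, []))


def prefer_destination(client_ip: str, candidates: List[str]) -> Optional[str]:
    """Destination address selection for a dual-addressed answer.

    This is the multihoming/multiaddressing problem the reply points at:
    once a name maps to two addresses, the client must pick one. The rule
    here is a simple scope match (prefer a site-local destination when the
    client itself is site-local, a global one otherwise); it is a stand-in
    for the fuller default address selection rules, not a copy of them.
    """
    if not candidates:
        return None
    want_site = in_site(ipaddress.ip_address(client_ip))
    for cand in candidates:
        if in_site(ipaddress.ip_address(cand)) == want_site:
            return cand
    return candidates[0]  # no scope match; fall back to the first answer


if __name__ == "__main__":
    # Constructed clients: one inside the site, one on the global Internet.
    for client in ("fec0::abcd", "2001:db8::99"):
        for name in ZONE:
            answers = resolve_aaaa(name, client)
            print(f"{client:>14} {name:<24} view={select_view(client):<8} "
                  f"AAAA={answers or 'NXDOMAIN'} "
                  f"pick={prefer_destination(client, answers)}")
```

Running it shows the asymmetry the reply describes: `intranet.example.net.` resolves only from inside the site and is invisible outside, while `www.example.net.` resolves everywhere but an inside client receives two addresses and has to choose; that choice would be exactly the same problem if both addresses were global.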
