Keith Moore wrote:
>
> > As far as I can see, the safe way to do "two-faced" DNS with site
> > locals is
>
> there is no safe way to do DNS with site locals, because the DNS server
> has no idea who is actually going to use the results of the query.
> it's not reasonable to assume that the results will be used by the
> host immediately making that query.

Let me add the obvious clarification that this is only as safe as any other site local mechanism. Like site local addresses themselves, the site-local namespace has to be protected against leakage. Again, with multi-homed hosts the problem can be placed squarely in the hands of the application and the user.

In a situation where we have some hosts within the "site" using only globals and some hosts using only site locals it becomes much hairier, as we remove the ability for applications to treat global and site local operation as independent.

I may be out of step here, but I consider site-locals (and site-local naming) an orthogonal addressing (and naming) scheme to global addresses for sites that don't have 'reliable' global address stability (read 'dial-up' or 'mobile' networks with changing global prefixes that may or may not exist).

And thus why I think the deployment issues ultimately boil down to:

(1) filters on routers
(2) address selection on hosts

I realise #2 is not necessarily trivial.

-- 
Andrew White
[EMAIL PROTECTED]

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
