In message <[EMAIL PROTECTED]>, Pekka Savola writes:
>On Tue, 26 Nov 2002 [EMAIL PROTECTED] wrote:
>> "nearly unique" is not good enough. You want to be able to
>> register these addresses in the ip6.arpa tree. You don't
>> want to force every site to manually configure the top of
>> their reverse tree into every nameserver in the organisation.
>
>I don't want the administrative pain in the ass of someone managing flat
>ip6.arpa reverses.
>
>No way, no way at all.
>
>Require the DNS server at the edge of the site be authoritative for the
>whole of fec0::/10 or blackhole the queries.
>
>(I don't think too many people would even want to register site-locals in
>the _global_ reverse DNS, queriable by anyone -- remember, they're not to
>be used globally, and reverses in and of themselves are already considered a
>"security hazard" by some.)
>
>Let's not go down the path of putting site-locals anywhere near the global
>ip6.arpa.
Sure -- but to keep the load off the root, we need to be *very* sure
that sites do pretend to be authoritative for them.
Hmm -- people *won't* do that properly. But suppose that whenever a
high-level resolver sees an inverse query for <fec0,site,mumble>, it
synthesizes an NS record with a long TTL saying that that prefix is
served up by <fec0,site,42> or some other well-known number. Better
yet, it can reply with <fec0,site,mumble>. It doesn't stop people from
asking once; it does "encourage" them to look elsewhere on subsequent
queries over the next week...
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
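The synthesised-delegation idea in Steve's reply, written out as an added example (my code, not anything from the thread or from any resolver implementation). It models the two variants he describes: a resolver that sees a reverse query under fec0::/10 answers with a long-TTL NS record delegating the site's reverse zone either to a well-known host in that site or to the queried address itself, and never forwards the query towards the root. Everything concrete here is assumed: the "site" in <fec0,site,mumble> is taken to be a /64, the well-known host is interface-id ::42, the "long TTL" is one week, and the NS target is an in-bailiwick hostname (`ns.<zone>`) with an AAAA glue record, since an NS record must name a host rather than an address.

```python
"""Synthesise a reverse-DNS delegation for ip6.arpa queries under fec0::/10.

Assumptions (mine, not from the mailing-list thread):
  * a "site" is a /64 within fec0::/10;
  * the well-known server is interface-id ::42 inside that /64;
  * the synthesised NS/glue records carry a one-week TTL;
  * the NS target is the in-bailiwick name ns.<zone> plus AAAA glue.
"""
import ipaddress

SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")
ONE_WEEK = 7 * 24 * 3600      # assumed "long TTL"
WELL_KNOWN_IID = 0x42         # the "<fec0,site,42>" host number
HEX = set("0123456789abcdef")


def parse_ip6_arpa(qname):
    """Return (IPv6Address, prefix_length) for a name under ip6.arpa, or None.

    Labels are single hex nibbles, least-significant first; nibbles missing
    from the low end of the address are treated as zero."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] != ["ip6", "arpa"]:
        return None
    nibbles = labels[:-2]
    if not 1 <= len(nibbles) <= 32:
        return None
    if not all(len(n) == 1 and n in HEX for n in nibbles):
        return None
    hexstr = "".join(reversed(nibbles)).ljust(32, "0")
    return ipaddress.IPv6Address(int(hexstr, 16)), 4 * len(nibbles)


def ip6_arpa_name(network):
    """ip6.arpa owner name for a nibble-aligned IPv6 network (e.g. a /64)."""
    nibbles = network.prefixlen // 4
    hexstr = "%032x" % int(network.network_address)
    return ".".join(reversed(hexstr[:nibbles])) + ".ip6.arpa."


def synthesize_delegation(qname, site_prefix_len=64, answer_with_queried=False):
    """Decide how a resolver should answer a reverse query.

    Returns None when the query is not site-local (or is too short to name a
    site), meaning: resolve it normally.  Otherwise returns the synthesised
    NS record for the site's reverse zone plus its AAAA glue, pointing at the
    well-known host (default) or at the queried address itself."""
    parsed = parse_ip6_arpa(qname)
    if parsed is None:
        return None
    addr, plen = parsed
    if addr not in SITE_LOCAL or plen < site_prefix_len:
        return None
    site = ipaddress.IPv6Network((int(addr), site_prefix_len), strict=False)
    zone = ip6_arpa_name(site)
    if answer_with_queried:
        ns_addr = addr
    else:
        ns_addr = ipaddress.IPv6Address(int(site.network_address) + WELL_KNOWN_IID)
    ns_name = "ns." + zone
    return {
        "zone": zone,
        "ttl": ONE_WEEK,
        "ns": (zone, "NS", ns_name),          # (owner, type, rdata)
        "glue": (ns_name, "AAAA", str(ns_addr)),
    }


if __name__ == "__main__":
    # Constructed sample queries: the PTR name for fec0::1 and for 2001:db8::1.
    site_local_q = "1." + "0." * 28 + "c.e.f.ip6.arpa."
    global_q = "1." + "0." * 23 + "8.b.d.0.1.0.0.2.ip6.arpa."
    print(synthesize_delegation(site_local_q))
    print(synthesize_delegation(global_q))
```

The `plen < site_prefix_len` check covers a query for just `c.e.f.ip6.arpa` (the /12): there is no site to delegate to yet, so the resolver falls through to normal handling rather than inventing a zone; whether to blackhole such queries outright, as Pekka suggests, is a policy choice layered on top of this.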