In message <[EMAIL PROTECTED]>, Pekka Savola 
writes:
>On Tue, 26 Nov 2002 [EMAIL PROTECTED] wrote:
>>      "nearly unique" is not good enough.  You want to be able to
>>      register these addresses in the ip6.arpa tree.  You don't
>>      want to force every site to manually configure the top of
>>      their reverse tree into every nameserver in the organisation.
>
>I don't want the administrative pain in the ass of someone managing flat 
>ip6.arpa reverses.
>
>No way, no way at all.
>
>Require the DNS server at the edge of the site be authoritative for the 
>whole of fec0::/10 or blackhole the queries.
>
>(I don't think too many people would even want to register site-locals in
>the _global_ reverse DNS, queriable by anyone -- remember, they're not to
>be used globally, and reverses in and of itself are already considered a
>"security hazard" by some.)
>
>Let's not go down the path of putting site-locals anywhere near the global
>ip6.arpa.

Sure -- but to keep the load off the root, we need to be *very* sure 
that sites do pretend to be authoritative for them.

Hmm -- people *won't* do that properly.  But suppose that whenever a 
high-level resolver sees an inverse query for <fec0,site,mumble>, it 
synthesizes an NS record with a long TTL saying that that prefix is 
served up by <fec0,site,42> or some other well-known number.  Better 
yet, it can reply with <fec0,site,mumble>.  It doesn't stop people from 
asking once; it does "encourage" them to look elsewhere on subsequent 
queries over the next week...

                --Steve Bellovin, http://www.research.att.com/~smb (me)
                http://www.wilyhacker.com ("Firewalls" book)
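The two mechanisms argued over above (an edge server that is authoritative for all of fec0::/10 or blackholes the queries, and Bellovin's synthesized long-TTL NS referral) can both be sketched as resolver policy. This is an added example written for this page, not code from the thread or from any IETF implementation. It assumes the NS target hostname `ns.site-local.example`, the one-week TTL, and the `zones_held` dictionary as a stand-in for real zone configuration; none of those values come from the messages. It also shows a detail the thread only implies: because ip6.arpa delegates per nibble, "authoritative for the whole of fec0::/10" means holding four /12 reverse zones (c.e.f, d.e.f, e.e.f and f.e.f under ip6.arpa).

```python
import ipaddress

# Site-local prefix under discussion in the thread.
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")


def reverse_name(addr: str) -> str:
    """ip6.arpa name for a full IPv6 address: 32 nibbles, least significant first."""
    return ipaddress.IPv6Address(addr).reverse_pointer


def reverse_zones(network: ipaddress.IPv6Network) -> list:
    """ip6.arpa zone apexes that together cover `network`.

    ip6.arpa delegates per nibble (4 bits), so a prefix whose length is not a
    multiple of 4 spans several zones.  fec0::/10 needs three nibbles (12 bits)
    to describe, i.e. the four /12s fec0, fed0, fee0 and fef0.
    """
    nibbles = -(-network.prefixlen // 4)          # ceil(prefixlen / 4)
    aligned = 4 * nibbles
    subnets = [network] if aligned == network.prefixlen else network.subnets(new_prefix=aligned)
    zones = []
    for sub in subnets:
        labels = sub.network_address.reverse_pointer.split(".")
        zones.append(".".join(labels[32 - nibbles:]))  # top nibbles + "ip6.arpa"
    return zones


SITE_LOCAL_ZONES = reverse_zones(SITE_LOCAL)


def in_zone(qname: str, zone: str) -> bool:
    """Label-aware test: is `qname` at or below `zone`?"""
    q = qname.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    return len(q) >= len(z) and q[-len(z):] == z


def site_local_zone_for(qname: str):
    """The fec0::/10 reverse zone a query falls into, or None if it is not site-local."""
    for zone in SITE_LOCAL_ZONES:
        if in_zone(qname, zone):
            return zone
    return None


def edge_policy(qname: str, zones_held: dict) -> tuple:
    """Edge-resolver handling of one reverse query (the rule Pekka proposes).

    zones_held maps zone apex -> True when this server is configured with that
    zone's data (a constructed stand-in for real zone configuration).
    Returns ("forward", None) for names outside fec0::/10, ("answer-locally", zone)
    when we hold the zone, or ("blackhole", None) so the query never leaves the site.
    """
    zone = site_local_zone_for(qname)
    if zone is None:
        return ("forward", None)
    if zones_held.get(zone):
        return ("answer-locally", zone)
    return ("blackhole", None)


ONE_WEEK = 7 * 24 * 3600  # assumed "long TTL"; the thread only says "the next week"


def synthesize_referral(qname: str, ns_target: str = "ns.site-local.example", ttl: int = ONE_WEEK):
    """Bellovin's variant: a higher-level resolver answers a stray site-local
    reverse query with a long-TTL NS record pointing back into the site, so the
    querier caches the referral and stops asking upstream.  ns_target and the
    TTL are assumed values, not taken from the thread."""
    zone = site_local_zone_for(qname)
    if zone is None:
        return None
    return {"name": zone, "type": "NS", "ttl": ttl, "target": ns_target}


if __name__ == "__main__":
    print(SITE_LOCAL_ZONES)
    q = reverse_name("fec0::1")
    print(q, edge_policy(q, {"c.e.f.ip6.arpa": True}))
    print(edge_policy(reverse_name("fed0::1"), {"c.e.f.ip6.arpa": True}))
    print(synthesize_referral(q))
```

The label-wise `in_zone` check matters: a naive string suffix test would let a query for `e.f.ip6.arpa` (the enclosing /8, which the site does not own) or any unrelated name that merely ends in the same characters slip through the policy.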


--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
