> > "nearly unique" is not good enough. You want to be able to
> > register these addresses in the ip6.arpa tree.
>
> Do you? How does this fit with the concept that unreachable
> addresses should not be included in the DNS?
Well an entry in the ip6.arpa tree is *not* an *address*.
As for the forward entries the important thing is not to
publish ambiguous addresses. It really does not matter if
you publish unreachable addresses especially if you have
sorting rules which allow you to have a better than 50/50
chance (with two addresses) of making a connection the first
time. This requires that the local resolver has some sorting
rules which are required by RFC 103[45].
e.g.
local sites first, then globals, then other sites.
"Local sites first" defaults to the sites the machine is in but
may be expanded to known locally connected sites.
> As soon as we have any sort of private addressing (VPNs, firewalls
> or any type of site-local addressing, I think we're stuck with some
> sort of split DNS that includes local addresses in local name lookups,
> but not in global ones, right?
No. You are stuck with split DNS if you have ambiguous addresses.
You might have connection delays if you don't have good local
policy to choose the right address but unless the application
is broken you will get a connection.
> Is the reverse look-up tree an exception to this? I suppose it would
> have to be, if you want people from outside the site to be able to
> identify the source of a leaked address... But, it's not clear how
> this would work with mostly-unique addresses.
It won't work with mostly-unique addresses and the addresses
will leak and we will have to set up sacrificial servers to
save the ip6.arpa servers like we currently have sacrificial
servers to save the in-addr.arpa servers.
> > What does work is having truly unique addresses and delegating
> > the reverse servers.
>
> Yes. Truly unique addresses are better for including in the reverse
> DNS, even if they aren't routed globally. They also have the advantage
> that if there is an overlap that is causing problems, it is possible
> to find out what organization is actually registered to use that prefix.
>
> But, are these (fairly minor) benefits worth the cost of requiring a
> registry, etc?
Yes. Look at the current costs of supporting the sacrificial
servers for RFC 1918 addresses. These servers get more queries
per second than the root servers. Do we want to have to run
sacrificial servers forever?
Also you don't force an organization to do its DNS in-house. It
can out-source its DNS maintenance if it wants to if you have
truly unique addresses. Given the level of competence I see
with the DNS today out-sourcing is a good thing.
Mark
> Margaret
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
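The sorting policy Mark describes ("local sites first, then globals, then other sites") is what lets a resolver publish every address of a host, reachable or not, and still connect on the first try most of the time. The following is an added illustration written for this archive, not code from the original message or from the ISC; it assumes a hypothetical local site prefix (`fec0:0:0:1::/64`, using the old site-local range fec0::/10) and constructed sample addresses in 2001:db8::/32, which it treats as global for the purpose of the demonstration. The classification is done explicitly rather than via the library's scope flags so the result does not depend on the Python version.

```python
import ipaddress
from typing import Callable, Iterable, List, Optional, Tuple

# Scope ranges used for classification (constructed for this example).
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")   # old site-local scope
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")   # never reachable off-link
ULA = ipaddress.IPv6Network("fc00::/7")           # unique local, also site-scoped in practice

# Hypothetical: the site prefix(es) this host is directly connected to.
# "Local sites first" defaults to these; an admin may extend the list.
LOCAL_SITE_PREFIXES: List[ipaddress.IPv6Network] = [
    ipaddress.IPv6Network("fec0:0:0:1::/64"),
]


def rank(addr: str, local_sites: Iterable[ipaddress.IPv6Network]) -> int:
    """Return a sort rank for a destination address; lower is tried first.

    0: inside a locally connected site  (reachable, try first)
    1: global scope                     (reachable if the host is on the net)
    2: some other site's site-scoped address (probably unreachable from here)
    3: link-local                        (unreachable unless we are on-link)
    """
    a = ipaddress.IPv6Address(addr)
    if any(a in net for net in local_sites):
        return 0
    if a in LINK_LOCAL:
        return 3
    if a in SITE_LOCAL or a in ULA:
        return 2
    return 1


def sort_destinations(addrs: Iterable[str],
                      local_sites: Iterable[ipaddress.IPv6Network] = LOCAL_SITE_PREFIXES) -> List[str]:
    """Order the published addresses of a name according to the local policy.

    Ties inside a rank are broken by numeric address so the result is stable.
    """
    sites = list(local_sites)
    return sorted(addrs, key=lambda s: (rank(s, sites), ipaddress.IPv6Address(s)))


def connect_first_reachable(ordered: Iterable[str],
                            reachable: Callable[[str], bool]) -> Tuple[Optional[str], int]:
    """Walk the candidate list the way a non-broken application does.

    Returns (address that worked, number of attempts); (None, n) if all failed.
    `reachable` stands in for the connect() call.
    """
    attempts = 0
    for addr in ordered:
        attempts += 1
        if reachable(addr):
            return addr, attempts
    return None, attempts


# Constructed sample: a host that publishes a global address, its own
# site-local address, and a site-local address from an unrelated site.
PUBLISHED = ["fec0:0:0:9::10", "2001:db8:1::10", "fec0:0:0:1::10"]


def _simulated_reachable(addr: str) -> bool:
    # Constructed reachability: the other site's fec0:0:0:9::/64 is not routed to us.
    return ipaddress.IPv6Address(addr) not in ipaddress.IPv6Network("fec0:0:0:9::/64")


def demo() -> Tuple[int, int]:
    """Attempts needed with the sorting policy vs. in the order the DNS returned."""
    _, with_policy = connect_first_reachable(sort_destinations(PUBLISHED), _simulated_reachable)
    _, without_policy = connect_first_reachable(PUBLISHED, _simulated_reachable)
    return with_policy, without_policy


if __name__ == "__main__":
    print(sort_destinations(PUBLISHED))
    print("attempts with policy / without:", demo())
```

With the policy the local site address is tried first and the connection succeeds on the first attempt; in the raw DNS order the unreachable foreign site-local address is tried first and the application only connects on its second attempt. Either way it connects, which is the point of the message: publishing unreachable addresses costs delay, not correctness, as long as the application iterates over all returned addresses.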