> I do not believe it is either necessary or appropriate to have DNS
> provide only addresses that are reachable by the party making the query.

The question in my mind is whether it is appropriate to put addresses that are by design not globally reachable in the DNS.

> Nor should DNS be used as a mechanism for trying to communicate policy.
> It is not reasonable to assume that the party making the query is the
> one that will be using the results of that query. Nor is DNS capable of
> keeping track of who can talk to whom. And for that matter,
> applications expect consistent behavior from DNS.
>
> The results of DNS queries should be consistent everywhere.

I agree with that sentence.

> If DNS
> returns addresses for a service that are not reachable, then the client
> will find that out when it is unable to reach that service (hopefully
> via an ICMP "prohibited" response rather than via a timeout).

The now expired draft-ietf-dnsop-dontpublish-unreachable-03.txt recommends against this. Intentionally putting IP addresses that are not globally reachable in the DNS means that there will be delays due to timeouts, since there isn't an ICMP "prohibited" that makes TCP immediately give up. Sure, we could define one and think about the security issues.

But worse, the interaction between MX and A* records can cause more spectacular failures. Assume an MX for *.example.com which points at mail.example.com. The AAAA for mail.example.com has both global and GUPI addresses. Works so far, perhaps with timeouts. But when server.example.com has an AAAA that is just GUPI, then mail delivery to [EMAIL PROTECTED] will fail when the GUPI is not reachable, right?

   Erik

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
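The MX/AAAA failure mode Erik describes, worked through as an added simulation (not code from the thread or from any IETF draft): a wildcard MX for *.example.com, a mail host with one global and one not-globally-reachable address, and server.example.com with only the latter. The zone data, the fd00::/8 stand-in for the GUPI range, and the 60-second per-attempt timeout cost are assumptions made for the example.

```python
import ipaddress

# Constructed zone data modelling the scenario in the message. fd00::/8 stands in
# for the GUPI (not globally reachable) range; the message gives no prefixes.
ZONE = {
    "*.example.com.": {"MX": [(10, "mail.example.com.")]},
    "mail.example.com.": {"AAAA": ["fd00:1::25", "2001:db8::25"]},
    "server.example.com.": {"AAAA": ["fd00:1::80"]},
}
NOT_GLOBAL = ipaddress.ip_network("fd00::/8")
TIMEOUT_SECONDS = 60  # assumed cost of a connect attempt that gets no ICMP answer


def lookup(name, rrtype):
    """Return the RRset for name/rrtype. A wildcard only applies when the
    queried name has no records of any type (RFC 1034 section 4.3.3), so
    server.example.com, which has an AAAA, never matches *.example.com."""
    if name in ZONE:
        return ZONE[name].get(rrtype, [])
    parent = name.split(".", 1)[1]
    return ZONE.get("*." + parent, {}).get(rrtype, [])


def mail_hosts(domain):
    """SMTP next-hop selection: MX targets by preference, or the domain itself
    when it has an address record but no MX (the implicit MX rule)."""
    mx = lookup(domain, "MX")
    if mx:
        return [host for _, host in sorted(mx)]
    return [domain] if lookup(domain, "AAAA") else []


def deliver(domain, icmp_prohibited=False):
    """Simulate a sending MTA walking candidate hosts and their addresses.
    Returns (delivered, host_or_None, address_or_None, seconds_spent)."""
    spent = 0
    for host in mail_hosts(domain):
        for addr in lookup(host, "AAAA"):
            if ipaddress.ip_address(addr) not in NOT_GLOBAL:
                return True, host, addr, spent
            # Unreachable by design: the MTA fails fast only if the network
            # answers with an ICMP "prohibited"; otherwise it waits out a timeout.
            if not icmp_prohibited:
                spent += TIMEOUT_SECONDS
    return False, None, None, spent
```

Mail for a name under the wildcard gets through (after a timeout unless an ICMP "prohibited" arrives), while mail for server.example.com never reaches an MX at all and fails once its only address proves unreachable.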
