On Thu, 23 Jan 2003 20:09:41 +0100 (CET) Erik Nordmark <[EMAIL PROTECTED]> wrote:
> > > But when server.example.com has AAAA that is just GUPI then mail
> > > delivery to [EMAIL PROTECTED] will fail when the GUPI is not
> > > reachable, right?
> >
> > Yes it will.  But not because you listed a GUPI in the DNS, but
> > because you failed to provide and advertise a server that was
> > reachable by somebody who wanted to send you mail.
>
> GUPI addresses in the DNS definitely add more ways for folks to
> produce bad configurations.
> And if we want to have GUPI instead of site-local this might be a
> common configuration in conjunction with MX records.
> And I wouldn't be surprised if this type of interaction is limited to
> MX records.  Anything which looks at multiple records in the DNS is
> potentially at risk.

What does multiple records have to do with it?  For that matter, what
does DNS have to do with it?  The issue is that host A wants to contact
host B and cannot do so.  Does it really matter much whether the reason
is that host A cannot look up B's DNS record, or that host A gets a
timeout, or that host A gets an ICMP "prohibited" message when trying
to reach host B?

(Yes, it does matter, but the differences are subtle.  If A can't look
up B's name in the DNS then A will be inclined to believe that B does
not exist.  If A times out when trying to contact B then A will be
inclined to believe that there is a network outage.  The only thing we
currently have that comes close to giving a correct indication is ICMP.)

And this issue isn't even specific to GUPIs - it exists for any address
for which policy dictates cannot exchange packets with arbitrary hosts
on the Internet.  This is and will continue to be a very common
occurrence.  And in some sense, the decision to not connect to the
public Internet and connect only via private agreement to other
networks (and therefore to use GUPIs rather than aggregatable addresses)
is a policy decision.

Of course if an enterprise doesn't want to advertise all of its DNS
zones to the outside world that's its own business.  But we shouldn't
get hung up on trying to make the set of information that DNS can
return to a particular host closely reflect the set of services that
the host can reach.  It's not terribly useful, and it's misleading.

> > It certainly makes sense to me to say "avoid using or advertising
> > GUPIs when you have globals".
>
> But by example can easily follow that advice and the problem remain.
> mail.example.com can have a AAAA with just a global.
> But server.example.com only has a GUPI assigned because it is
> a host internal to the site that doesn't use external connectivity.
> The AAAA with a GUPI for server.example.com takes precedence over the
> MX.

Huh?  If there's an MX and an address record for the same domain, the
MX always takes precedence over the address record.

--
I tried enlightenment but it kept crashing.

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
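The target-selection rule stated in the reply (an MX always takes precedence over an address record for the same domain; only a domain with no MX is delivered to via its own address records) and the failure mode the thread is about (a host whose only AAAA is a GUPI that an outside sender cannot reach, and the cost of a timeout when a name carries several addresses) are shown below in a small Python model. This is an added example, not part of the original thread. The zone contents, the use of fc00::/7 as a stand-in for GUPI space, and the reachability model (a connection from outside the site to a GUPI address is silently dropped and times out) are constructed assumptions, not anything the message states.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed zone data, not a real DNS lookup. MX data is (preference, exchange host).
# Assumption: fc00::/7 stands in for the GUPI address space discussed in the thread.
ZONE: Dict[str, Dict[str, list]] = {
    "example.com":        {"MX": [(20, "backup.example.com"), (10, "mail.example.com")],
                           "AAAA": ["fc00:db8::1"]},   # ignored for mail: the MX wins
    "mail.example.com":   {"AAAA": ["2001:db8:1::25"]},
    "backup.example.com": {"AAAA": ["2001:db8:1::26"]},
    "server.example.com": {"AAAA": ["fc00:db8::25"]},   # internal host: GUPI only, no MX
    "dual.example.com":   {"AAAA": ["fc00:db8::26", "2001:db8:1::27"]},
}

PRIVATE = ip_network("fc00::/7")   # assumption: unreachable from outside the site


@dataclass
class Attempt:
    host: str
    address: Optional[str]
    result: str   # "nxdomain", "no-address", "timeout" or "connected"


def lookup(name: str, rtype: str) -> Optional[list]:
    """Records of type rtype for name; [] if the name exists without that type,
    None if the name does not exist at all (NXDOMAIN)."""
    rrset = ZONE.get(name)
    if rrset is None:
        return None
    return list(rrset.get(rtype, []))


def mail_targets(domain: str) -> Optional[List[str]]:
    """Mail exchangers for domain in preference order. MX records take
    precedence over any address record; only when the domain has no MX at all
    is the domain itself used as the (implicit) exchanger."""
    mx = lookup(domain, "MX")
    if mx is None:
        return None
    if mx:
        return [host for _, host in sorted(mx)]
    return [domain]


def try_connect(address: str, sender_inside_site: bool) -> str:
    """Reachability model (assumption): packets from outside the site to a
    GUPI address are dropped silently, so the sender sees a timeout."""
    if ip_address(address) in PRIVATE and not sender_inside_site:
        return "timeout"
    return "connected"


def deliver(rcpt: str, sender_inside_site: bool = False) -> Tuple[Optional[str], List[Attempt]]:
    """Walk exchangers and their addresses in order; return the address that
    accepted the connection (or None) plus every attempt made on the way."""
    domain = rcpt.rsplit("@", 1)[1]
    attempts: List[Attempt] = []
    targets = mail_targets(domain)
    if targets is None:
        attempts.append(Attempt(domain, None, "nxdomain"))
        return None, attempts
    for host in targets:
        addrs = lookup(host, "AAAA")
        if not addrs:
            attempts.append(Attempt(host, None, "nxdomain" if addrs is None else "no-address"))
            continue
        for a in addrs:
            result = try_connect(a, sender_inside_site)
            attempts.append(Attempt(host, a, result))
            if result == "connected":
                return a, attempts
    return None, attempts


if __name__ == "__main__":
    for rcpt in ("joe@example.com", "joe@server.example.com", "joe@dual.example.com"):
        delivered, log = deliver(rcpt)
        print(rcpt, "->", delivered, [(x.host, x.address, x.result) for x in log])
```

Note what the model shows for each name: example.com's own GUPI AAAA is never tried because the MX set is consulted first; server.example.com (no MX, GUPI-only) fails with a timeout for an outside sender but succeeds for one inside the site; dual.example.com is eventually delivered to, but only after the sender has paid for a timeout on the GUPI listed ahead of the global address, which is the "multiple records" cost the quoted text worries about.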
