Regarding reverse DNS entries ... there is a specific problem with reverse DNS entries for autoconfiguration addresses regarding update of the reverse entries by the client.
The portion of the DNS namespace into which the host wants to insert its reverse DNS entry is owned by the network to which the host is attached. There is no requirement for any administrative or trust relationship between the host and the network to which it is attached, so performing
The problem here is that administrative responsibility for
an autoconfiguration address ('ownership') is split: the
network admin owns the prefix and the host owns the suffix.
But the network admin owns the DNS namespace to which the
prefix belongs and must make an admin decision about whether
to allow updates from a host with which it has no
administrative or trust relationship.
There are solutions - disallow reverse DNS updates for autoconfiguration addresses, let the DNS server that maintains the prefix allow untrusted updates in the namespace for that prefix, require some DNSSEC trust mechanism that supports roaming.
- Ralph
At 09:07 AM 6/19/2003 -0700, Alain Durand wrote:
On Thursday, June 19, 2003, at 03:56 AM, Robert Elz wrote:
It is generally harmless to own an extra address though, having the statelessly configured one, as well as a dhcp supplied one should not cause any harm.
Not sure. Two reasons:
- There may be filters in place, for example that only
allow DHCP assigned addresses to go out.
(this is not pure fantasy, I've heard people willing to do just that in hot spots).
- There are reverse DNS issues. They may point to 2 different names or
more likely, the stateless autoconfigured address won't resolve to
a name, where the DHCP one will. As default address selection does
not (yet?) say to prefer the DHCP one, logs and/or (very) weak security/authentication
mechanisms based on DNS reverse lookup will work randomly.
- Alain.
-------------------------------------------------------------------- IETF IPng Working Group Mailing List IPng Home Page: http://playground.sun.com/ipng FTP archive: ftp://playground.sun.com/pub/ipng Direct all administrative requests to [EMAIL PROTECTED] --------------------------------------------------------------------
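Added example, not part of the original thread: a sketch of the ownership split described above, showing which labels of an autoconfigured address's ip6.arpa name come from the host's suffix and which zone belongs to the network, plus the three update policies listed in the message. The prefix and address are constructed documentation values, and the policy names and the `authenticated` flag (standing in for a successful DNSSEC-style check) are hypothetical.

```python
import ipaddress

# Hypothetical names for the three options listed in the message.
POLICIES = ("deny", "allow-untrusted", "require-dnssec")


def split_reverse_name(addr: str, prefix: str):
    """Split addr's ip6.arpa PTR name into (host_labels, network_zone).

    host_labels  -> nibbles chosen by the host (the suffix / interface ID)
    network_zone -> reverse zone delegated for the network's prefix
    """
    ip = ipaddress.IPv6Address(addr)
    net = ipaddress.IPv6Network(prefix)
    if ip not in net:
        raise ValueError(f"{ip} is not inside {net}")
    if net.prefixlen % 4:
        raise ValueError("zone cut must fall on a nibble boundary")
    labels = ip.reverse_pointer.split(".")      # 32 nibbles + ip6 + arpa
    host_nibbles = (128 - net.prefixlen) // 4   # labels the host controls
    return ".".join(labels[:host_nibbles]), ".".join(labels[host_nibbles:])


def ptr_update_allowed(addr: str, prefix: str, policy: str,
                       authenticated: bool = False) -> bool:
    """Decide whether the prefix's DNS server accepts a PTR update."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    split_reverse_name(addr, prefix)            # rejects names outside the zone
    if policy == "deny":
        return False                            # no host-driven PTR updates
    if policy == "allow-untrusted":
        return True                             # any host on the link may update
    return authenticated                        # require-dnssec: need proof


if __name__ == "__main__":
    # Constructed sample: documentation prefix, EUI-64 style interface ID.
    PREFIX = "2001:db8:1:2::/64"
    ADDR = "2001:db8:1:2:211:22ff:fe33:4455"
    host, zone = split_reverse_name(ADDR, PREFIX)
    print("host-owned labels :", host)
    print("network-owned zone:", zone)
    for p in POLICIES:
        print(p, "->", ptr_update_allowed(ADDR, PREFIX, p))
```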
