[dns-wg] Reverse DNS operational considerations in an IPv6 environment
- Previous message (by thread): [dns-wg] Reverse DNS operational considerations in an IPv6 environment
- Next message (by thread): [dns-wg] Reverse DNS operational considerations in an IPv6 environment
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Jim Reid
jim at rfc1035.com
Wed Jun 16 11:54:43 CEST 2010
On 16 Jun 2010, at 07:56, Kostas Zorbadelos wrote: > Of course IPv6 produces a totally different world in many > things and I guess reverse DNS is one of them. +1 > Although reverse DNS is used as a weak authentication mechanism today > (if it can be characterized like that) it is not the only use. It is > very > convenient to see names instead of ugly IPv6 addresses in log files > for > instance. I tend to agree. Though a cost/benefit analysis tends to suggest this convenience might not be worth the pain. > Now DDNS is another thought. Can you imagine that working however in > an > environment of multi-million mobile and consumer devices powering up > often, > in a secure and scalable way? I find it a challenge, though never say > never :) I imagine all sorts of things and you probably don't want to know what goes on inside my head. Really. :-) You're right to say that provisioning IPv6 PTR records for bazillions of edge devices is "challenging". In some cases it might not be worth the effort. [Would anyone care if the beer cans in my fridge had hostnames or if they got renumbered once I'd drunk them?] I think that was part of the argument that was being made about not bothering with PTRs for IPv6 addresses. Particularly for stuff that had transient or rapidly changing connectivity. >> My personal preference would be to delegate the /80 (or whatever) to >> the end-user/customer and leave them to choose how to provision that >> zone. [Your mileage may vary...] This might work fairly painlessly >> with the tcp-self and 6to4-self hooks to the update-policy{} clause >> in >> BIND 9.7. Though that's still messy. It also relies on well-behaved >> clients which is perhaps unwise. > > The hooks you are referring to in BIND are DDNS stuff? Yes. The tcp-self and 6to4-self hooks allow clients to change the PTR for their own IPv6 address without needing a TSIG or other crypto token. The dynamic updates have to be made over TCP though. > The provider can populate and maintain this space prety much as it > does today. Consider home equipment, PCs with Windows 7 or any other > operating system with similar behaviour, which as we noticed, apart > from the > autoconfiguration address, produce random IPv6 addresses used in > outgoing > connections that change every couple of hours or so. > > Add to all that some DNSSEC sugar ;-) Yes. It's delightful, isn't it? The plug and play semantics of IPv6 pretty much force us down the road of DDNS for forward and reverse lookups if name<->address mappings matter. That in turn makes DNSSEC "interesting".
- Previous message (by thread): [dns-wg] Reverse DNS operational considerations in an IPv6 environment
- Next message (by thread): [dns-wg] Reverse DNS operational considerations in an IPv6 environment
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]