IPv6 and DNS

Karl Auer kauer at biplane.com.au
Mon Jun 13 08:03:30 UTC 2011


On Mon, 2011-06-13 at 11:16 +1000, Matthew Palmer wrote:
> Why were you letting such ill-configured clients register themselves in your
> DNS?

Some environments have a lot of control over individual hosts, and
perhaps for such an environment, allowing hosts to register themselves
would not be a problem. In our environment, we had little control over
individual hosts, so centralising their registration through DHCP
servers was a much more effective way to do things, for all the reasons
I gave.
 
> > And then there were the clients. [...]
> Ibid.

Matthew, did you read my message? This was the *point*.

We had lots of poorly configured hosts, over which we could exercise
little control. Faced with that situation, and seeing how poorly the
hosts performed when allowed to (attempt to) register themselves in the
DNS, we decided instead to allow DDNS only from our DHCP servers.

That worked very well for us - especially as the vast majority of the
hosts connected to our network didn't really need DNS names anyway. When
a poorly configured host that did need a name failed to register itself,
the owner/administrator of that host would eventually come to us, so the
problem was sort of self-correcting.

> But if I come to roadwarrior in your network, I'd have to allow updates from
> your DHCP server, and your DHCP server would have to be sending those
> updates.  Similarly, if your clients go roadwarrioring elsewhere, the same
> (or, rather, inverse) configuration would have to be done there.

Yes, that would be true for any roadwarrior needing/wanting a DNS entry.
But in our environment, we didn't have roadwarriors (at least none that
needed DNS entries), so it wasn't a problem. If faced with that (and
depending on the scale of the problem) I'd probably set up some sort of
TSIG key distribution system and let the roadwarriors self-register...
dunno. Not a problem I've personally had to solve.

> If you've just got a single-location, never-goes-anywhere network and client
> list, sure you can just get the DHCP server to do the registration.  But if
> you've got that setup, DDNS isn't needed at all -- your set of hosts,
> addresses, and names is fixed sufficiently that you can just statically
> allocate everything.

Noooooo! Statically allocating everything in a network where there are
200-1000 DHCP and DNS-related changes every day? No way!

While we had a negligible number of "road warriors" - people outside
their enterprise networks getting address service from us or our people
outside our enterprise network getting address service from others - we
had PLENTY of churn inside our enterprise. People moving laptops from
subnet to subnet, or moving labs or departments or other groupings
around. There were still huge benefits to be had from an automated
system.

DHCP with DDNS is a great system. Of course it has limitations; I just
wanted to point out its strengths.

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/                   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
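The "DDNS only from our DHCP servers" arrangement Karl describes, as an added configuration example that is not part of the original thread: a BIND named.conf fragment that accepts zone updates only when signed with the DHCP server's TSIG key, and the matching ISC dhcpd.conf fragment that signs them. The zone example.net, the reverse zone 2.0.192.in-addr.arpa, the server address 192.0.2.53, the key name dhcp-update and the secret placeholder are all assumptions.

```conf
# --- named.conf (authoritative BIND server) ---
# Only the DHCP server holds the TSIG key the zone accepts, so a host that
# tries to register itself directly is refused by named (and logged).
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   # placeholder; generate with tsig-keygen
};

zone "example.net" {
    type master;
    file "dynamic/example.net.db";
    allow-update { key "dhcp-update"; };   # key-based, not address-based: source IPs can be spoofed
};

zone "2.0.192.in-addr.arpa" {
    type master;
    file "dynamic/2.0.192.in-addr.arpa.db";
    allow-update { key "dhcp-update"; };
};

# --- dhcpd.conf (ISC DHCP server) ---
# The DHCP server signs every A/PTR update with the shared key; clients never
# see the key, so the lease database is the single source of DNS registrations.
ddns-update-style interim;
ddns-updates on;
ignore client-updates;     # do not honour a client's request to update its own A record

key dhcp-update {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   # same placeholder as in named.conf
};

zone example.net. {
    primary 192.0.2.53;    # assumed address of the BIND server configured above
    key dhcp-update;
}

zone 2.0.192.in-addr.arpa. {
    primary 192.0.2.53;
    key dhcp-update;
}
```

A client that sends an unsigned nsupdate against example.net gets REFUSED, which is the behaviour the thread relies on when it says only the DHCP servers register names.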