fixing insecure email infrastructure (was: Re: [eweek article]

Mark Andrews Mark_Andrews at isc.org
Fri Jan 14 12:05:57 UTC 2005


> That's bad sincd DNAME is deprecated and has been removed from BIND.
> 
> Owen

	Really?  Thats news to me. 

	RFC 2672, Non-Terminal DNS Name Redirection, is still
	a proposed standard <http://www.ietf.org/iesg/1rfc_index.txt>.

	If you are thinking about RFC 3363, Representing Internet
	Protocol version 6 (IPv6) Addresses in the Domain Name
	System (DNS).  It does NOT deprecate DNAME.  There is no
	UPDATES RFC 2672 at the top.  I was well aware that it
	didn't deprecate DNAME when it passed through the WG.  I
	would have complained long and loudly if it did.

	Mind you, in hind site, I should have a strongly argued
	that section 4 of RFC 3363 just be deleted.  All it has
	done is generate confusion about the status of DNAME and
	to top that the opening sentence contains assertions which
	don't hold water once you think about them a little bit.

	DNAME is just as useful with nibbles in the reverse tree as
	it was with bitlabels.

	Take RFC 2874, DNS Extensions to Support IPv6 Address Aggregation
	and Renumbering, and redo the examples with nibbles.  Everything
	just works.

	To renumber the reverse you need to get the appropriate
	DNAME records updated.  You don't need to re-establish several
	levels of delegation under IP6.INT.  Yes I expect the RIRs to
	add DNAMES not NS records at some point in the future for IP6.INT.

	For the forward part all the end systems just register their
	new addresses in the DNS using UPDATE.

	Mark.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org



More information about the NANOG mailing list