IPv6 Confusion
Mark Andrews
Mark_Andrews at isc.org
Tue Feb 17 23:55:30 UTC 2009
In message <D34D7BAE-4781-4AE2-ABB2-6D211C9B7B85 at virtualized.org>, David Conrad
writes:
> On Feb 17, 2009, at 11:28 AM, Tony Hain wrote:
> > Approach IPv6 as a new and different protocol.
>
> Unfortunately, I gather this isn't what end users or network operators
> want or expect. I suspect if we want to make real inroads towards
> IPv6 deployment, we'll need to spend a bit more time making IPv6 look,
> taste, and feel like IPv4 and less time berating folks for "IPv4-
> think" (not that you do this, but others here do). For example,
> getting over the stateless autoconfig religion (which was never fully
> thought out -- how does a autoconfig'd device get a DNS name
> associated with their address in a DNSSEC-signed world again?) and
> letting network operators use DHCP with IPv6 the way they do with IPv4.
David you know as well as I do that DNSSEC is a orthognal
issue here.
The first issue is how do you assign a name to a object?
The second issue is how do you add that name to the DNS?
The third issue is how do you sign that change?
I solve it by give the machine a name. Adding a KEY record
at that name to the DNS, the private part the machine knows.
I then use SIG(0) to update the address records of the
machine whenever the addresses change. The DNS server that
accepts that update generated new RRSIGs for the records
affected by that change and the zone propogates out to the
servers using NOTIFY.
I update the reverse PTR records using tcp-self as the
authentication mechanism. tcp-self is weak but is strong
enough for the level of trust assigned to PTR records.
Again the DNS server generates appropriate signatures.
The machine's name is not tied to the network on which it
lives.
Mark
> Or, we simply continue down the path of more NATv4.
>
> Regards,
> -drc
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the NANOG
mailing list