comcast ipv6 PTR

Mark Andrews marka at isc.org
Tue Oct 15 21:24:10 UTC 2013


In message <8738o2poov.fsf at nemi.mork.no>, Bjørn Mork writes:
> Mark Andrews <marka at isc.org> writes:
> 
> > Actually you just need to *let* the hosts update their own ptr
> > records using UPDATE.
> >
> > People keep saying the PTR records don't mean anything yet still
> > demand really strong authentication for updates of PTR records.
> > TCP is more than a strong enough authenticator to support update
> > from self.
> >
> > You can even delegate the reverse zone when doing or just after a PD.
> >
> > * Accept NS/DNAME updates for the reverse prefix from any address
> >   in the delegated address range over TCP.  This avoids having a
> >   temporarily lame delegation.  named already has code to do this
> >   for /48's as I coded it to support 6to4.
> 
> This sounded like an excellent idea at first, but then I started
> thinking:  As a home user, would I really want to give anyone with
> access to my network the right to change my reverse delegation?

Yet this is essentially what 6to4 has been doing for years.  See
RFC 5158.  Sometimes good enough is all that is needed.

One could add a KEY record at the same time as you add the NS/DNAME
records and use SIG(0) to authenticate subsequent updates to the
delegation based on that key.

The DHCP server would clear delegations on new PD presumably using
a TSIG signed UPDATE request.

	if no sig0 then allow update tcp-6to4
	if self-signed then allow update
	if this tsig then allow update

Named already has the concepts of "this tsig", "self-signed",
"tcp-6to4".  It doesn't have the concept of "no sig0" but adding
this sort of thing is relatively straightforward.

A third method would be for the CPE to send a KEY record rdata
in the DHCP PD request, which the DHCP server would add to the
zone with an owner name based on the allocated prefix.  SIG(0) would
then be used to authenticate further update requests at or below
this name.

This is just bolting together existing technologies in more useful
ways.

Mark

> I don't think so.  I am not even sure I would want them all to be able
> to update the PTR record for the addresses they use.

> Bjørn
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
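The three-rule update policy sketched in the message above (unsigned TCP from inside the delegated prefix for NS/DNAME at the delegation point, SIG(0) by a KEY already in the zone for names at or below it, and the DHCP server's TSIG key for clearing a delegation), modelled here as an added Python illustration; this is not named's code or the author's, and the key name, the KEY-store dictionary and the sample prefix are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def reverse_name(prefix: str) -> str:
    """ip6.arpa owner name of a nibble-aligned IPv6 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("prefix must be nibble aligned")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def at_or_below(name: str, apex: str) -> bool:
    return name == apex or name.endswith("." + apex)


@dataclass
class Update:
    src: str                            # source address of the UPDATE request
    tcp: bool                           # arrived over TCP (handshake proves src is reachable)
    name: str                           # owner name the request changes
    rrtype: str                         # NS, DNAME, KEY, PTR, ...
    sig0_signer: Optional[str] = None   # owner name of the KEY that SIG(0)-signed it
    tsig_key: Optional[str] = None      # TSIG key name, if any


DHCP_TSIG_KEY = "dhcp-pd-key."   # constructed: the TSIG key the DHCP server would use


def allowed(u: Update, delegated_prefix: str, key_db: dict) -> bool:
    """key_db maps owner names to the KEY record published there (stand-in for zone data)."""
    deleg = reverse_name(delegated_prefix)
    # "if no sig0 then allow update tcp-6to4": an unsigned request is accepted only over
    # TCP, from an address inside the delegated prefix, and only for the NS/DNAME (plus
    # the bootstrap KEY) at the delegation point itself.
    if u.sig0_signer is None and u.tsig_key is None:
        if not u.tcp or u.rrtype not in ("NS", "DNAME", "KEY"):
            return False
        inside = ipaddress.IPv6Address(u.src) in ipaddress.IPv6Network(delegated_prefix)
        return inside and u.name == deleg
    # "if self-signed then allow update": SIG(0) by a KEY already in the zone covers
    # names at or below that KEY's owner name; an unknown signer is rejected.
    if u.sig0_signer is not None:
        return u.sig0_signer in key_db and at_or_below(u.name, u.sig0_signer)
    # "if this tsig then allow update": the DHCP server may change anything under the
    # delegation, e.g. clear NS/DNAME/KEY when the prefix is reassigned.
    return u.tsig_key == DHCP_TSIG_KEY and at_or_below(u.name, deleg)
```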