[111975] in North American Network Operators' Group
Re: IPv6 Confusion
daemon@ATHENA.MIT.EDU (David Conrad)
Tue Feb 17 20:21:03 2009
From: David Conrad <drc@virtualized.org>
To: Mark Andrews <Mark_Andrews@isc.org>
In-Reply-To: <200902172355.n1HNtUGZ002737@drugs.dv.isc.org>
Date: Tue, 17 Feb 2009 15:20:39 -1000
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Feb 17, 2009, at 1:55 PM, Mark Andrews wrote:
>> (which was never fully
>> thought out -- how does an autoconfig'd device get a DNS name
>> associated with their address in a DNSSEC-signed world again?) and
>> letting network operators use DHCP with IPv6 the way they do with
>> IPv4.
> David you know as well as I do that DNSSEC is an orthogonal
> issue here.
My understanding, which may well be wrong, is that:
- stateless auto-configuration assumes the client will update the
address to name association once it has obtained the address.
- In order to do this, the DNS server needs to support Dynamic DNS.
- If DNSSEC is in use, it requires the use of on-line signing keys.
- Security folks get unhappy when you mention on-line signing keys.
Solution?
- Don't have address to name associations
- Don't worry about (or accept lesser) security on address to name
associations.
Of course the DNSSEC bit is sort of moot, as I suspect there aren't a
whole lot of ISPs in a position to support dynamic updates from
clients...
Regards,
-drc
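
The chain of reasoning in the message above (autoconfigured address, dynamic update, on-line signing key), worked through as an added example that is not part of the original post. It assumes a modified EUI-64 interface identifier and an NSEC-signed reverse zone; the prefix, MAC address, zone contents and function names are constructed for illustration.

```python
import ipaddress

def slaac_address(prefix, mac):
    """Address a host forms from a /64 prefix and a modified EUI-64 interface ID."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02                                   # invert the universal/local bit
    iid = int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def ptr_owner(addr):
    """Owner name of the PTR record for addr (the address to name association)."""
    return ipaddress.IPv6Address(addr).reverse_pointer + "."

def canonical_key(name):
    # Canonical DNS name order: compare labels right to left, lowercased.
    return [label.lower().encode() for label in reversed(name.rstrip(".").split("."))]

def rrsets_to_sign(apex, owners, new_owner):
    """RRsets that need a fresh RRSIG once new_owner's PTR is added by dynamic update."""
    work = [(new_owner, "PTR"), (apex, "SOA")]     # new data, plus the bumped serial
    if new_owner not in owners:
        chain = sorted(set(owners) | {apex, new_owner}, key=canonical_key)
        prev = chain[chain.index(new_owner) - 1]   # apex sorts first, so prev exists
        # The predecessor's NSEC must now point at new_owner, and new_owner
        # needs its own NSEC: both are new records that have to be signed.
        work += [(new_owner, "NSEC"), (prev, "NSEC")]
    return work

# Constructed sample data: documentation prefix, sample MAC, two existing hosts.
APEX = "1.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa."
EXISTING = [ptr_owner("2001:db8:0:1::1"), ptr_owner("2001:db8:0:1:ffff::1")]

if __name__ == "__main__":
    addr = slaac_address("2001:db8:0:1::/64", "00:16:3e:12:34:56")
    for owner, rrtype in rrsets_to_sign(APEX, EXISTING, ptr_owner(addr)):
        print(f"sign {rrtype:5} at {owner}")
```

Every entry in the returned list is a signature the server has to produce when the update arrives, which is why the zone-signing key must be reachable by the server that accepts updates.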