Ray, I have read the draft, found no problems other than the missing security considerations (I don't see any particular security considerations), and fully support it.
Did you consider a "referral" model using NS records?

    LOCAL.ARPA.    9000 NS A.LOCAL.ARPA.
    LOCAL.ARPA.    9000 NS B.LOCAL.ARPA.
    A.LOCAL.ARPA.  9000 A  1.2.3.4
    B.LOCAL.ARPA.  9000 A  2.3.4.5

I think this may be cleaner, it allows multi-homed servers to be properly distinguished (you shouldn't try an alternate address until other servers have been tried), and seems closer to the normal DNS representation of name servers. A simplistic client can still just save all the A records, and ignore the names.

This may be significant if the glue types are extended in future to supply other link-local parameters, for example the DNS transport protocols supported, or a link-local public key. Although this is not a fully secure way to acquire a local public key, it does raise the bar for an in-path attacker, and clients could warn users if a link-local public key changes.

I also note that using LOCALHOST, or a sub-domain of LOCALHOST, would avoid non-local queries being sent by servers that are not aware of LOCAL.ARPA. Which is the most appropriate domain to use I am unable to judge.

Regards,
George

----- Original Message -----
From: ray.bel...@nominet.org.uk
To: dnsop@ietf.org
Sent: Thursday, October 15, 2009 4:00 PM
Subject: [DNSOP] Fw: New Version Notification for draft-bellis-dns-recursive-discovery-00

I've just submitted the following draft.

--8<--8<--
A new version of I-D, draft-bellis-dns-recursive-discovery-00.txt has been successfully submitted by Ray Bellis and posted to the IETF repository.

Filename: draft-bellis-dns-recursive-discovery
Revision: 00
Title: DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA
Creation_date: 2009-10-15
WG ID: Independent Submission
Number_of_pages: 9

Abstract:
This document describes a method for a DNS client resolver to discover the IP addresses of the upstream recursive DNS resolvers and hence bypass the local DNS proxy.

It also directs IANA to reserve the "LOCAL.ARPA" domain name and to create a registry for well known sub-domains of that domain name, such sub-domains being reserved for use within any network's administrative boundary.
--8<--8<--

The draft is available for download at http://tools.ietf.org/html/draft-bellis-dns-recursive-discovery-00

Ray

--
Ray Bellis, MA(Oxon) MIET
Senior Researcher in Advanced Projects, Nominet
e: r...@nominet.org.uk, t: +44 1865 332211

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
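To make the referral model concrete on the client side, here is an added example (not code from George, from the draft, or from any resolver implementation) of how a stub client could consume such an answer. It assumes a constructed record set in the shape George sketched, with one extra glue address for A.LOCAL.ARPA added here to illustrate a multi-homed server, and it treats the "link-local public key" glue type as a hypothetical extension, modelled only as an opaque string pinned on first use so that a change can be reported to the user.

```python
"""Client-side handling of a referral-style LOCAL.ARPA answer (added example)."""
from collections import OrderedDict

# Constructed record set in presentation format. It follows the referral model
# from the message; the second A record for A.LOCAL.ARPA is an assumption
# added here so that a multi-homed server appears in the data.
SAMPLE_RECORDS = """\
LOCAL.ARPA.    9000 NS A.LOCAL.ARPA.
LOCAL.ARPA.    9000 NS B.LOCAL.ARPA.
A.LOCAL.ARPA.  9000 A  1.2.3.4
A.LOCAL.ARPA.  9000 A  1.2.3.5
B.LOCAL.ARPA.  9000 A  2.3.4.5
"""


def parse_records(text):
    """Parse 'owner ttl type rdata' lines into (owner, type, rdata) tuples.
    Owner names and types are upper-cased so comparisons are case-insensitive."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line: skip rather than guess
        owner, _ttl, rtype = parts[0].upper(), parts[1], parts[2].upper()
        rdata = " ".join(parts[3:])
        out.append((owner, rtype, rdata))
    return out


def servers_from_referral(records, zone="LOCAL.ARPA."):
    """Group glue addresses under the NS name they belong to, in NS order.
    Glue whose owner is not named by an NS record of the zone is ignored,
    so stray A records cannot smuggle in an extra resolver address."""
    zone = zone.upper()
    ns_names = [rdata.upper() for owner, rtype, rdata in records
                if owner == zone and rtype == "NS"]
    servers = OrderedDict((name, []) for name in ns_names)
    for owner, rtype, rdata in records:
        if rtype == "A" and owner in servers:
            servers[owner].append(rdata)
    return servers


def trial_order(servers):
    """Round-robin across servers: every server's first address is tried
    before any server's second address, which is the ordering George asks
    for (do not fall back to an alternate address of a multi-homed server
    until the other servers have been tried)."""
    order = []
    queues = [list(addrs) for addrs in servers.values() if addrs]
    while queues:
        for q in queues:
            order.append(q.pop(0))
        queues = [q for q in queues if q]
    return order


def all_addresses(records):
    """The simplistic client from the message: keep every A record, ignore names."""
    return [rdata for _owner, rtype, rdata in records if rtype == "A"]


def check_pinned_key(pins, server, key):
    """Trust-on-first-use check for a hypothetical link-local public key
    glue type. 'pins' maps server name -> key seen previously. Returns
    'new' (first sighting, now pinned), 'match', or 'changed' (the case
    in which a client would warn the user)."""
    seen = pins.get(server)
    if seen is None:
        pins[server] = key
        return "new"
    return "match" if seen == key else "changed"


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("referral order :", trial_order(servers_from_referral(recs)))
    print("simplistic list:", all_addresses(recs))
```

The trial order produced for the constructed data is 1.2.3.4, then 2.3.4.5, and only then 1.2.3.5, whereas the simplistic client sees all three A records in zone order and cannot tell that two of them belong to the same server.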