On Thu, Apr 01, 2010 at 10:49:54AM +0100, Jim Reid wrote:

> This is a valid concern. It does not and should not need to be
> addressed (excuse the pun) by making authoritative servers do stupid/
> wrong/bad things. Others have already pointed out -- and it looks like
> they will have to continue -- that it is just wrong to make a name
> server return different data based on the network protocol used to
> make the query.
Modulo Jason's correction-- we're talking about recursive servers inside ISP networks....

I admit I'm getting thoroughly confused about any kind of general architectural principle here. There seem to be several proposals out there that suggest easing v4-v6 co-ex/transition problems by having recursive resolvers "magically lie" to end systems, either by dropping records that exist in the auth zone or synthesizing ones that don't. I've looked closely at filter-aaaa and DNS64 recently, and glanced at others, including various forms of split-brain madness.

I follow this area reasonably closely and can occasionally claim to know a little about DNS. But I don't know what to say at any level higher than the specifics of particular combinations of v4/v6 connectivity about proper (or not) ways to bend or break DNS. It would be nice for us, as DNS Operations experts, to be able to say something about uses and abuses of the DNS besides "this particular thing is broken because you could do this particular other thing instead".

Are there any thoughts here on when, as a general principle, the "ends justify the means" in support of v4/v6 co-ex/transition and what forms of brutality against DNS purity seem to cause the least collateral damage?

Jim and a few others seem to me to be taking the position "changing DNS answers in the resolver based on end system transport is always bad, in this particular case the auth server operator/content provider should whitelist instead". OTOH, a co-author of the DNS64 "here's how to synthesize AAAAs for v6-only hosts" spec (which I realize implies no endorsement, hold your fire) is also arguing against filter-aaaa here.

I'm wondering whether there's a slightly more nuanced principle hiding with the pony.

Suzanne

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
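As an added illustration, not part of the thread or of any draft it cites, of the two kinds of resolver "lies" under discussion: a DNS64-style AAAA synthesis using the RFC 6052 well-known prefix 64:ff9b::/96, and a filter-aaaa-style policy that withholds an existing AAAA from clients querying over IPv4. The zone data, the names and the `resolver_answer` helper are constructed for the example and do not mirror any particular implementation's exact option semantics.

```python
import ipaddress

# Constructed authoritative data (documentation addresses, not real hosts):
# one dual-stack name and one IPv4-only name.
AUTH_ZONE = {
    "dual.example.": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
    "v4only.example.": {"A": ["192.0.2.20"], "AAAA": []},
}

# RFC 6052 well-known prefix, used by DNS64 (RFC 6147) when no
# network-specific prefix is configured.
WKP = ipaddress.IPv6Network("64:ff9b::/96")


def dns64_synthesize(ipv4: str, prefix: ipaddress.IPv6Network = WKP) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 prefix (RFC 6052)."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled in this example")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def dns64_extract(ipv6: str, prefix: ipaddress.IPv6Network = WKP) -> str:
    """Recover the embedded IPv4 address, as the NAT64 translator must."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        raise ValueError("address is not inside the DNS64 prefix")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def resolver_answer(name: str, client_transport: str, mode: str) -> dict:
    """What a recursive resolver hands the client under each policy.

    mode: "honest" -> relay the authoritative data unchanged
          "filter" -> drop AAAA for IPv4-transport clients when an A exists
          "dns64"  -> synthesize AAAA from A for names that have no AAAA
    client_transport: "ipv4" or "ipv6" (the transport of the client's query)
    """
    rr = {rtype: list(v) for rtype, v in AUTH_ZONE[name].items()}
    if mode == "filter" and client_transport == "ipv4" and rr["A"]:
        rr["AAAA"] = []  # record exists in the auth zone but is withheld
    elif mode == "dns64" and not rr["AAAA"] and rr["A"]:
        rr["AAAA"] = [dns64_synthesize(a) for a in rr["A"]]  # record never existed
    return rr


if __name__ == "__main__":
    for mode in ("honest", "filter", "dns64"):
        for transport in ("ipv4", "ipv6"):
            for name in AUTH_ZONE:
                print(mode, transport, name, resolver_answer(name, transport, mode))
```

Note that in both non-honest modes the answer can no longer be validated against the authoritative zone's DNSSEC signatures by a validating stub, which is the DNSSEC cost each of these approaches carries.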