On Mon, Aug 15, 2011 at 10:34:53PM +0200, Måns Nilsson wrote:
> Subject: Re: [renum] [DNSOP] Dynamic DNS Update Deployment??
> Date: Tue, Aug 16, 2011 at 08:19:21AM +1200
> Quoting Brian E Carpenter (brian.e.carpen...@gmail.com):
> > On 2011-08-16 05:55, Ted Lemon wrote:
> > > On Aug 15, 2011, at 1:26 AM, Leo Liu(bing) wrote:
> > > Thanks for the info, that's quite helpful. So can we assume that
> > > Windows-based DNS systems have been widely deployed rfc3007?
> > >
> > > This is kind of a bizarre conversation. DDNS use is widespread
> > > in environments that support DHCPv4, although it is by no means
> > > pervasive. It's not a Windows thing--it's generally done by
> > > DHCP servers, not DHCP clients. DNS update by clients is
> > > somewhat rare, although it is supported by Windows.
> > > Unfortunately Apple has chosen not to support it, but in practice
> > > it's not important because key distribution for DNS updates is
> > > such a big problem that it usually doesn't make sense to do it
> > > from end nodes--only from servers.
> >
> > In the context of the 6renum WG, that is a very important point.
> > We need to figure out the best way to automate the DNS
> > consequences of adding a new IPv6 prefix, or removing an old
> > one, in all or part of an enterprise network. So we need to
> > understand how it interacts with DHCPv6. Basically I think
> > you're saying that in real life we can't expect end hosts to be
> > responsible for their own DNS updates when renumbered, because
> > that requires an unreasonable key distribution mechanism.
>
> Unless that's been taken care of -- the Active Directory model does
> work. And, since the authority for forward and reverse may vary,
> forward updates are better dealt with by the client (think mobile
> client that wants its domain name with any IP address), while reverse
> is best performed by the address authority, i.e. DHCP(v6) server. The
> paper/how-to that came out of a RIPE meeting workshop some years ago
> details this division of work quite nicely.
>
> http://www.ops.ietf.org/dns/dynupd/secure-ddns-howto.html

Other than for weirdos like some of us in this group, I think the overwhelming majority of users do not in fact have administrative control over the forward zone nor is there a good security model for it nor way of distributing keys.

For the overwhelming majority of hosts, I believe their forward zone is likely to be something.isp.com. This is why, as Ted alludes to, servers (DHCP, whether v4 or v6) tend to do the updates.

Indeed, in spite of being a weirdo I don't try to do my own forward zone dynamic DNS updates.

Regards,
Stephen

--
Stephen Jacob | stephen.ja...@nominum.com | +1 650 381 6051
Nominum, Inc. | http://www.nominum.com/ | +1 650 381 6000