On 2011-08-16 17:05, Ted Lemon wrote:
> On Aug 15, 2011, at 9:27 PM, Brian E Carpenter wrote:
> As long as that process is at least as secure as DNSSEC, so that
> DNSSEC is not compromised, that is certainly an alternative.
> However, it makes DHCPv6 mandatory for automatic renumbering.
> That may be a "political" decision as well as a technical one.
>
> "As secure as DNSSEC" is not always the required level of security. For
> instance, at my office, roaming laptops can provide a name which is used to
> update a DNS record in a well-known zone. However, they cannot insert
> arbitrary records—just A and/or AAAA records. And they cannot insert them
> into arbitrary zones. So the security requirements here are substantially
> less stringent than they would be in the case that a client had a key that
> allowed it to do arbitrary updates to a zone.
>
> As for the political layer, I don't really see the problem. If people want
> DNS updates, there's going to be some kind of mechanism for it. If they
> don't, it's not a problem. Presumably in environments where autoconfig is
> the rule, either clients have keys with which to update the DNS, or else they
> do not need to update the DNS (e.g., they are using mdns or Bonjour, and do
> not need a globally-visible name).

Ted, all I meant by "political" is that it has been quite controversial
in IPv6-land whether DHCPv6 becomes a de facto mandatory option, or
whether sites can opt to use nothing but SLAAC for some or all hosts.
If the conclusion for 6renum is that DHCPv6 is required, so be it,
but the discussion might get noisy.

Brian
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop