On 2012-11-22, at 18:10, Mark Andrews <ma...@isc.org> wrote:
> Individual hosts should be doing dynamic DNS. Where that update
> is sent to may change but all machines should be doing it and should
> support TSIG as a minimum.
The missing pieces here include:
- what sane ISP/campus/home network/hotspot operator gives credentials to
customers or even random users to complete dynamic updates to one of their
master servers?
- how can a TSIG key be shared between a network operator and a client that
potentially don't know each other?
- what name should a user be allowed to specify in their PTR RDATA?
- what stops user A from sending authentically TSIG-signed UPDATEs to a
nameserver and changing (or removing) user B's PTR?
- what consumer systems do this by default? (I think it's none, but I thought
I'd ask)
> Individual hosts should be able to work out where to send the updates
> by querying the DNS to find the nameservers of the containing zone
> after processing and DNAME/CNAME mappings.
I think you skipped a step -- you need to find the zone cut before you can find
the nameservers responsible for the zone. I guess I do that by asking for
blah.ip6.arpa/IN/SOA and checking the authority section, but what if the
authority section is empty because of software choices in some nameserver? I
guess then I need to
[krill:~]% ifconfig en0 | grep inet6 | grep -vi fe80::
inet6 2001:4900:1042:100:7ed1:c3ff:fee8:102f prefixlen 64 autoconf
[krill:~]%
[krill:~]% dig
7.7.2.6.4.f.d.8.e.7.2.a.e.4.8.5.0.0.1.0.2.4.0.1.0.0.9.4.1.0.0.2.ip6.arpa. IN
SOA +short
[krill:~]% dig
7.2.6.4.f.d.8.e.7.2.a.e.4.8.5.0.0.1.0.2.4.0.1.0.0.9.4.1.0.0.2.ip6.arpa. IN SOA
+short
[krill:~]% dig
2.6.4.f.d.8.e.7.2.a.e.4.8.5.0.0.1.0.2.4.0.1.0.0.9.4.1.0.0.2.ip6.arpa. IN SOA
+short
[krill:~]% dig
6.4.f.d.8.e.7.2.a.e.4.8.5.0.0.1.0.2.4.0.1.0.0.9.4.1.0.0.2.ip6.arpa. IN SOA
+short
[krill:~]% dig
4.f.d.8.e.7.2.a.e.4.8.5.0.0.1.0.2.4.0.1.0.0.9.4.1.0.0.2.ip6.arpa. IN SOA +short
[krill:~]% dig f.d.8.e.7.2.a.e.4.8.5.0.0.1.0.2.4.0.1.0.0.9.4.1.0.0.2.ip6.arpa.
IN SOA +short
[krill:~]% dig d.8.e.7.2.a.e.4.8.5.0.0.1.0.2.4.0.1.0.0.9.4.1.0.0.2.ip6.arpa. IN
SOA +short
[krill:~]% dig 8.e.7.2.a.e.4.8.5.0.0.1.0.2.4.0.1.0.0.9.4.1.0.0.2.ip6.arpa. IN
SOA +short
[krill:~]% dig e.7.2.a.e.4.8.5.0.0.1.0.2.4.0.1.0.0.9.4.1.0.0.2.ip6.arpa. IN SOA
+short
[krill:~]% dig 7.2.a.e.4.8.5.0.0.1.0.2.4.0.1.0.0.9.4.1.0.0.2.ip6.arpa. IN SOA
+short
[krill:~]% dig 2.a.e.4.8.5.0.0.1.0.2.4.0.1.0.0.9.4.1.0.0.2.ip6.arpa. IN SOA
+short
[krill:~]% dig a.e.4.8.5.0.0.1.0.2.4.0.1.0.0.9.4.1.0.0.2.ip6.arpa. IN SOA
+short
[krill:~]% dig e.4.8.5.0.0.1.0.2.4.0.1.0.0.9.4.1.0.0.2.ip6.arpa. IN SOA +short
[krill:~]% dig 4.8.5.0.0.1.0.2.4.0.1.0.0.9.4.1.0.0.2.ip6.arpa. IN SOA +short
[krill:~]% dig 8.5.0.0.1.0.2.4.0.1.0.0.9.4.1.0.0.2.ip6.arpa. IN SOA +short
[krill:~]% dig 5.0.0.1.0.2.4.0.1.0.0.9.4.1.0.0.2.ip6.arpa. IN SOA +short
[krill:~]% dig 0.0.1.0.2.4.0.1.0.0.9.4.1.0.0.2.ip6.arpa. IN SOA +short
[krill:~]% dig 0.1.0.2.4.0.1.0.0.9.4.1.0.0.2.ip6.arpa. IN SOA +short
[krill:~]% dig 1.0.2.4.0.1.0.0.9.4.1.0.0.2.ip6.arpa. IN SOA +short
[krill:~]% dig 0.2.4.0.1.0.0.9.4.1.0.0.2.ip6.arpa. IN SOA +short
[krill:~]% dig 2.4.0.1.0.0.9.4.1.0.0.2.ip6.arpa. IN SOA +short
. jabley.hopcount.ca. 2011032174 10800 3600 604800 86400
[krill:~]%
Ah, there it is. There's no MNAME specified (I rudely called it ".") but let's
pretend I didn't do that.
Now I need to know:
what is my name?
how do I know the name is unique within this network?
what TSIG key should I use?
Let's suspend disbelief and suppose that I am capable of knowing a reasonable
name that represents a reasonable, valid FQDN, that I know it's unique, and
that I have somehow discovered a TSIG secret for the local network that is
still a secret, and isn't shared knowledge amongst 300,000 other customers.
Once I've answered those questions, I send a TSIG-signed UPDATE to the
MNAME-specified server and update:
7.7.2.6.4.f.d.8.e.7.2.a.e.4.8.5.0.0.1.0.2.4.0.1.0.0.9.4.1.0.0.2.ip6.arpa. IN
PTR krill.hopcount.ca.
Presumably we're encouraging PTR records to make sense, in which case I also
want to update:
krill.hopcount.ca. AAAA 2001:4900:1042:100:584e:a27e:8df4:6277
Since hopcount.ca is my own domain, and I run the server referenced in the
MNAME (assuming again I change it from "." to something sensible), there is
some chance I could make this work. What if the domain is hosted elsewhere?
What if it's the ISP's domain I've decided to use? What if I have no reasonable
parent domain configured, and the local hostname is "Joe's Computer"?
I need to repeat this for every v6 address I have (I have five right now,
apparently, not counting the link-local) and also handle deletion of AAAAs and
PTRs that might already be there, accommodating the full range of abrupt
disconnects that phones and networks enjoy six hundred times per day.
Even without harping on about the many unanswerable questions in the travelogue
above, this whole procedure seems filled with fail.
> Darwin and Windows already support sending dynamic updates though
> I don't believe they handle the presence of DNAME or CNAME.
I believe these days none of (Windows, Mac OS X, iOS, Android) do this by
default. Windows and Mac OS X can be made to do this kind of thing with
specific configuration ("wide-area bonjour", "Active Directory"), which is
usually only ever done in an enterprise context.
I think current tools for this suck, and current protocols are going to need
extensions to be defined before the situation gets any better. Happy to be
proven wrong, though.
If there's a good way to do this (enforce a naming scheme that guarantees
uniqueness, use SIG(0), whatever) then I think this draft needs to spell it out
in a way that people can actually implement, both as vendors of consumer
operating systems and as v6-capable ISPs. Simply saying "this has been easy for
a decade" doesn't really get us anywhere.
Joe
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
