Or we could stop debating whether we should maintain it and assume
that if we give people tools that will allow it to be automatically
maintained they will eventually deploy them.
A lot of the issue is that the tools aren't out there yet.
Document what a node should do to register itself in the reverse
tree and to clean up when its address changes. Write some code to
do it.
e.g.
Add a PTR record and a KEY record using TCP and the source address
as the authenticator. The KEY record lets the node clean up after
itself when the address changes by using SIG(0) as the authenticator.
We already have nameservers which can completely support these
clients.
We can add delayed automatic cleanup to the DNS. Nameservers already
do lots of automatic zone maintenance for DNSSEC. Cleaning out
records when a timer goes off is no more difficult than regenerating
RRSIG when timers go off. Yes, this would require nodes to refresh
their REMOVE records periodically to keep the PTR and KEY records
alive. Windows already does this sort of thing but on a whole of
zone basis.
1.1.1.1.in-addr.arpa REMOVE PTR <time>
1.1.1.1.in-addr.arpa REMOVE KEY <time>
Where time is a 32 bit time stamp like those in RRSIG records.
The client would fetch the REMOVE records and send back an updated
set of REMOVE records periodically. When a REMOVE record is triggered
it is automatically removed from the set of REMOVE records.
A nameserver could automatically add REMOVE records and put upper
bounds on the time field as a matter of policy if desired.
You would then end up with a set of records like this optionally
signed.
1.1.1.1.in-addr.arpa PTR <name>
1.1.1.1.in-addr.arpa KEY <key>
1.1.1.1.in-addr.arpa REMOVE PTR <time>
1.1.1.1.in-addr.arpa REMOVE KEY <time>
The nameserver then has all the data it needs to re-establish the
timers on startup within the zone.
The next step is automatic reverse tree delegation along with prefix
delegation as well as cleanup when the delegation expires. We have
drafts for how to do this.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
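The REMOVE-record lifecycle sketched in the message above, as an added illustration that is not part of the original post or of any ISC code: a small model of a zone holding PTR and KEY records beside their REMOVE timers, the timer re-establishment a nameserver would do at startup, and a client refresh clamped to a policy upper bound. The record layout, the RRSIG-style 32-bit wraparound comparison and the sample zone are assumptions; "REMOVE" is the proposal's type name, not a registered RR type.

```python
# Added example: models the REMOVE-record lifecycle from the message.
# "REMOVE" is the proposed type, not a registered RR type; the zone
# contents below are constructed sample data.
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


def serial_le(a: int, b: int) -> bool:
    """True if 32-bit timestamp a is at or before b, compared with
    RFC 1982 serial arithmetic (as RRSIG times are), so values that
    wrap past 2038 still order sensibly."""
    return ((b - a) & MASK32) < 0x80000000


@dataclass
class RR:
    owner: str
    rtype: str      # "PTR", "KEY" or "REMOVE"
    rdata: tuple    # REMOVE: (target_type, expiry32); others: (value,)


def due_removals(zone, now):
    """What a nameserver re-establishing timers at startup would fire
    immediately: every REMOVE record whose timestamp is at or before now."""
    return [rr for rr in zone
            if rr.rtype == "REMOVE" and serial_le(rr.rdata[1], now)]


def apply_removals(zone, now):
    """Drop each triggered record together with its REMOVE record."""
    fired = {(rr.owner, rr.rdata[0]) for rr in due_removals(zone, now)}
    keep = []
    for rr in zone:
        if rr.rtype == "REMOVE" and (rr.owner, rr.rdata[0]) in fired:
            continue            # the timer itself goes away once triggered
        if (rr.owner, rr.rtype) in fired:
            continue            # the PTR/KEY it pointed at is removed
        keep.append(rr)
    return keep


def refresh(zone, owner, target_type, requested, now, max_lifetime):
    """Client-sent update of one REMOVE timestamp. Server policy caps
    the expiry at now + max_lifetime seconds. Returns the new zone."""
    cap = (now + max_lifetime) & MASK32
    expiry = requested if serial_le(requested, cap) else cap
    new = [rr for rr in zone if not (rr.rtype == "REMOVE"
           and rr.owner == owner and rr.rdata[0] == target_type)]
    new.append(RR(owner, "REMOVE", (target_type, expiry)))
    return new


# Constructed zone: the message's 1.1.1.1.in-addr.arpa with one-hour timers.
NOW = 1_700_000_000
ZONE = [
    RR("1.1.1.1.in-addr.arpa", "PTR", ("host.example.",)),
    RR("1.1.1.1.in-addr.arpa", "KEY", ("<key>",)),
    RR("1.1.1.1.in-addr.arpa", "REMOVE", ("PTR", NOW + 3600)),
    RR("1.1.1.1.in-addr.arpa", "REMOVE", ("KEY", NOW + 3600)),
]
```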