In message <CAAAwwbXPpNEU_aKgUe=9si2zayn30+nmrhosv2t4ag5fuet...@mail.gmail.com>, Jimmy Hess writes:
> On Mon, Mar 5, 2012 at 6:09 PM, Justin M. Streiner <strei...@cluebyfour.org> wrote:
>
> > Admittedly we (the 'network guys') don't always make it easy for them. RFCs
> > get obsoleted by newer RFCs, but the newer RFCs might still reference items
> > from the original RFC, etc.  This can turn into developing for something
>
> Yes, this is problematic. The preferred result should be one specification
> for each protocol, with references only for optional extensions.
>
> > Other common, but misguided assumptions (even in 2012):
> > 1. You will be using IPv4.  We have no idea what this IPv6 nonsense is.
> > Looks complicated and scary.
> > 2. 255.255.255.0 is the only valid netmask.
> > 3. You are using Internet Explorer, and our web management interface has
> > ActiveX controls that require you to do so.
> > 4. You will be assimilated.  Resistance is futile.
>
> Add some additional misguided assumptions:
>
> (5) Any IP address whose first octet is 192. or 1. is a private IP.
> (6) Any IP address whose first octet is not 192. is not a valid LAN IP.
> (7) Any IP address whose last octet is .0 is an invalid IP host address.
> (8) Any IP address whose last octet is .255 is an invalid IP host address.
>
> (9) If my DNS service supports DNSSEC validation, even with no trust anchors
> configured, it's cool to go ahead and send all queries with the CD and DO bits
> set to 1 and perform no validation; it's even cooler if I only
> support SHA1 keys and no RSA/SHA-256.

Setting DO to 1 is fine. CD, however, should be zero unless CD was one on the request.

> (10) Everyone enters their NTP and AD servers by IP address, so it
> is best to have a textbox that only allows IPs, not hostnames.
>
> (11) Nobody actually uses SRV records, so don't bother looking for them.
>
> (12) Once a DNS lookup has been performed, the IP never changes, so it makes sense
> to keep this in memory until we reboot.
>
> (13) Nobody has more than 1 recursive DNS server, 1 NTP server, 1 LDAP server,
> 1 Syslog server, and 1 SNMP management station;
> so a single IP entry text box for each will suffice.
>
> (14) Nobody has more than 2 recursive DNS servers, so just allow only 2 to be entered.
>
> (15) 30 seconds per resolver seems like a good timeout for DNS queries, so no
> need for a configurable timeout; just try each server sequentially, make the
> UI hang, the user will be happy to wait 5 minutes; also make the service
> provided by the device temporarily stop -- users like it when their devices
> stop working, to remind them to get their first DNS server back up.
>
> (16) The default gateway's IP address is always 192.168.0.1
> (17) The user portion of E-mail addresses never contains special
> characters like "-" "+" "$" "~" "." ",", "[", "]"

(18) DNS doesn't use TCP so I won't forward it.

(19) I only need to offer 1 DNS server though I learnt 3 from upstream and they all have different characteristics.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
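The DO-versus-CD point in the reply above, as an added example that is not from the thread or from ISC: a minimal forwarder that builds its upstream query with DO set but copies CD from the client's request rather than forcing it to 1. The wire-format helpers, the 1232-byte EDNS buffer size and the assumption that a query's only additional record is the OPT RR are mine.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035), in the header's second 16-bit word.
FLAG_RD = 0x0100  # Recursion Desired
FLAG_CD = 0x0010  # Checking Disabled: the client asks the resolver not to validate
# EDNS0 (RFC 6891): DO is the top bit of the OPT pseudo-RR's 32-bit TTL field.
OPT_TYPE = 41
EDNS_DO = 0x80000000
UDP_SIZE = 1232  # assumed EDNS buffer size advertised by this forwarder


def _encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype, txid, cd=False, do=True):
    """Build a one-question query with an EDNS0 OPT RR (the 'client' side)."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1
    question = _encode_name(qname) + struct.pack("!HH", qtype, 1)  # QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode|version|DO|Z, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, UDP_SIZE, EDNS_DO if do else 0, 0)
    return header + question + opt


def parse_query(msg):
    """Return (txid, cd, do, question_bytes); assumes the only additional RR is OPT."""
    txid, flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip QNAME labels (questions are never compressed), QTYPE, QCLASS
        while msg[off]:
            off += 1 + msg[off]
        off += 5
    question = msg[12:off]
    do = False
    for _ in range(ar):  # root name (1 byte) + TYPE/CLASS/TTL/RDLEN (10 bytes) + RDATA
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off + 1:off + 11])
        do = do or (rtype == OPT_TYPE and bool(ttl & EDNS_DO))
        off += 11 + rdlen
    return txid, bool(flags & FLAG_CD), do, question


def build_upstream_query(client_query, upstream_txid):
    """Always set DO (so signatures come back) but copy CD from the client rather
    than forcing it on, so a validating upstream still validates for clients that did not ask to skip it."""
    _txid, client_cd, _do, question = parse_query(client_query)
    flags = FLAG_RD | (FLAG_CD if client_cd else 0)
    header = struct.pack("!HHHHHH", upstream_txid, flags, 1, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, UDP_SIZE, EDNS_DO, 0)
    return header + question + opt
```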