Markus Stenberg <markus.stenb...@iki.fi> wrote:
    > Personally, I don’t believe in auto-exported ~full DNS information from
    > home because current service discovery schemes (mdns, dns-sd, upnp) or
    > even host-name discovery schemes (dhcp*) do not really lend themselves
    > to the external visibility being _opt in_. I don’t really want to
    > publish my home zone, and if I even did, anything that’s firewalled (=
    > everything except few ports on few addresses) is not useful outside the
    > home in any case.

Many people *do* want seamless access, and as their devices roam outside the
home, they expect that, having entered the name of the device,
whatever security they have (such as a VPN) will then get kicked off
automatically.  That requires that names->IPv6 mapping be available so that
the VPN can know it is supposed to do something.

I have way too much experience with IPsec VPNs where I have to turn the VPN
on, flush my DNS cache, restart my browser, and then finally, I can access
some internal name, all because some CIO thought that it would be insecure if
the world knew about intranet.example.com.

That's not the same as having an open network, so please stop saying that
names are useless because there is no connectivity.

I think that whether you "auto-export", or whitelist, or blacklist, etc. is
completely a local matter.  We may recommend a default, but we should make
sure that the mechanisms exist.

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-




_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
