On Fri, 9 Apr 2004, JINMEI Tatuya wrote:
> Okay, thanks. Now the intended scenario is very clear to me. Then
> going back to the draft text:
>
> On one hand, securing the DDNS relationship for prefix delegation is
> simpler if DNS server and the prefix delegator are in the same
> administrative domain, and may be more difficult otherwise.
>
> On the other hand, if the DNS server resides where the prefixes are
> delegated to, it is easier to manage reverse DNS updates as they can
> be done within a single administrative entity. Similarly, then
> configuring the reverse DNS is typically simpler as well (e.g., if
> one wanted to insert a wildcard record).
>
> In these paragraphs, several cases are described:
>
> A. the case where DNS server and the prefix delegator are in the same
> administrative domain.
> B. the case where DNS server and the prefix delegator are NOT in the
> same administrative domain. (the "otherwise" case in the first
> paragraph)
> C. the DNS server resides where the prefixes are delegated to.
>
> Apparently case A means case 1, and case C seems to specify case 2.
> Are these correct? Whether the answer is yes or no, what about case
> B? Does this mean cases 2 and 3? Does it also include other
> scenarios? Or is it a completely different scenario which is neither
> 2 nor 3?
>
> If case B is (or includes) cases 2 and 3, then the above paragraphs
> seem to try to say: "in case 2, it may be more difficult to secure
> DDNS, but it is easier to manage reverse DNS updates and it is simpler
> to configure the reverse DNS." Is this (part of) what you wanted to
> say?

More or less. Thanks for keeping me honest :)

I've reworded it below for clarity:

<t>In the first case, managing the reverse DNS (delegation) is
simpler as the DNS server and the prefix delegator are in the same
administrative domain (as there is no need to delegate anything at
all). In the other cases, it can be slightly more difficult,
particularly as the site will have to configure the DNS server to be
authoritative for the delegated reverse zone, implying automatic
configuration of the DNS server -- as the prefix may be dynamic.</t>

<t>Managing the DDNS reverse updates is typically simple in
the second case, as the updated server is located at the local site,
and arguably IP address-based authentication could be sufficient (or
if not, setting up security relationships would be simpler). As there
is an explicit (security) relationship between the parties in the
third case, setting up the security relationships to allow reverse
DDNS updates should be rather straightforward as well. In the first
case, however, setting up and managing such relationships might be a
lot more difficult.</t>

Is this better? Suggestions?

--
Pekka Savola
Netcore Oy
Systems. Networks. Security.
"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html