>>>>> "Lorenzo" == Lorenzo Colitti <[email protected]> writes:
>> In the DNS space, I would like the WG to declare the name-based
>> selection of DNS servers (what some want to do for walled gardens)
>> should be ruled harmful.
>> If some walled garden wants the name->AAAA mapping private, then
>> just restrict queries to source addresses within the walled garden.
>> If necessary, add level of NS record.
Lorenzo> And do what in response to queries for that name coming from outside the
Lorenzo> walled garden? Return REFUSED? Return NXDOMAIN? Drop the query? None of
Lorenzo> these works, I think.
1) if you use an extra level of NS, then whoever asks for the AAAA
will get a timeout. By this, I mean:
public example.com ns:
walled.example.com IN NS ns.walled.example.com.
ns.walled.example.com IN AAAA 4000:dead:beef::1
(Let's assume that walled gardens get a clear Non-Connected Network
allocation in 4000::/3, but it works fine with 2000::/3 space which is
either un-advertised or firewalled)
private walled.example.com ns:
coolserver.walled.example.com IN AAAA 4000:dead:beef::2
If you ask from within the walled garden, then you can talk to the
4000:dead:beef::/48 network (and you do so from your 4000::/3 address),
so you get an answer.
If you ask from without, you get a timeout. So even the name of the
service is hidden, which is what I'm told the providers want.
2) if you do not use this extra level, but have a name server which
the world can reach, then you can return whatever value you want.
You can return a different AAAA too if you want.
But tell me, how is this any different from what I'm told they originally
wanted, which is that we'd have:
if ($domain =~ /(^|\.)somesuffix\.com$/) {   # dots escaped, anchored at a label boundary
    $ns = $walledgardendns;
}
in applications and stub resolvers? If you aren't in the walled
garden, what would the application do when $walledgardendns is not
reachable?
--
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] [email protected] http://www.sandelman.ottawa.on.ca/ |device driver[
Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
then sign the petition.
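An added simulation (example code, not from the thread or either poster) of the two approaches above, using zone data constructed from the message: the public zone delegates walled.example.com to a name server on a garden-only address, so a querier outside the garden gets a timeout under both the delegation approach and the suffix-match approach. The 2001:db8::53 public resolver address and the function names are assumptions.

```python
import ipaddress

# Constructed zone data modelled on the thread's example; these are not real records.
PUBLIC_ZONE = {  # served by the world-reachable example.com name servers
    "walled.example.com.": {"NS": "ns.walled.example.com."},
    "ns.walled.example.com.": {"AAAA": "4000:dead:beef::1"},  # glue record
}
PRIVATE_ZONE = {  # served only by ns.walled.example.com inside the garden
    "coolserver.walled.example.com.": {"AAAA": "4000:dead:beef::2"},
}
# Assumption from the thread: 4000::/3 is neither advertised nor permitted through
# the garden edge, so only garden-sourced traffic reaches garden addresses.
GARDEN = ipaddress.ip_network("4000::/3")

def reachable(src, dst):
    """A destination inside the garden is reachable only from a garden source."""
    if ipaddress.ip_address(dst) not in GARDEN:
        return True
    return ipaddress.ip_address(src) in GARDEN

def ask(ns_addr, zone, qname, src):
    """Query one name server; a server we cannot reach never answers."""
    if not reachable(src, ns_addr):
        return "TIMEOUT"
    return zone.get(qname, {}).get("AAAA", "NXDOMAIN")

def resolve_by_delegation(qname, src):
    """Option 1: iterative lookup that follows the public zone's NS referral."""
    if "AAAA" in PUBLIC_ZONE.get(qname, {}):
        return PUBLIC_ZONE[qname]["AAAA"]  # glue is answered by the public zone
    labels = qname.split(".")
    for i in range(1, len(labels)):  # closest enclosing delegation first
        cut = ".".join(labels[i:])
        if "NS" in PUBLIC_ZONE.get(cut, {}):
            ns_addr = PUBLIC_ZONE[PUBLIC_ZONE[cut]["NS"]]["AAAA"]
            return ask(ns_addr, PRIVATE_ZONE, qname, src)
    return "NXDOMAIN"

def resolve_by_name_selection(qname, src):
    """The suffix-match approach from the thread: the stub picks the garden NS by
    name and has no fallback when that server is unreachable."""
    if qname.endswith(".walled.example.com."):
        return ask("4000:dead:beef::1", PRIVATE_ZONE, qname, src)
    return ask("2001:db8::53", PUBLIC_ZONE, qname, src)  # assumed public resolver

if __name__ == "__main__":
    for src in ("4000:dead:beef::42", "2001:db8::1"):  # inside, then outside
        print(src, resolve_by_delegation("coolserver.walled.example.com.", src),
              resolve_by_name_selection("coolserver.walled.example.com.", src))
```

Note that ns.walled.example.com itself stays visible through the public glue record; only names under the delegated zone are hidden from outside queriers.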