On 03/11/2012 11:25 AM, Ted Lemon wrote: > On Mar 11, 2012, at 11:03 AM, Jim Gettys <j...@freedesktop.org > <mailto:j...@freedesktop.org>> wrote: >> I think there is an interesting question of whether interior *names* >> should be automatically published into the global DNS by default or >> not, which will depend on the security of the devices and systems and >> the users' expertise, if only to make it a bit harder for attackers to >> discover interior systems to attack (since with IPv6 finding them by >> brute force address space search is relatively hard). > > Doesn't making the zone non-enumerable and disabling zone transfers > address this problem? I guess you could still do a dictionary attack > on the zone and decrease the cost of the search somewhat in the usual > case, but it's a pretty sketchy way to try to start an attack. > Having said that, I think it's probably fine to disable propagation of > the zone by default, except that then we have to figure out what to > name the non-propagated zone, and how to deal with the transition from > non-propagated to propagated. >
Had been thinking more along the line of the multiple "view" stuff in bind; there would be/is already a public view, and then a private view only visible internally. - Jim _______________________________________________ homenet mailing list homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet