On Thu, 23 Jan 2003 09:10:08 +0100 (CET) Erik Nordmark <[EMAIL PROTECTED]> wrote:
> > I do not believe it is either necessary or appropriate to have DNS
> > provide only addresses that are reachable by the party making the query.
>
> The question in my mind is whether it is appropriate to put addresses
> that are by design not globally reachable in the DNS.

As long as the addresses are unambiguous, I don't think this causes much harm. Putting a name-to-address binding in the DNS is a statement of fact - address A is associated with name N for length of time T - not an assurance that anyone who can look up the DNS name can use the service associated with that name. The latter depends on several things - not only being able to reach the address but having permission to use the service, being able to authenticate to the service, being able to speak the appropriate protocols, etc.

> But worse, the interaction between MX and A* records can cause more
> spectacular failures.
> Assume an MX for *.example.com which points at mail.example.com.
> AAAA for mail.example.com has both global and GUPI addresses.
> Works so far, perhaps with timeouts.
>
> But when server.example.com has an AAAA that is just GUPI, then mail
> delivery to [EMAIL PROTECTED] will fail when the GUPI is not reachable,
> right?

Yes, it will. But not because you listed a GUPI in the DNS, but because you failed to provide and advertise a server that was reachable by somebody who wanted to send you mail. Even then, you're not under any obligation to accept mail from anyone who wishes to send it to you (RFC 2821 is quite clear on this - though indefinitely returning "temporary failure" would be considered antisocial).

Let's put the question in a different light. In a sense, both v4 and v6 addresses are scoped - you cannot generally expect that a v4 host can communicate with a v6 host or vice versa. Attempts to provide general-purpose conversion between the two have fallen into some degree of disfavor because they introduce problems similar to those of NAT, and for various reasons it's not reasonable to expect all apps to support both kinds of addresses. So should we discourage sites from associating A or AAAA records with names because they're not globally reachable?

It certainly makes sense to me to say "avoid using or advertising GUPIs when you have globals".

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
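The MX/AAAA failure mode traded back and forth above is easy to get wrong by eye, so here is an added walkthrough in Python; it is not part of the thread and not anyone's posted code. It builds a constructed zone with the wildcard MX, a dual-addressed mail.example.com and a GUPI-only server.example.com, then resolves a sender's delivery targets using two rules that are standard DNS and SMTP behaviour: an RFC 1034 wildcard only synthesises records for names that do not exist at all (so a name that owns an AAAA never matches *.example.com), and with no MX an SMTP client falls back to the domain's own address records (RFC 2821 section 5). Assumptions of mine, not the thread's: GUPI addresses are modelled with the fc00::/7 range that RFC 4193 later assigned to unique local addresses (the thread never states the GUPI prefix); 2001:db8::/32 is documentation space; and the sender either can or cannot reach the GUPI range, expressed as a boolean.

```python
"""Added example: why a GUPI-only host under a wildcard MX still fails.

Constructed zone and constructed addresses; not code from the IPng thread.
"""
import ipaddress

# Assumption: model "GUPI" as fc00::/7, the range RFC 4193 later used for ULAs.
NOT_GLOBAL = ipaddress.ip_network("fc00::/7")

# Constructed zone: owner name -> list of (rrtype, rdata). MX rdata is (pref, host).
ZONE = {
    "*.example.com.": [("MX", (10, "mail.example.com."))],
    "mail.example.com.": [("AAAA", "2001:db8:1::25"),        # global
                          ("AAAA", "fd12:3456:789a::25")],   # GUPI-style
    "server.example.com.": [("AAAA", "fd12:3456:789a::26")], # GUPI only
}


def lookup(zone, name, rrtype):
    """Answer a query the way an authoritative server would.

    RFC 1034 s4.3.3: a wildcard matches only names that do not exist at all.
    server.example.com. exists (it owns an AAAA), so *.example.com. is not
    consulted for it, even for a type it does not have (MX).
    """
    if name in zone:
        return [rd for t, rd in zone[name] if t == rrtype]
    parts = name.split(".", 1)
    parent = parts[1] if len(parts) > 1 else ""
    return [rd for t, rd in zone.get("*." + parent, []) if t == rrtype]


def mail_targets(zone, domain):
    """Hosts an SMTP client tries for `domain`, in MX preference order.

    RFC 2821 s5: with no MX records, the domain itself is the only target.
    """
    mx = sorted(lookup(zone, domain, "MX"))
    return [host for _, host in mx] or [domain]


def delivery_attempts(zone, domain, sender_reaches_gupi):
    """Every (host, address, reachable) a scope-unaware MTA would try.

    `reachable` is what the sender would discover, by timeout, per address.
    """
    attempts = []
    for host in mail_targets(zone, domain):
        for addr in lookup(zone, host, "AAAA"):
            global_addr = ipaddress.IPv6Address(addr) not in NOT_GLOBAL
            attempts.append((host, addr, global_addr or sender_reaches_gupi))
    return attempts


def delivers(zone, domain, sender_reaches_gupi):
    """True if at least one attempted address is reachable by this sender."""
    return any(ok for _, _, ok in delivery_attempts(zone, domain, sender_reaches_gupi))


if __name__ == "__main__":
    for domain in ("other.example.com.", "server.example.com."):
        for reaches in (False, True):
            print(domain, "sender reaches GUPI:", reaches)
            for host, addr, ok in delivery_attempts(ZONE, domain, reaches):
                print("   ", host, addr, "ok" if ok else "TIMEOUT")
            print("    delivered:", delivers(ZONE, domain, reaches))
```

Two things fall out of running it. For a name with no records of its own, the wildcard MX sends mail to mail.example.com, and the sender succeeds on the global address but, being scope-unaware, also tries the GUPI address and times out; that is the "works so far, perhaps with timeouts" case, and listing the global address first is what keeps the timeout from preceding the success. For server.example.com the wildcard never applies because the name exists, the MTA falls back to the host's own AAAA, and a sender without GUPI reachability has nothing left to try; the fix is the one the reply gives, advertising a reachable server, not removing the GUPI from the DNS.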