On Fri, 30 Jun 2006, JINMEI Tatuya / ¿ÀÌÀãºÈ wrote:
This time I'm also copying the ipv6 list. In fact, [EMAIL PROTECTED] would be
more suitable place for discussions on this proposal, since it's an
extension to ND.
...
Disclaimer: router-side support for this has been added (as it was
contributed by others) to radvd which I maintain. However, I do not
have a strong opinion on this topic one way or the other.
If this goes forward, as an implementor I'd like to get IANA codepoint
assigned quickly so that experiments would interoperate (and
implementors wouldn't need to steal the next unused value or wait for
draft-fenner-iana-exp-2780-05.txt to get published).
[whether IPv6 ND was designed for applictions above layer-3]
So,
+ I'd first like to confirm whether my understanding about the
'design principle' is correct. If it's wrong, then I'm fine and
this concern will be resolved.
+ if my understanding is correct, I'd like this document to discuss
why this particular option is so special and needs to be defined
despite the violation of the principle, and to add an explicit
note that configuration information around this layer should not
be provided via RA unless there is a very strong reason.
The IETF doesn't do a very good job of documenting (and gaining
consensus on) its design principles, so for any opinions you might get
on this, you would also have opposite opinions, and hence I'm not sure
how useful pursuing this line of argument is.
I guess this underlines that to avoid fuss like this in the future,
better documentation of design principles might avoid ratholes.
This flag
SHOULD be set only if the routers or firewalls in
the network allow DNS Query messages to be routed
to the destination RDNSS without being filtered
out, and the RDNSS is configured to perform
recursive queries for all hosts regardless of
their addresses.
My understanding is that current operational trend is generally
against such "open recursive servers" as documented in
draft-ietf-dnsop-reflectors-are-evil-00.txt. So I'm skeptical about
the usefulness of this flag. Standardizing such a practice may even
be regarded as a conflict with the operational trend.
I don't have a strong opinion by pointing it out, but I might
consider removing this flag.
This is a good point and at the very least should be pointed out in
the security considerations. However, the text as written does not
preclude DNS server requiring other form of identification (e.g.,
TSIG) instead of addresses. In practice, I doubt such authentication
would be used very often.
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------