In message <d34d7bae-4781-4ae2-abb2-6d211c9b7...@virtualized.org>, David Conrad writes: > On Feb 17, 2009, at 11:28 AM, Tony Hain wrote: > > Approach IPv6 as a new and different protocol. > > Unfortunately, I gather this isn't what end users or network operators > want or expect. I suspect if we want to make real inroads towards > IPv6 deployment, we'll need to spend a bit more time making IPv6 look, > taste, and feel like IPv4 and less time berating folks for "IPv4- > think" (not that you do this, but others here do). For example, > getting over the stateless autoconfig religion (which was never fully > thought out -- how does a autoconfig'd device get a DNS name > associated with their address in a DNSSEC-signed world again?) and > letting network operators use DHCP with IPv6 the way they do with IPv4.
David you know as well as I do that DNSSEC is a orthognal issue here. The first issue is how do you assign a name to a object? The second issue is how do you add that name to the DNS? The third issue is how do you sign that change? I solve it by give the machine a name. Adding a KEY record at that name to the DNS, the private part the machine knows. I then use SIG(0) to update the address records of the machine whenever the addresses change. The DNS server that accepts that update generated new RRSIGs for the records affected by that change and the zone propogates out to the servers using NOTIFY. I update the reverse PTR records using tcp-self as the authentication mechanism. tcp-self is weak but is strong enough for the level of trust assigned to PTR records. Again the DNS server generates appropriate signatures. The machine's name is not tied to the network on which it lives. Mark > Or, we simply continue down the path of more NATv4. > > Regards, > -drc > > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org