On 23-mei-2007, at 21:48, james woodyatt wrote:
Split DNS is a very dirty hack, we shouldn't promote that.
Strange. Section 4.4 of RFC 4193 seems expressly to prohibit-- with a normative "MUST NOT"-- the sending of reverse ULA-to-name queries to name servers operating in the global DNS horizon.
I'm quickly reaching the point where I don't even care about RFCs claiming authority over stuff like this.
With IPv6, we wanted to get back to a single address space, where there may not be universal reachability, but there IS universal addressability, i.e., it doesn't change with your vantage point. But by including language like this we get to _address_ the entire IPv6 internet, which is good, but we don't get to _name_ it regardless of vantage point, which is bad.
How are we supposed to use them *without* splitting from the public DNS horizon?
Good question. I hope the authors of RFC 4193 are asking themselves exactly that.
Split DNS is a really, really bad idea, because it's very hard to control the flow of DNS requests in a non-trivial network, and any leaks create problems that persist for a long time because of caching.
And what about the situation where companies X and Y have a VPN tunnel between them so their ULA networks are linked. Setting up routing for this is trivial (unless you run out of RFC 1930 private AS numbers) but how would this work DNS-wise? This gets real complex real fast if you can't touch the root servers for ULA addresses.
While I'm on the subject... doesn't IETF already prohibit recursive DNS resolvers operating in the global DNS horizon to follow name server delegations through names that have no AAAA records with globally routable addresses in them? If not, then I'd call that an oversight.
What's the use of forbidding (prohibiting has the connotation of implied successfulness) something that happens all the time and isn't going to stop?