[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DNS and ULA

To: IETF V6OPS WG <v6ops@ops.ietf.org>
Subject: Re: DNS and ULA
From: james woodyatt <jhw@apple.com>
Date: Wed, 23 May 2007 14:51:53 -0700
Cc: dnsop@lists.uoregon.edu
In-reply-to: <4EEAB606-6386-40A1-9D8E-AC12C6950539@muada.com>
References: <20070521143828.GB17740@vacation.karoshi.com> <52F0686F-D9E0-423F-B90D-AEF4D51CC922@cisco.com> <20070521184048.GF31238@elvis.mu.org> <2094A476-F6B2-470E-9779-C52B481F0D09@cisco.com> <20070522003640.GI31238@elvis.mu.org> <A80093C8-5FCB-4563-A0B1-4E44C5E59775@cisco.com> <D4406F6D-1856-4D74-9964-31A066B8BB2F@muada.com> <CDE93B08-3199-438D-B59C-169D0D4230CF@apple.com> <4653F9F7.40309@gmail.com> <23C44099-9B56-4C85-B522-E5D7D671D4B7@muada.com> <16C915BB-4C3C-46CE-BF55-832CD8EAFC7C@apple.com> <4EEAB606-6386-40A1-9D8E-AC12C6950539@muada.com>

On May 23, 2007, at 13:42, Iljitsch van Beijnum wrote:

And what about the situation where companies X and Y have a VPNtunnel between them so their ULA networks are linked. Setting uprouting for this is trivial (unless you run out of RFC 1930 privateAS numbers) but how would this work DNS-wise? This gets realcomplex real fast if you can't touch the root servers for ULAaddresses.

Obviously, I can't look up your name servers for$YOUR_ULA_PREFIX.ip6.arpa in the global DNS horizon. You have toprovide them to me when we merge our networks, and I have toconfigure my DNS resolving proxies to use them instead of the globalDNS when looking up names for nodes in your prefix. Furthermore, Ialready need to configure my resolving proxies to search your DNShorizon if I want to resolve names for the addresses in your ULAprefix, and I don't particularly want to disclose the names ofaddresses in my ULA prefixes on the global DNS horizon, so you'regoing to have to do the same as me.

This is just a fact of life with IPv6 VPN and ULA. If I connect myhome network up to the Apple network through a VPN tunnel, I expectall my lookups for Apple-internal DNS names to resolve properly, andthey won't if I'm only searching the global DNS horizon. Thisvirtual private DNS horizoning already works fine with IPv4 VPNtunnels. There's no reason to think it won't just carry forwardnaturally into IPv6 VPN tunneling, so I fail to see the big deal.

What's the use of forbidding (prohibiting has the connotation ofimplied successfulness) something that happens all the time andisn't going to stop?


That which is not forbidden is easily made mandatory. <smiley/>

If recursive resolvers operating in the global DNS horizon arepermitted to follow delegations to name servers on ULA prefixes, thenthose delegations cannot be guaranteed to resolve to the same nameservers everywhere. Is that something we think resolvers are nowdoing all the time? ...that we believe isn't going to stop? ...thatwe think isn't an abomination against all that is hallowed in thename of the Internet Society?


Why do resolvers need to do this, and why can't they be made to stop?

Look at it this way: a prohibition would serve to define theboundaries of the global DNS horizon better, making it theresponsibility of the resolver to search only one horizon recursivelyat a time, i.e. a recursive search that begins at the global DNS rootMUST NOT leave the global DNS horizon.



--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering

Follow-Ups:
- Re: DNS and ULA
  - From: Brian E Carpenter <brian.e.carpenter@gmail.com>

References:
- Fwd: [info@arin.net: [arin-announce] ARIN Board Advises Internet Community on Migration to IPv6]
  - From: Fred Baker <fred@cisco.com>
- Re: Fwd: [info@arin.net: [arin-announce] ARIN Board Advises Internet Community on Migration to IPv6]
  - From: bill fumerola <billf@mu.org>
- Re: [info@arin.net: [arin-announce] ARIN Board Advises Internet Community on Migration to IPv6]
  - From: Fred Baker <fred@cisco.com>
- Re: [info@arin.net: [arin-announce] ARIN Board Advises Internet Community on Migration to IPv6]
  - From: bill fumerola <billf@mu.org>
- Re: [info@arin.net: [arin-announce] ARIN Board Advises Internet Community on Migration to IPv6]
  - From: Fred Baker <fred@cisco.com>
- Re: [info@arin.net: [arin-announce] ARIN Board Advises Internet Community on Migration to IPv6]
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: ARIN Board Advises Internet Community on Migration to IPv6
  - From: james woodyatt <jhw@apple.com>
- Re: ARIN Board Advises Internet Community on Migration to IPv6
  - From: Brian E Carpenter <brian.e.carpenter@gmail.com>
- Re: ARIN Board Advises Internet Community on Migration to IPv6
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: DNS and ULA
  - From: james woodyatt <jhw@apple.com>
- Re: DNS and ULA
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

Prev by Date: Re: DNS and ULA
Next by Date: Re: DNS and ULA
Previous by thread: Re: DNS and ULA
Next by thread: Re: DNS and ULA
Index(es):
- Date
- Thread