[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DNS and ULA



On 2007-05-23 23:51, james woodyatt wrote:
On May 23, 2007, at 13:42, Iljitsch van Beijnum wrote:

And what about the situation where companies X and Y have a VPN tunnel between them so their ULA networks are linked. Setting up routing for this is trivial (unless you run out of RFC 1930 private AS numbers) but how would this work DNS-wise? This gets real complex real fast if you can't touch the root servers for ULA addresses.

Obviously, I can't look up your name servers for $YOUR_ULA_PREFIX.ip6.arpa in the global DNS horizon. You have to provide them to me when we merge our networks, and I have to configure my DNS resolving proxies to use them instead of the global DNS when looking up names for nodes in your prefix. Furthermore, I already need to configure my resolving proxies to search your DNS horizon if I want to resolve names for the addresses in your ULA prefix, and I don't particularly want to disclose the names of addresses in my ULA prefixes on the global DNS horizon, so you're going to have to do the same as me.

I think this demonstrates very clearly why repeating that split DNS is evil
will get us nowhere. Split DNS is very widely used, so (like RFC 1918 and NAT)
its evilness has to be dealt with. And no, I don't think that's easy.

   Brian

This is just a fact of life with IPv6 VPN and ULA. If I connect my home network up to the Apple network through a VPN tunnel, I expect all my lookups for Apple-internal DNS names to resolve properly, and they won't if I'm only searching the global DNS horizon. This virtual private DNS horizoning already works fine with IPv4 VPN tunnels. There's no reason to think it won't just carry forward naturally into IPv6 VPN tunneling, so I fail to see the big deal.

What's the use of forbidding (prohibiting has the connotation of implied successfulness) something that happens all the time and isn't going to stop?

That which is not forbidden is easily made mandatory. <smiley/>

If recursive resolvers operating in the global DNS horizon are permitted to follow delegations to name servers on ULA prefixes, then those delegations cannot be guaranteed to resolve to the same name servers everywhere. Is that something we think resolvers are now doing all the time? ...that we believe isn't going to stop? ...that we think isn't an abomination against all that is hallowed in the name of the Internet Society?

Why do resolvers need to do this, and why can't they be made to stop?

Look at it this way: a prohibition would serve to define the boundaries of the global DNS horizon better, making it the responsibility of the resolver to search only one horizon recursively at a time, i.e. a recursive search that begins at the global DNS root MUST NOT leave the global DNS horizon.


--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering






--
NEW: Preferred email for non-IBM matters: brian.e.carpenter@gmail.com