[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DNS and ULA

To: james woodyatt <jhw@apple.com>
Subject: Re: DNS and ULA
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Date: Thu, 24 May 2007 11:26:55 +0200
Cc: IETF V6OPS WG <v6ops@ops.ietf.org>, dnsop@lists.uoregon.edu
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:user-agent:mime-version:to:cc:subject:references:in-reply-to:content-type:content-transfer-encoding; b=CrujwT1IdDdwlerG030VeY2cUXfxKMuUr5VdtmhWgi8PCmYtFPB2goNfVeMKFKmSemnh0ew88dm+bc1teG4sefwSkzf5fZikCC+x0xkd04Uqynujb9yzkYLRh3eozqJDmc4JMHjVuaH6I2xfKJQaiQFhNnTDM/aF2HekbLP6BBw=
In-reply-to: <2E118EE2-E9C9-4508-ABAA-8A05EFE8597A@apple.com>
References: <20070521143828.GB17740@vacation.karoshi.com> <52F0686F-D9E0-423F-B90D-AEF4D51CC922@cisco.com> <20070521184048.GF31238@elvis.mu.org> <2094A476-F6B2-470E-9779-C52B481F0D09@cisco.com> <20070522003640.GI31238@elvis.mu.org> <A80093C8-5FCB-4563-A0B1-4E44C5E59775@cisco.com> <D4406F6D-1856-4D74-9964-31A066B8BB2F@muada.com> <CDE93B08-3199-438D-B59C-169D0D4230CF@apple.com> <4653F9F7.40309@gmail.com> <23C44099-9B56-4C85-B522-E5D7D671D4B7@muada.com> <16C915BB-4C3C-46CE-BF55-832CD8EAFC7C@apple.com> <4EEAB606-6386-40A1-9D8E-AC12C6950539@muada.com> <2E118EE2-E9C9-4508-ABAA-8A05EFE8597A@apple.com>
User-agent: Thunderbird 1.5.0.10 (Windows/20070221)

On 2007-05-23 23:51, james woodyatt wrote:

On May 23, 2007, at 13:42, Iljitsch van Beijnum wrote:
And what about the situation where companies X and Y have a VPN tunnelbetween them so their ULA networks are linked. Setting up routing forthis is trivial (unless you run out of RFC 1930 private AS numbers)but how would this work DNS-wise? This gets real complex real fast ifyou can't touch the root servers for ULA addresses.
Obviously, I can't look up your name servers for$YOUR_ULA_PREFIX.ip6.arpa in the global DNS horizon. You have toprovide them to me when we merge our networks, and I have to configuremy DNS resolving proxies to use them instead of the global DNS whenlooking up names for nodes in your prefix. Furthermore, I already needto configure my resolving proxies to search your DNS horizon if I wantto resolve names for the addresses in your ULA prefix, and I don'tparticularly want to disclose the names of addresses in my ULA prefixeson the global DNS horizon, so you're going to have to do the same as me.


I think this demonstrates very clearly why repeating that split DNS is evil
will get us nowhere. Split DNS is very widely used, so (like RFC 1918 and NAT)
its evilness has to be dealt with. And no, I don't think that's easy.

   Brian

This is just a fact of life with IPv6 VPN and ULA. If I connect my homenetwork up to the Apple network through a VPN tunnel, I expect all mylookups for Apple-internal DNS names to resolve properly, and they won'tif I'm only searching the global DNS horizon. This virtual private DNShorizoning already works fine with IPv4 VPN tunnels. There's no reasonto think it won't just carry forward naturally into IPv6 VPN tunneling,so I fail to see the big deal.
What's the use of forbidding (prohibiting has the connotation ofimplied successfulness) something that happens all the time and isn'tgoing to stop?
That which is not forbidden is easily made mandatory. <smiley/>
If recursive resolvers operating in the global DNS horizon are permittedto follow delegations to name servers on ULA prefixes, then thosedelegations cannot be guaranteed to resolve to the same name serverseverywhere. Is that something we think resolvers are now doing all thetime? ...that we believe isn't going to stop? ...that we think isn'tan abomination against all that is hallowed in the name of the InternetSociety?
Why do resolvers need to do this, and why can't they be made to stop?
Look at it this way: a prohibition would serve to define the boundariesof the global DNS horizon better, making it the responsibility of theresolver to search only one horizon recursively at a time, i.e. arecursive search that begins at the global DNS root MUST NOT leave theglobal DNS horizon.
--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering



--
NEW: Preferred email for non-IBM matters: brian.e.carpenter@gmail.com

References:
- Fwd: [info@arin.net: [arin-announce] ARIN Board Advises Internet Community on Migration to IPv6]
  - From: Fred Baker <fred@cisco.com>
- Re: Fwd: [info@arin.net: [arin-announce] ARIN Board Advises Internet Community on Migration to IPv6]
  - From: bill fumerola <billf@mu.org>
- Re: [info@arin.net: [arin-announce] ARIN Board Advises Internet Community on Migration to IPv6]
  - From: Fred Baker <fred@cisco.com>
- Re: [info@arin.net: [arin-announce] ARIN Board Advises Internet Community on Migration to IPv6]
  - From: bill fumerola <billf@mu.org>
- Re: [info@arin.net: [arin-announce] ARIN Board Advises Internet Community on Migration to IPv6]
  - From: Fred Baker <fred@cisco.com>
- Re: [info@arin.net: [arin-announce] ARIN Board Advises Internet Community on Migration to IPv6]
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: ARIN Board Advises Internet Community on Migration to IPv6
  - From: james woodyatt <jhw@apple.com>
- Re: ARIN Board Advises Internet Community on Migration to IPv6
  - From: Brian E Carpenter <brian.e.carpenter@gmail.com>
- Re: ARIN Board Advises Internet Community on Migration to IPv6
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: DNS and ULA
  - From: james woodyatt <jhw@apple.com>
- Re: DNS and ULA
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: DNS and ULA
  - From: james woodyatt <jhw@apple.com>

Prev by Date: Re: DNS and ULA
Next by Date: Re: ULA (was Re: ARIN Board Advises Internet Community on Migration to IPv6)
Previous by thread: Re: DNS and ULA
Next by thread: ULA (was Re: ARIN Board Advises Internet Community on Migration to IPv6)
Index(es):
- Date
- Thread