[6bone] Request: two 6bone pTLAs
Lars-Johan Liman
liman at autonomica.se
Sun May 9 12:16:16 PDT 2004
iljitsch at muada.com:
> Now that I have your attention...
> For some time, I've been unhappy with the progress (or rather, lack
> thereof) in the area of DNS resolver discovery/configuration in IPv6.
> I've been advocating the well-known address (WKA) approach, as setting
> up DNS resolvers at well-known addresses doesn't require changes to
> existing implementations, and thus provides instant relief to those of
> us who want to experiment with running IPv6 in environments where
> having a way to automatically determine IPv6 DNS resolver addresses is
> important.
> ...
Iljitsch,
While I recognize that automagically finding resolvers can be quite
important, I think that WKAs have already been proven to be not a dead
end, but a velodrome from which you cannot escape, and where you just
have to pedal faster and faster. There have, as you know, been a
number of proposals on how to discover a suitable resolver, and I will
make my voice heard against any solution that, by neglect, lack of
understanding, disrespect, and/or pure stupidity, automagically will
inject traffic into a third party's systems in a non-deterministic
way.
My strong feeling is that:
1) A client system shouldn't spew packets (DNS or other) on any other
host, without local configuration to make it do so - preferably
through a local configuration service such as DHCP. This can be
done within my own network or by my ISP, but the point is that it's
a configuration that is local, and that can be adjusted as needed
with reasonably short notice; and that an active measure is
taken to make something happen.
I really dislike a system where I or my ISP can be forced into
starting an anycast instance just to balance the traffic and make
sure that the service to the "local" clients is up to standard.
Things shouldn't be turned "on" by default on the Internet, they
should be turned "off". Otherwise you stand the risk of ending up
like Windows, where every bell and whistle is turned on by default
- open for each and every cracker to take advantage
of. Automagically having them turned "on" also puts you in an
awkward position from a legal standpoint:
E.g., in court:
Party1: "You keep bombarding me with traffic!"
Party2: "I haven't turned on anything such, so it can't be my fault!"
2) Locking these well known addresses into systems is likely to cement
the use of 6bone addresses in a way that we *REALLY* don't want
to. How long did it take to wiggle out of the official use of net
10.0.0.0/8?
3) I think it opens up a Pandora's box of security issues that I, for
one, don't want to touch even with my thickest gloves. (Regardless
of the fact that DNSSEC (which *still* isn't operational - *that's*
something for you!) is designed to be able to cope with mischievous
resolvers.)
4) Comparing it to the anycast system that some of the root name
servers (i.root-servers.net for one) use is highly inappropriate,
because in the root-ns case, all of the anycast instances are
managed by the same operational entity, which gives a very good
overview of traffic patterns and service levels. The system can be
dynamically balanced to function well. This is not the case when you
have an anycast system where anyone can put in their service.
A comparison with the AS112 system to service reverse mapping for
the RFC 1918 address space would be more appropriate, but would
still be limping, since the data is non-existent, and the whole
point of that project is to return "NXDOMAIN", not active data.
DHCP is the way to go. It's there, it works, it's been proven to fit
into really small appliances.
YMMV.
Cheers,
/Liman
#----------------------------------------------------------------------
# Lars-Johan Liman, M.Sc. ! E-mail: liman at autonomica.se
# Senior Systems Specialist ! HTTP : //www.autonomica.se/
# Autonomica AB, Stockholm ! Voice : +46 8 - 615 85 72
#----------------------------------------------------------------------
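The mechanism Liman argues for above (resolver addresses handed out by a local configuration service rather than baked into hosts as well-known addresses) is what DHCPv6 carries in OPTION_DNS_SERVERS (code 23) and OPTION_DOMAIN_LIST (code 24), defined in RFC 3646. The following is an added example, not code from the original post or from the 6bone project: it builds those two options, parses them back out of a DHCPv6 option buffer with the length checks a careful client should apply, and rejects malformed payloads. The DHCPv6 message header that would precede the options is left out; the resolver addresses and search domain are constructed sample values.

```python
"""Encode and decode DHCPv6 resolver-configuration options (RFC 3646).

Added example. Option wire format (RFC 3315): 2-byte code, 2-byte
length, then `length` bytes of payload, all big-endian.
  OPTION_DNS_SERVERS (23): a sequence of 16-byte IPv6 addresses.
  OPTION_DOMAIN_LIST (24): domain names in RFC 1035 label format,
                           without compression pointers.
"""
import ipaddress
import struct

OPTION_DNS_SERVERS = 23
OPTION_DOMAIN_LIST = 24


def encode_dns_servers(addrs):
    """Pack a list of IPv6 address strings into an OPTION_DNS_SERVERS option."""
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    return struct.pack("!HH", OPTION_DNS_SERVERS, len(body)) + body


def encode_domain_list(names):
    """Pack a list of domain names into an OPTION_DOMAIN_LIST option."""
    body = b""
    for name in names:
        for label in name.rstrip(".").split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("label length must be 1..63: %r" % label)
            body += bytes([len(raw)]) + raw
        body += b"\x00"  # root label terminates each name
    return struct.pack("!HH", OPTION_DOMAIN_LIST, len(body)) + body


def iter_options(buf):
    """Yield (code, payload) for every option in a DHCPv6 option buffer,
    refusing headers or payloads that run past the end of the buffer."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated option header at offset %d" % off)
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("option %d length %d exceeds buffer" % (code, length))
        yield code, buf[off:off + length]
        off += length


def decode_dns_servers(body):
    """Return the IPv6 resolver addresses carried in an OPTION_DNS_SERVERS payload."""
    if len(body) % 16:
        raise ValueError("OPTION_DNS_SERVERS length %d is not a multiple of 16" % len(body))
    return [ipaddress.IPv6Address(body[i:i + 16]) for i in range(0, len(body), 16)]


def decode_domain_list(body):
    """Return the search domains carried in an OPTION_DOMAIN_LIST payload."""
    names, off = [], 0
    while off < len(body):
        labels = []
        while True:
            if off >= len(body):
                raise ValueError("truncated domain name")
            n = body[off]
            off += 1
            if n == 0:
                break
            if n >= 0xC0:
                raise ValueError("compression pointers are not allowed in OPTION_DOMAIN_LIST")
            if n > 63 or off + n > len(body):
                raise ValueError("bad label length %d" % n)
            labels.append(body[off:off + n].decode("ascii"))
            off += n
        names.append(".".join(labels))
    return names


def parse_resolver_config(buf):
    """Extract (resolver addresses, search domains) from a DHCPv6 option buffer.
    Unknown options are skipped; malformed ones raise ValueError."""
    servers, search = [], []
    for code, body in iter_options(buf):
        if code == OPTION_DNS_SERVERS:
            servers.extend(decode_dns_servers(body))
        elif code == OPTION_DOMAIN_LIST:
            search.extend(decode_domain_list(body))
    return servers, search


# Constructed sample: what a local DHCPv6 server might hand a client.
SAMPLE_RESOLVERS = ["2001:db8::53", "2001:db8:1::53"]
SAMPLE_SEARCH = ["example.net"]
SAMPLE_OPTIONS = encode_dns_servers(SAMPLE_RESOLVERS) + encode_domain_list(SAMPLE_SEARCH)

if __name__ == "__main__":
    servers, search = parse_resolver_config(SAMPLE_OPTIONS)
    print("resolvers:", [str(s) for s in servers])
    print("search list:", search)
```

Only addresses that actually arrived in the option are used, and a client applying this keeps the property Liman asks for: no DNS traffic leaves the host until the local configuration service has said where it should go, and that target can be changed on short notice by whoever runs the service.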