On 16 Jun 2010, at 07:56, Kostas Zorbadelos wrote:
Of course IPv6 produces a totally different world in many things and I guess reverse DNS is one of them.
+1
Although reverse DNS is used as a weak authentication mechanism today (if it can be characterized like that) it is not the only use. It is very convenient to see names instead of ugly IPv6 addresses in log files for instance.
I tend to agree. Though a cost/benefit analysis tends to suggest this convenience might not be worth the pain.
Now DDNS is another thought. Can you imagine that working however in an environment of multi-million mobile and consumer devices powering up often, in a secure and scalable way? I find it a challenge, though never say never :)
I imagine all sorts of things and you probably don't want to know what goes on inside my head. Really. :-) You're right to say that provisioning IPv6 PTR records for bazillions of edge devices is "challenging". In some cases it might not be worth the effort. [Would anyone care if the beer cans in my fridge had hostnames or if they got renumbered once I'd drunk them?] I think that was part of the argument that was being made about not bothering with PTRs for IPv6 addresses. Particularly for stuff that had transient or rapidly changing connectivity.
My personal preference would be to delegate the /80 (or whatever) to the end-user/customer and leave them to choose how to provision that zone. [Your mileage may vary...] This might work fairly painlessly with the tcp-self and 6to4-self hooks to the update-policy{} clause in BIND 9.7. Though that's still messy. It also relies on well-behaved clients which is perhaps unwise.
The hooks you are referring to in BIND are DDNS stuff?
Yes. The tcp-self and 6to4-self hooks allow clients to change the PTR for their own IPv6 address without needing a TSIG or other crypto token. The dynamic updates have to be made over TCP though.
The provider can populate and maintain this space prety much as it does today. Consider home equipment, PCs with Windows 7 or any other operating system with similar behaviour, which as we noticed, apart from the autoconfiguration address, produce random IPv6 addresses used in outgoing connections that change every couple of hours or so.
Add to all that some DNSSEC sugar ;-)
Yes. It's delightful, isn't it? The plug and play semantics of IPv6 pretty much force us down the road of DDNS for forward and reverse lookups if name<->address mappings matter. That in turn makes DNSSEC "interesting".