> Approach IPv6 as a new and different protocol.
Unfortunately, I gather this isn't what end users or network operators
want or expect. I suspect if we want to make real inroads towards
IPv6 deployment, we'll need to spend a bit more time making IPv6 look,
taste, and feel like IPv4 and less time berating folks for "IPv4-
think" (not that you do this, but others here do). For example,
getting over the stateless autoconfig religion (which was never fully
thought out -- how does a autoconfig'd device get a DNS name
associated with their address in a DNSSEC-signed world again?) and
letting network operators use DHCP with IPv6 the way they do with IPv4.
David you know as well as I do that DNSSEC is a orthognal
issue here.
The first issue is how do you assign a name to a object?
The second issue is how do you add that name to the DNS?
The third issue is how do you sign that change?
I solve it by give the machine a name. Adding a KEY record
at that name to the DNS, the private part the machine knows.
I then use SIG(0) to update the address records of the
machine whenever the addresses change. The DNS server that
accepts that update generated new RRSIGs for the records
affected by that change and the zone propogates out to the
servers using NOTIFY.
I update the reverse PTR records using tcp-self as the
authentication mechanism. tcp-self is weak but is strong
enough for the level of trust assigned to PTR records.
Again the DNS server generates appropriate signatures.
The machine's name is not tied to the network on which it
lives.
Mark