>> (which was never fully
>> thought out -- how does an autoconfig'd device get a DNS name
>> associated with their address in a DNSSEC-signed world again?) and
>> letting network operators use DHCP with IPv6 the way they do with
>> IPv4.
> David you know as well as I do that DNSSEC is an orthogonal
> issue here.
My understanding, which may well be wrong, is that:
- stateless auto-configuration assumes the client will update the
address to name association once it has obtained the address.
- In order to do this, the DNS server needs to support Dynamic DNS.
- If DNSSEC is in use, it requires the use of on-line signing keys.
- Security folks get unhappy when you mention on-line signing keys.
Security is about managing risk, not eliminating all risks,
as that is an unobtainable goal. Security folks that don't
understand that don't understand their jobs.
Solution?
- Don't have address to name associations
- Don't worry about (or accept lesser) security on address to name
associations.
DNSSEC is designed to work with off-line signing if that is
the security level you require. It doesn't however require
off-line signing.
A HSM which just prevents access to the private key is more
than enough for most deployment scenarios.
Of course the DNSSEC bit is sort of moot, as I suspect there aren't a
whole lot of ISPs in a position to support dynamic updates from
clients...
Actually I suspect they are all in a position to do so as
the software to do this was deployed by the major vendors
last century.
What it takes is for them to move from the arcane dialup
model where there was no point in doing this to the
semi-static model where there is a point in letting the
leasees have the ability to record the names of their
machines in the DNS. In other words, ISPs need to enter the
21st century.
Mark
Yeah, those stupid, lazy, ISPs. I'm sure they're just sitting around every day, kicking back, eating Bon Bons(tm), and thinking of all the new and interesting ways they can burn the vast tracts of ill-gotten profits they're obviously rolling in.
Reality check: change in large scale production networks is hard and expensive. There needs to be a business case to justify making substantive changes. You are arguing that ISPs should make changes without any obvious mechanism to guarantee some return on the investment necessary to pay for those changes. This is a waste of time.
In general, NAT is paid for by the end user, not the network provider. Migrating to IPv6 on the other hand is paid for entirely by the network provider. Guess which is easier to make a business case for?
Note that I'm not saying I like the current state of affairs, rather I'm suggesting that jumping up and down demanding ISPs change because you think they're stuck in the last century is unlikely to get you very far. You want a concrete suggestion? Make configuring DDNS on BIND _vastly_ simpler, scalable to tens or hundreds of thousands of clients, and manageable by your average NOC staff.
Regards,
-drc
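The two messages above describe the same pipeline from different ends: a host obtains an address by stateless autoconfiguration, sends a dynamic update to register its name, and the zone must be signed on-line for that update to produce a valid DNSSEC chain. As an added illustration (not configuration from any of the posters, nor from an ISP), the BIND named.conf fragment below shows one way that zone can be set up: per-host TSIG keys restricted by update-policy to the host's own name and AAAA type, with BIND's automatic signing keeping the zone valid after each update. The zone name, key name, file paths and the TSIG secret are constructed placeholders.

```conf
// Added example: a dynamically updated, automatically signed zone in BIND 9.16+.
// All names, paths and the secret are placeholders, not values from the thread.

// One TSIG key per customer host. With the "self" rule type below, the key name
// must equal the DNS name the key is allowed to modify.
key "host1.example.net." {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, generate with tsig-keygen
};

zone "example.net" {
    type primary;
    file "/var/named/dynamic/example.net.db";     // placeholder path

    // Let each host change only its own AAAA record. Nothing else in the zone
    // is writable by customer keys, which bounds the damage of a leaked key.
    update-policy {
        grant host1.example.net. self host1.example.net. AAAA;
    };

    // On-line signing: BIND holds the zone keys and re-signs changed RRsets
    // after every dynamic update, so the zone stays DNSSEC-valid without an
    // operator touching it. This is the "on-line signing keys" trade-off
    // discussed in the thread; the private keys can be kept in an HSM via
    // PKCS#11 rather than as files in key-directory.
    dnssec-policy default;
    inline-signing yes;
    key-directory "/var/named/keys";              // placeholder path
};
```

A host would then register itself with nsupdate -k pointing at its key file, sending a delete followed by an add for its own AAAA record; because the policy grants only that name and type, a client cannot alter another customer's record or the zone apex even with a valid key. Scaling this to tens of thousands of clients is mostly a matter of generating and distributing the per-host keys, which is the operational gap the message above points at.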
You are arguing that ISPs should make changes
without any obvious mechanism to guarantee some return on the
investment necessary to pay for those changes.
Nail on the head and the 800 pound gorilla in the room. Japan gave tax incentives which helped their ISPs to move to IPv6. Find a lazy lobbyist who can educate a senator to say that there will be no more tubes left on the internet and slide a tax incentive into the next stimulus package :-)
Zaid
Japan gave tax incentives which helped their ISP's to move to IPv6.
i am writing this from my home office in tokyo. i have the latest
fanciest wizbang ftth bflets 100/100 from ntt. native ipv6 is not
offered on it.
if i connect a v6 device to it, it gives me a v6 AC and RA. but
that is for the closed walled garden voip phone service.
randy