Re: [dhcwg] SLAAC and DDNS
> No, in that case the server is selecting both the addresses and the hostname, and assigning them. You're proposing that the client supply the addresses, which is not very different from simply updating DNS directly,
Except that if you choose TSIG for dynamic update security, then you still need keys on all your clients.
> unless you provide the server with some way of validating that the DUID, FQDN, and addresses are consistent.
Why? For RFC 4703/4704 behavior, a client provides the DUID and FQDN. For a stateful DHCPv6, the server determines the address, for stateless DHCPv6, the client provides the address in the Info-Request. In either case, if some malicious hacker were able to fabricate the proper DUID, he could cause pretty much the same havoc in both environments.
> You also need to work in the mechanism where the client and server negotiate through several trials to a domain name, which means you have to solicit offers, and make a request from the server you've selected, in order to arrive at a single domain name (rather than having 10 servers update 10 names at the same time).
I'm having trouble understanding the need for this. If this were true, wouldn't a stateful server which supports 4703/4704 need to do this also?
> And you have to work out the lease time you're now going to be applying to these domain names. They have to be removed from DNS at some point, and clients can probably not be trusted to reliably solicit for their removal.
Yes, I believe I had identified this problem in my initial post. So far, I have only thought of some sort of "scavenger" that cleans up stale resource records. But I'll be honest that this may be a show-stopper.
Greg
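The DUID/FQDN consistency check the thread keeps circling back to is what the DHCID record (RFC 4701) gives a DHCPv6 server that does RFC 4703-style updates: the server stores a digest of the DUID plus the name alongside the AAAA record, and refuses to overwrite a name whose DHCID was produced by a different DUID. The following is an added illustration, not code from the thread or from any DHCP implementation; the identifier-type and digest-type codes are assumed from RFC 4701, and the DUID is a constructed sample.

```python
import base64
import hashlib
from typing import Optional

# RFC 4701: identifier type 0x0002 = DHCPv6 DUID, digest type 1 = SHA-256
# (both codes assumed from that RFC, not from the thread).
DHCID_ID_TYPE_DUID = 0x0002
DHCID_DIGEST_SHA256 = 1


def fqdn_to_wire(fqdn: str) -> bytes:
    """Canonical DNS wire form of a name: lowercase labels, length-prefixed."""
    out = bytearray()
    for label in fqdn.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminator
    return bytes(out)


def dhcid_rdata(duid: bytes, fqdn: str) -> bytes:
    """RDATA = id-type (2 octets) | digest-type (1 octet) | SHA-256(duid || fqdn)."""
    digest = hashlib.sha256(duid + fqdn_to_wire(fqdn)).digest()
    return DHCID_ID_TYPE_DUID.to_bytes(2, "big") + bytes([DHCID_DIGEST_SHA256]) + digest


def dhcid_presentation(duid: bytes, fqdn: str) -> str:
    """Zone-file presentation form is base64 of the whole RDATA."""
    return base64.b64encode(dhcid_rdata(duid, fqdn)).decode("ascii")


def update_allowed(existing_dhcid: Optional[bytes], duid: bytes, fqdn: str) -> bool:
    """Server-side gate before replacing the AAAA for fqdn: a name with no DHCID
    is free; a name that has one may only be updated by the DUID that created it."""
    if existing_dhcid is None:
        return True
    return existing_dhcid == dhcid_rdata(duid, fqdn)


# Constructed sample DUID-LL (type 3, hw type 1, made-up MAC); not a real device.
SAMPLE_DUID = bytes.fromhex("0003" "0001" "001122334455")

if __name__ == "__main__":
    name = "host1.example.com"
    stored = dhcid_rdata(SAMPLE_DUID, name)
    print(name, "DHCID", dhcid_presentation(SAMPLE_DUID, name))
    print("same DUID may update:", update_allowed(stored, SAMPLE_DUID, name))
    print("other DUID may update:", update_allowed(stored, b"\x00\x03\x00\x01\xde\xad\xbe\xef", name))
```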