
Re: [RAM] Renumbering impossibility: TSL/SSL certs, DNS delegation etc.



Hi,

On Fri, Aug 03, 2007 at 12:37:10PM +1000, Robin Whittle wrote:
> If a server has an SSL certificate, that is specific to its physical
> IP address.  No amount of automation can help with that, or the cost
> and time-delay of getting another certificate.

Doing so in the first place could be considered a mistake.  The nice thing
about *names* is that you can (and should!) tie the SSL certificate to the 
domain name that you want to secure, not to the IP address.

[..]
> As far as I know, this notion of IPv6 end-users supposedly being
> happy with PA space and automated renumbering has been going on for
> ten years or so.  Hadn't anyone thought of all the config files
> (named, httpd, imapd, firewall etc.), SSL certs, DNS delegation etc.?

Most end user networks neither run name servers nor SSL certs, etc., in
their network range - they delegate that task to their service providers.

"all the config files" should contain host names, not IP addresses
(that's what DNS has been invented for, half a century ago).

Of course there are larger "end users" (corporate networks) that have
local servers in their network - but even then, with proper planning
in the setup phase (and that means "not putting IP addresses in places
that should have server names"), renumbering is not painless, but also
not impossible.  It mostly boils down to firewall rules, and changing
glue for a few name servers (again, the "proper planning" thing).

Gert Doering
        -- NetMaster
-- 
Total number of prefixes smaller than registry allocations:  113403

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279

_______________________________________________
RAM mailing list
RAM at iab.org
https://www1.ietf.org/mailman/listinfo/ram
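
Added example, not part of the original message: a Python audit for the planning step the reply describes, listing the lines of a configuration file that hard-code an address inside the prefix being renumbered. The function name, the sample configuration and the documentation prefixes are constructed for illustration, and only `#` comments are stripped.

```python
import ipaddress
import re

# Candidate patterns only; the ipaddress module does the real validation.
_V4 = r"(?<![\w.])\d{1,3}(?:\.\d{1,3}){3}(?!\.?\w)"
_V6 = r"(?<![\w:.])[0-9A-Fa-f]{0,4}(?::[0-9A-Fa-f]{0,4}){2,7}(?![\w:.])"
_CANDIDATE = re.compile(f"{_V4}|{_V6}")


def hardcoded_addresses(config_text, old_prefixes):
    """Return (line_no, address, line) for each literal inside old_prefixes."""
    nets = [ipaddress.ip_network(p) for p in old_prefixes]
    hits = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        code = line.split("#", 1)[0]  # ignore '#' comments
        for match in _CANDIDATE.finditer(code):
            try:
                addr = ipaddress.ip_address(match.group(0))
            except ValueError:
                continue  # timestamps, MAC addresses, version strings
            if any(addr.version == n.version and addr in n for n in nets):
                hits.append((line_no, str(addr), line.strip()))
    return hits


# Constructed sample: mixed daemon and firewall settings.
SAMPLE = """\
# constructed sample configuration
listen = 192.0.2.10:443
upstream = imap.example.net
allow from 2001:db8:1::/48
allow from [2001:db8:1::25]:993
resolver = 198.51.100.53
started = 12:30:45   # a time, not an address
"""

if __name__ == "__main__":
    # Assumed old provider-assigned prefixes (documentation ranges).
    for line_no, addr, line in hardcoded_addresses(
        SAMPLE, ["192.0.2.0/24", "2001:db8:1::/48"]
    ):
        print(f"line {line_no}: {addr} must change -> {line}")
```

Lines that reference servers by host name, such as the `upstream` entry, produce no findings; the remaining hits are the firewall-style rules and listener bindings the reply expects to need manual attention.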