Re: Yahoo and IPv6

[Mark Andrews <marka () isc org>]

In message <51008.1305573225 () nsa vix com>, Paul Vixie writes:
> > Date: Mon, 16 May 2011 14:37:46 -0400
> > From: Jim Gettys <jg () freedesktop org>
> >
> > > perhaps i'm too close to the problem because that solution looks quite
> > > viable to me.  dns providers who don't keep up with the market (which
> > > means ipv6+dnssec in this context) will lose business to those who do.
> >
> > I don't believe it is currently viable for any but the hackers out there,
> > given my experience during the Comcast IPv6 trial.  Typing V6 addresses
> > (much less remembering them) is a PITA.
>
> > You are asking people who don't even know DNS exists, to bother to
> > establish another business relationship (or maybe DNS services might
> > someday be provided by their ISP).
>
> actually, i'm asking the opposite.  only hackers run their own dns mostly;
> the vast majority of users who don't know what ipv6 or dnssec are, are
> already outsourcing to ultradns/neustar, or verisign, or dyn.com, etc, or
> for recursive they're using opendns, google dns, etc.  these companies can
> either add the new services and do outreach to their customer bases, or
> they can allow their competitors to do so.
>
> of those who still run their own dns, the vast majority actually do know
> the dnssec and ipv6 issues facing them.
>
> > If you get past that hurdle they get to type long IPv6 addresses into a web
> > page they won't remember where it was the year before when they did this
> > the last time to add a machine to their DNS.
>
> i've been using ipv6 dual stack for ten years at ISC and for one year at
> home (i was comcast's first north american dual stack native customer) and
> the only time i type long ipv6 addresses is when editing dns zone files or
> configuring routers and hosts.  i think your experiences may have been
> worse than mine and i'll be interested in knowing whether they're common.
>
> > The way this "ought" to work for clueless home users (or cluefull users
> > too, for that matter) is that, when a new machine appears on a network, it
> > "just works", by which I mean that a globally routeable IPv6 address
> > appears in DNS without fussing around using the name that was given to the
> > machine when it was first booted, and that a home user's names are
> > accessible via secondaries even if they are off line.
>
> this is why ISC DHCP and ISC BIND can communicate using RFC 2136 DNS
> dynamic updates, secured with RFC 2845 transaction signatures.  once you
> get this running then you don't have to type ipv6 addresses anywhere.  and
> i know that infoblox and other BIND Inside appliance vendors have the same
> capability, and that Cisco and other DNS/DHCP vendors can also participate
> in these open standards pretty much out of the box.  this is what i worked
> on when i first found out about IETF back in 1995 or so.  it's all done now
> you just have to learn it and deploy it.  (and if you don't think end users
> ought to have to learn how to configure their DHCP to talk to their DNS,
> i will point them at a half dozen appliance and outsourcing vendors who can
> take the ones and zeroes out of this for them.)

Or the host can talk directly to the DNS server.  TSIG can scale
up to millions of clients with their own keys which may or may not
be share between machines.  Just because nameservers currently have
the keys in flat configuration files doesn't mean that it has to
stay that way.  The keys could just as easily be in a seperate
database which the nameserver only reads.  Similarly SIG(0) could
be used using KEY records stored in the DNS itself.

I believe MacOS already supports TSIG directly though they don't
call it that.  Windows could also add support to TSIG in addition
to GSS-TSIG for the non enterprise customers.  This really isn't
hard. You just store a keyname/secret pair for the machine to use
at boot time.  MacOS calls is account/password from memory.

The hard part is convincing people to do it by default.  This is
nothing more than what the dynamic DNS vendors have been doing for
the last decade.  If you want a custom zone you pay $X per month
extra otherwise you get the default zone for the ISP which doesn't
have to be the ISP's zone.

         machine{.subdomain}*.<cust-unique>.example.net

And as the updates are signed you can accept them from anywhere in
the world.

> > And NXDOMAIN should work the way it was intended, for all the reasons
> > you know better than I.
>
> while i agree, i don't think the people who are substituting positive
> responses for NXDOMAIN care at all what you think or what i think, so i'm
> going to focus on what can be done which is advancing robust solutions.
>
> > This is entirely possible ;-).  Just go ask Evan Hunt what he's been up to
> > with Dave Taht recently....
>
> more appliance vendors including open source are definitely welcome.  the
> pool is large enough for everybody to swim in it.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org