
Re: Is there agreement on ddns (or any such) with autoconfigured hosts?



On Tue, Jun 28, 2005 at 03:12:49PM -0400, Michael Richardson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> 
> >>>>> "Marc" == Marc Singer <elf@buici.com> writes:
>     Marc> I've read many threads on the DNS including an extended one
>     Marc> from 1999.  As far as I can tell, there doesn't seem to have
>     Marc> been a consensus about how to handle dynamic updates to DNS
>     Marc> from autoconfigured hosts.  It isn't important to me that I
>     Marc> have reverse lookups, nor do I even care if I have to use
>     Marc> stateful configuration.  I'm just not seeing all of the
>     Marc> pieces.
> 
>     Marc>   o Is there a DHCPv6 server running on Debian?
>     Marc>   o Is there a dynamic DNS update mechanism in place for
>     Marc> stateless-autoconfigured hosts?
> 
>   I know of no DHCPv6 code for debian, nor any clients.
> 
>   They exist, but I haven't seen them. I'd run them. I see no way to do
> DDNS without state. I also see lots of reasons why I want state in my
> address configuration, something which the v6-purists never have
> comprehended. 
>   (It's because they mostly build routers and never think about
> applications) 
> 
>   I know of no feasible way to do DDNS for stateless-autoconfiguration
> hosts. 
> 
>   This is a problem I'd like to solve, so that I can do wavesec.org on
> ipv6.

There is a long thread about this from 1999 on the ietf namedroppers
list.  There was no consensus due to conflicting desires for
correctness and security.

I don't think that the problem is intractable.  Even stateless
autoconfig is amenable to assertions of connectivity.  The machine that
announces the network (radvd) could perform a connectivity check and
probe for known hosts.

  o On seeing some ICMP traffic from an unknown host, a DNS entry is
    inserted for it.  Unknown hosts get policy generated names.  Known
    hosts (known mac addresses) may receive something else.  I don't
    believe there is any sort of declaration of a name from an
    addrconf'ing host.
  o Attempts to insert a duplicate name should be challenged, looking
    for the presence of the previous host.  May result in pulling the
    DNS entry automatically.
  o Periodic checks for live hosts will cull out-dated entries.

The list talked about maintaining user's complete name.  Paul Vixie
wanted paul.vixie.org to follow his notebook.  Interesting idea.  All
it really requires is his notebook sending an update to his home DNS
server.  IMHO, that's outside the scope of the immediate problem.

Other than that, there isn't much to it.  I believe a small C program
could do the trick.  I may take a crack at it, but I need to read a
bunch of the RFCs before getting too crazy.

The security nuts were all over this.  They wanted key exchanges and
the works.  I think that's overkill.  If this mechanism is supported
by policy, then it is OK.  If someone is concerned, then don't run the
DNS update protocol.

Cheers.
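The three bullets in the message above sketch a registry that a router-side daemon (the radvd host) would maintain: learn hosts from the traffic it sees, hand out policy-generated names, challenge a duplicate name by probing the previous holder, and periodically cull entries that no longer answer. The following Python block is an added illustration of that state machine; it is not code from the original post or from any existing tool. The class and method names, the naming policy, the zone suffix `ip6.example`, the TTL and the sample MAC/address values are all my assumptions, and the liveness probe is injected as a callback backed by a constructed set of "reachable" addresses, so the code runs offline without sending ICMP or DNS UPDATE packets. It also goes one step beyond the bullets by treating a known interface that shows up with a new address (a prefix change) as a renumbering rather than a duplicate.

```python
"""Simulation of the DNS-registry policy sketched in the post (added example).

Assumptions (not from the post): names are derived from the MAC the router
saw in its neighbor cache, known MACs may be mapped to a preferred label, and
the liveness probe is a callback so the logic can be exercised offline.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Hypothetical zone suffix used by the naming policy (constructed).
ZONE = "ip6.example"


@dataclass
class Entry:
    name: str        # fully qualified name that would be published in DNS
    addr: str        # IPv6 address the name resolves to
    mac: str         # link-layer address the host was seen with
    last_seen: float # timestamp of the last traffic observed from (mac, addr)


class HostRegistry:
    def __init__(self, probe: Callable[[str], bool],
                 known: Optional[Dict[str, str]] = None, ttl: float = 3600.0):
        self.probe = probe        # returns True if the address answers a liveness check
        self.known = known or {}  # mac -> preferred label for hosts the policy recognises
        self.ttl = ttl            # seconds of silence before a cull sweep considers an entry stale
        self.by_name: Dict[str, Entry] = {}

    def policy_name(self, mac: str) -> str:
        """Known MACs get their configured label; unknown ones get a MAC-derived name."""
        label = self.known.get(mac) or "host-" + mac.replace(":", "")
        return f"{label}.{ZONE}"

    def observe(self, mac: str, addr: str, now: float) -> str:
        """Handle one 'saw traffic from (mac, addr)' event and report the outcome."""
        name = self.policy_name(mac)
        cur = self.by_name.get(name)
        if cur is None:
            self.by_name[name] = Entry(name, addr, mac, now)   # first sighting: insert
            return "added"
        if cur.addr == addr:
            cur.last_seen = now                                # same host: refresh timer
            return "refreshed"
        if cur.mac == mac:
            cur.addr, cur.last_seen = addr, now                # same interface, new prefix
            return "renumbered"
        # A different interface claims an existing name: challenge the previous holder.
        if self.probe(cur.addr):
            return "refused"                                   # old host still answers
        self.by_name[name] = Entry(name, addr, mac, now)       # old host gone: pull its entry
        return "replaced"

    def cull(self, now: float) -> List[str]:
        """Periodic sweep: remove entries past the TTL that no longer answer a probe."""
        removed = []
        for name, e in list(self.by_name.items()):
            if now - e.last_seen > self.ttl and not self.probe(e.addr):
                del self.by_name[name]
                removed.append(name)
        return removed


def demo() -> List[str]:
    """Walk the registry through the three cases from the post on constructed data."""
    reachable = {"2001:db8::1", "2001:db8::2"}          # constructed 'answers a probe' set
    known = {"00:11:22:33:44:55": "notebook",            # two cards for the same notebook
             "66:77:88:99:aa:bb": "notebook"}
    reg = HostRegistry(lambda a: a in reachable, known, ttl=600)
    out = [reg.observe("00:11:22:33:44:55", "2001:db8::1", 0),    # added
           reg.observe("aa:bb:cc:dd:ee:ff", "2001:db8::2", 10),   # added (MAC-derived name)
           reg.observe("aa:bb:cc:dd:ee:ff", "2001:db8::2", 20),   # refreshed
           reg.observe("66:77:88:99:aa:bb", "2001:db8::3", 30)]   # refused: ::1 still answers
    reachable.discard("2001:db8::1")                      # the old card goes quiet
    reachable.add("2001:db8::3")
    out.append(reg.observe("66:77:88:99:aa:bb", "2001:db8::3", 40))  # replaced
    reachable.discard("2001:db8::2")
    out.extend(reg.cull(1000))                            # only the silent host is culled
    return out


if __name__ == "__main__":
    print(demo())
```

The `probe` callback is where the "presence of the previous host" check from the second bullet lives; in a real daemon it would be an ICMPv6 echo or neighbor solicitation, and the dictionary inserts and deletes would become DNS UPDATE messages to the zone. Keeping the probe injectable is also what lets the duplicate and cull paths be exercised deterministically.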
