Except there really is no vendor lock anymore. It is
possible to automate the entire renumbering process. If
there are spots where it is not automated then they should
be found and fixed.
Oh man, that's rich. Do you actually believe that?
If you design the network for IPv6 and not just copy the
IPv4 model. If you use the technology that has been developed
over the last 20 years, rather than disabling it, yes it is
That helps, but understanding of IPv6 and mindshare is even harder than
I'll agree that it is hard. That's why the clue x 4 keeps having
to be applied.
And you have to educate everyone who might need to configure an application,
not just network admins.
The network admins are an early step.
And if you start
looking for technology that would let you automate renumbering your
entire network, you might find that the technology that exists is
incomplete and unproven.
Which is why I keep saying: run through the renumbering exercise.
Find the problems. Report them to your vendors. Vendors being
proactive would be a big help here.
I have yet to see a reliable, standard way to
transmit address-based access-control information to applications, for
instance. (don't tell them to use DNS, because besides being too
unreliable to use for this, I am not aware of a DNS record that can
transmit a list of IP address prefix/netmask pairs to applications,
or of a standard API that would allow applications to find such
They also exist.
oh yes, and practical use of DNS security still seems to
It will as long as people don't actually sign their zones.
Have you asked for cs.utk.edu to be signed?
% dig dnskey cs.utk.edu
; <<>> DiG 9.3.4-P1 <<>> dnskey cs.utk.edu
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46982
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;cs.utk.edu. IN DNSKEY
;; AUTHORITY SECTION:
cs.utk.edu. 900 IN SOA dns01.cs.utk.edu. miturria.cs.utk.edu. 2007090900 10800 1800 604800 900
;; Query time: 387 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Sep 14 00:46:21 2007
;; MSG SIZE rcvd: 79
and yeah, we shouldn't be using IP addresses for access
control - but the general purpose technology to replace that doesn't
seem to exist yet, so for the time being people are making do with what
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews(_at_)isc(_dot_)org
Ietf mailing list