-----Original Message-----
From: Ted Lemon [mailto:Ted(_dot_)Lemon(_at_)nominum(_dot_)com]
Sent: Thursday, December 01, 2005 3:58 PM
To: Hallam-Baker, Phillip
Cc: Sam Hartman; namedroppers(_at_)ops(_dot_)ietf(_dot_)org; Bernie Volz
(volz); ietf(_at_)ietf(_dot_)org; iesg(_at_)ietf(_dot_)org;
dhcwg(_at_)ietf(_dot_)org; Steven
M. Bellovin; Pekka Savola
Subject: Re: [dhcwg] Re: DHCID and the use of MD5 [Re: Last
Call:'Resolution ofFQDN Conflicts among DHCP Clients' to
ProposedStandard]
On Thursday 01 December 2005 12:31, Hallam-Baker, Phillip wrote:
My criteria here are that the DNS should support an extension
mechanism that allows the definition of new records at will without
the need to deploy ANY new code at either the client or the server.
Right, we have that. It's called the RRtype. Many, many
type codes are
NO YOU DO NOT
The majority of the deployed DNS infrastructure does not have the
ability to service new RRs.
The opposite claim has been advanced on several occasions but it is
untrue. There is NO version of the Windows DNS server capable of
PRODUCTION publication of new DNS RRs. A registry hack that does not
survive a reboot does not count. Microsoft has shown the actual DNS code
for saving a zone file, new RRs are simply not handled.
Its not just the dns servers, it's the firewalls and a whole
intermediate layer of RPC services that are used to implement DNS calls
in a large number of real environments.
available. Requiring the use of additional labels and not
taking advantage of the very nice DNS update prerequisite
support because someone doesn't want
to support transparent addition of RRtypes is pathetic.
The DNSEXT group has yet to explain how a production quality DNS server
can add support for a new RR without the need for new code. The ability
to add in blobs of raw hex data does not cut it.
We've had the
capacity to extend option codes in every DHCP server (as well as most
clients) in existence practically since day one, and that's a
much more complicated problem than handling new RRtypes.
DHCP should stick to reporting the IP address. The idea that
configuration services should be configured at the network connection
level is ridiculous. The fact I am on an ethernet segment does not mean
that I trust it or want anything to do with it. If I am on public WiFi
the idea is nonsense on stilts.
I would like to discontinue the practice of assigning the domain name
prefix and the DNS servers from DHCP by default. The domain name prefix
should be defined during the MACHINE network configuration alone. The
use of DHCP discovered DNS servers is a major security hazzard. All DNS
transactions should be TSIG signed.
I will accept the use of DHCP to assist initial machine configuration
and local network configuration. Use of an unauthenticated broadcast
protocol for application configuration is nonsense.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf