On Feb 17, 2009, at 1:55 PM, Mark Andrews wrote:
(which was never fully thought out -- how does an autoconfig'd device get a DNS name associated with their address in a DNSSEC-signed world again?) and letting network operators use DHCP with IPv6 the way they do with IPv4.

David, you know as well as I do that DNSSEC is an orthogonal issue here.
My understanding, which may well be wrong, is that:

- stateless auto-configuration assumes the client will update the address to name association once it has obtained the address.
- In order to do this, the DNS server needs to support Dynamic DNS.
- If DNSSEC is in use, it requires the use of on-line signing keys.
- Security folks get unhappy when you mention on-line signing keys.

Solution?

- Don't have address to name associations
- Don't worry about (or accept lesser) security on address to name associations.

Of course the DNSSEC bit is sort of moot, as I suspect there aren't a whole lot of ISPs in a position to support dynamic updates from clients...

Regards,
-drc