Re: [dhcwg] Could you launch WGLC for draft-ietf-dhc-addr-registration-06
"Bernie Volz (volz)" <volz@cisco.com> Tue, 09 September 2014 21:57 UTC
Return-Path: <volz@cisco.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A97061A8935 for <dhcwg@ietfa.amsl.com>; Tue, 9 Sep 2014 14:57:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.853
X-Spam-Level:
X-Spam-Status: No, score=-15.853 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.652, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FFZiyTwzv-j1 for <dhcwg@ietfa.amsl.com>; Tue, 9 Sep 2014 14:57:12 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83E751A8932 for <dhcwg@ietf.org>; Tue, 9 Sep 2014 14:57:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8396; q=dns/txt; s=iport; t=1410299833; x=1411509433; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=TrpOxN9PbuUCvOjb5ScBX8x9OmijO4e2RX+erngAUz8=; b=gk33CQJI2Zc+OYkru+MeGPEHR0WbDuntiKb175nqKXO2Pfb1kas6zgIN D18GLaHkKcMTiLHT8z2kjGc5N6gDou/tO//gnNudNS1ic+BEQHkXHELlh vuFYWKl2TB2hylP4YmzKG4P59G9GNKEDBd1XIYUS7Sp2+0p+MRInBfzGF E=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AisFAMZ2D1StJA2L/2dsb2JhbABZgw1TVwSCeMcqh1ABGXQWeIQDAQEBAwEjET4HBQcEAgEIEQQBAQMCBh0DAgICHxEUAQgIAgQBDQUIE4gTAwkIp16OfA2GXQEXgSyLdAuBcRYbBwaCczaBHQWRQYQwhHKDb40UhjuBZYF8bIEGBzuBBwEBAQ
X-IronPort-AV: E=Sophos;i="5.04,493,1406592000"; d="scan'208";a="353869423"
Received: from alln-core-6.cisco.com ([173.36.13.139]) by rcdn-iport-2.cisco.com with ESMTP; 09 Sep 2014 21:57:12 +0000
Received: from xhc-rcd-x14.cisco.com (xhc-rcd-x14.cisco.com [173.37.183.88]) by alln-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id s89LvB4J021621 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 9 Sep 2014 21:57:11 GMT
Received: from xmb-rcd-x04.cisco.com ([169.254.8.78]) by xhc-rcd-x14.cisco.com ([173.37.183.88]) with mapi id 14.03.0195.001; Tue, 9 Sep 2014 16:57:11 -0500
From: "Bernie Volz (volz)" <volz@cisco.com>
To: 神明達哉 <jinmei@wide.ad.jp>, Sheng Jiang <jiangsheng@huawei.com>
Thread-Topic: [dhcwg] Could you launch WGLC for draft-ietf-dhc-addr-registration-06
Thread-Index: AQHPyF6G8Uy2uoGcyE2zxO0zMLiaxJvxMTtAgAH1pACABZwmAIAA1TUA//++MUA=
Date: Tue, 09 Sep 2014 21:57:11 +0000
Message-ID: <489D13FBFA9B3E41812EA89F188F018E1B6865F2@xmb-rcd-x04.cisco.com>
References: <5D36713D8A4E7348A7E10DF7437A4B923AF14CDA@nkgeml512-mbx.china.huawei.com> <489D13FBFA9B3E41812EA89F188F018E1B67C31F@xmb-rcd-x04.cisco.com> <CAJE_bqckKCi+5PH1enscH+cqDgX9eUFi9PBUeRfsrdesc4ApHQ@mail.gmail.com> <5D36713D8A4E7348A7E10DF7437A4B923AF15356@nkgeml512-mbx.china.huawei.com> <CAJE_bqeXskZ4yBqtZ1RmGj5H0RdK_rqSX3pBCeOk-tcQ-jqJkQ@mail.gmail.com> <489D13FBFA9B3E41812EA89F188F018E1B67E7F5@xmb-rcd-x04.cisco.com> <CAJE_bqfEkUX_tpqhPLm-M7VF8oEx2oAUAOM--2A1WZeQo0-7gg@mail.gmail.com> <5D36713D8A4E7348A7E10DF7437A4B923AF17F3A@nkgeml512-mbx.china.huawei.com> <CAJE_bqfqHu1C2hpt4QGGBeQZyEwiBDeTTy0p=33CR=CSFBry5g@mail.gmail.com>
In-Reply-To: <CAJE_bqfqHu1C2hpt4QGGBeQZyEwiBDeTTy0p=33CR=CSFBry5g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [161.44.70.111]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/dhcwg/hvr0oZbzS_YhHtTXLjEoDzBknSw
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>, "draft-ietf-dhc-addr-registration@tools.ietf.org" <draft-ietf-dhc-addr-registration@tools.ietf.org>
Subject: Re: [dhcwg] Could you launch WGLC for draft-ietf-dhc-addr-registration-06
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Sep 2014 21:57:14 -0000
Jinmei: > I simply didn't see a point of introducing a new protocol for it, but if I'm the only person who thinks so or who just can't see the advantage of the proposed approach, I'll shut up here rather than try to persuade the wg on it. I think the two choices that exist today are (if you want to have clients use IPv6 and have entries in DNS - let's ignore whether these are forward or reverse): 1. Use DHCPv6 to assign addresses and have the DHCP server update DNS server. 2. Allow clients to do the update themselves (this may require TSIG or other key distribution, or just wide open access). And given that: 1. There is some set of people (client implementors and network operators) that don't want to use stateful (DHCPv6) and hence only want stateful address assignment. 2. There is some set of people that want DNS to be updated when addresses are assigned. 3. Many clients today don't update DNS or even try to. 4. If the clients did update DNS, there may be networks where the administrator wants to require some kind of trust relationship and thus you end up with a key distribution problem. Now the core question is whether using DHCPv6 or fixing #3 (and #4) on the list is easier or harder than this proposal? It obviously requires changes (updates) on the clients (since they must initiate the registration requests). Whether we want this draft's option as a possible tool is a good and relevant question. We could certainly offer it as a 'tool' to enable this, but whether client implementations will implement this and what it might mean in terms of network costs for the (re)transmissions when not offered is an interesting question (i.e., why am I seeing all this DHCPv6 traffic when there is no DHCPv6). Personally, I haven't been that enthusiastic about this draft because I think we have a solution for existing networks (use DHCPv6) and this requires nothing more for clients to implement (that support DHCPv6). And, adding more baggage to clients doesn't help (yet another protocol). Sure, this may be 'simpler' than implementing a full stateful DHCPv6 client and deploying DHCPv6 servers, but there are other benefits to implementing DHCPv6 (such as being able to connect on more networks)? Is there anyone that intends to implement this for "popular" client operating system should it advance? Solving the IPv6 DNS issue is I think useful work for the IETF. Though I'm not sure we're the best prepared to work on it; I think it ended up with us because it is using the DHCPv6 "protocol". As WG co-chair, I'll work to advance the WG consensus regarding this (and any other) document. - Bernie -----Original Message----- From: jinmei.tatuya@gmail.com [mailto:jinmei.tatuya@gmail.com] On Behalf Of ???? Sent: Tuesday, September 09, 2014 4:14 PM To: Sheng Jiang Cc: Bernie Volz (volz); dhcwg@ietf.org; draft-ietf-dhc-addr-registration@tools.ietf.org Subject: Re: [dhcwg] Could you launch WGLC for draft-ietf-dhc-addr-registration-06 At Tue, 9 Sep 2014 07:30:46 +0000, Sheng Jiang <jiangsheng@huawei.com> wrote: > In many networks, the administrator would not want to distribute the address of authoritative name-server. Also, as far as I know, there is no way to propagate the address of authoritative name server by any protocols. So, the clients does not know where to send their DNS records. But they can send their request by DHCP multicast address. You don't need any special protocol for that. A host can begin with an SOA query for its own FQDN (such as host.example.com/SOA) towards the root until it finds a deepest SOA (example.com/SOA, com/SOA, then ./SOA). Once the deepest SOA record is found, the host can resolve the AAAA or A record of its MNAME, and then send a DDNS update to that address. ISC's nsupdate works that way. > It is safer for the address registration server, which is under the same management with the authoritative name-server, to know the address of the authoritative name-server and make registration requests on behalf of clients. "safer" is vague, and I don't know exactly what you mean by this. > It is easy to establish and *manage* one trust relationship between a DHCPv6 (address registration) server and the authoritative name-server, but it is much more difficult to manage trust relationships with many clients. This argument doesn't make sense to me. You'll still need to "*manage* trust relationships" between the DHCPv6 server and many clients, right? Otherwise an arbitrary client can force the DHCPv6 server to register a name-address mapping. And then you'll face the same level of management issue. I tried to make this point clearer in my previous comment...maybe I wasn't clear enough? > Also, the deployment of address registration server would help the administrator to manage the DNS records among multiple DNS servers. I don't get this either. Do you mean the primary authoritative DNS server is different for the forward and reverse mappings? I don't see a strong reason why this is a problem just with DDNS request once you solve the trust relationship issue (and, again, the issue is common for both approaches AFAICS). Since two approaches are different, it wouldn't be impossible to find some case that is specific to one approach (although, so far, I've not even seen it). But when one wants to introduce a new protocol extension for something that can be done by an existing tool, IMO we need a quite stronger argument to explain why an existing technology doesn't work. At least to me, the current draft text is largely weak on this point, and I don't think I've seen a point that can provide such an argument in this discussion. That said...as noted earlier in a separate message, I'm not necessarily intending to block this proposal or to push the idea of just using DDNS for the stated problem. I simply didn't see a point of introducing a new protocol for it, but if I'm the only person who thinks so or who just can't see the advantage of the proposed approach, I'll shut up here rather than try to persuade the wg on it. -- JINMEI, Tatuya
- Re: [dhcwg] Could you launch WGLC for draft-ietf-… Bernie Volz (volz)
- Re: [dhcwg] Could you launch WGLC for draft-ietf-… 神明達哉
- Re: [dhcwg] Could you launch WGLC for draft-ietf-… Sheng Jiang
- Re: [dhcwg] Could you launch WGLC for draft-ietf-… Sheng Jiang
- Re: [dhcwg] Could you launch WGLC for draft-ietf-… 神明達哉
- Re: [dhcwg] Could you launch WGLC for draft-ietf-… Bernie Volz (volz)
- Re: [dhcwg] Could you launch WGLC for draft-ietf-… 神明達哉
- Re: [dhcwg] Could you launch WGLC for draft-ietf-… Sheng Jiang
- Re: [dhcwg] Could you launch WGLC for draft-ietf-… 神明達哉
- Re: [dhcwg] Could you launch WGLC for draft-ietf-… Bernie Volz (volz)
- Re: [dhcwg] Could you launch WGLC for draft-ietf-… Sheng Jiang
- Re: [dhcwg] Could you launch WGLC for draft-ietf-… 神明達哉