[dnssd] Site deployment options

[RJ Atkinson <rja.lists@gmail.com>]

On 23  Jul 2014, at 21:43 , Tom Pusateri wrote:
> mDNS advertisements are link-local.

Agreed.

> Whether mDNS uses GUAs, ULAs, or link-local addresses is irrelevant.
> 
> I'll assume you meant the broader term DNS-SD. If so, then the scope
> of the address is a matter best left up to the particular use case.
> There are arguments for all of them and a mix of them depending on
> what you're trying to achieve.

Yes.  There are a range of use cases.  These use cases will vary
in multiple dimensions, not just in choice of IP addressing model.

For example, separate from the question of which types of IP addresses 
a particular operational domain uses internally, there will be 
variation in whether/how the ordinary (unicast) DNS is deployed.

Considering the DNS axis of variation, one can imagine reasonable 
deployments where the operational domain might fall into one of 
several very different use cases:
	A) has no deployment of (unicast) DNS
	B) has a single (unicast) DNS instance of example.com,
           where the internal view is identical to the external view
	C) has a split-horizon DNS deployment of example.com
	D) other reasonable use cases probably exist

Case (A) probably describes a large number of home networks
and a fair number of small enterprise networks (e.g. dentist's 
office).

Further, for case (B), a small site with its own domain name
(e.g. example.com) might not have any full-time IT staff and
might not have direct configuration control over the contents 
of its DNS.  It might, for example, have outsourced its DNS 
to a service-provider, which in turn provides a web portal and 
a (very) limited set of configuration options (e.g. ability 
to specify IP addresses for a very small number of pre-defined 
network services such as inbound mail-relay and public web server).

Case (C) probably is done most often at larger sites where 
full-time IT staff exist and the organisation's DNS instances
are directly managed by their IT staff.

Note well that any of these DNS deployment cases (A-D above)
might use any combination of private-scope IPv4 addresses, 
IPv6 ULAs, and global-scope IP addresses for their unicast 
IP addressing deployments.  As near as I can tell, addressing
options are orthogonal to the DNS deployment options.

> Bots operate inside private networks and can do as much damage
> with ULAs as with GUAs.

Yes.  This means that defense-in-depth usually is the best option,
where one has a firewall and also has other measures.  However,
general operational security concerns properly are topics for 
the IETF's OPsec WG.

Bottom-Line:
------------
DNS-SD needs to work well regardless of the unicast IP addressing
used and regardless of the (unicast) DNS deployment model used.

I believe this is entirely possible -- without changing the large
installed base of systems that support (mDNS + DNS-SD) today.

Yours,

Ran