[Hipsec-rg] Forward Confirmed reverse DNS & HIP dns proxy

oleg.ponomarev at hiit.fi (Oleg Ponomarev) Fri, 24 April 2009 11:49 UTC

From: "oleg.ponomarev at hiit.fi"
Date: Fri, 24 Apr 2009 14:49:59 +0300
Subject: [Hipsec-rg] Forward Confirmed reverse DNS & HIP dns proxy
Message-ID: <alpine.LFD.2.00.0904241434470.5284@stargazer.pc.infrahip.net>


It is not implementation-specific, so I move the discussion to this 
mailing list? We stumbled across such a question: if a host has both HIP 
and non-HIP connections and uses a HIP DNS proxy for the legacy 

There is an incoming connection from 2001:708:140:220::2, it is resolved 
to hipl.infrahip.net, then hipl.infrahip.net has a HIP RR and gets 
resolved to 2001:19:c0ff:5d7e:d547:ec9b:37c3:44c6 (via DNS proxy) instead 
of 2001:708:140:220::2. The forward-confirmation is broken and there are 
warnings about possible attacks and so on.

Has this trouble been discussed before? Do you have any ideas?

One way would be to resolve:

2001:708:140:220::2 -> hipl.infrahip.net.NOHIP.
hipl.infrahip.net.NOHIP. -> 2001:708:140:220::2 
hipl.infrahip.net. -> 2001:19:c0ff:5d7e:d547:ec9b:37c3:44c6

There would be no warning about FCrDNS, but an ACL for hipl.infrahip.net. 
would not apply either.

Regards, Oleg.