[Hipsec-rg] reverse DNS lookups of HITs (was RE: meeting minutes posted)

thomas.r.henderson at boeing.com (Henderson, Thomas R) Mon, 12 January 2009 19:50 UTC

From: "thomas.r.henderson at boeing.com"
Date: Mon, 12 Jan 2009 11:50:49 -0800
Subject: [Hipsec-rg] reverse DNS lookups of HITs (was RE: meeting minutes posted)
In-Reply-To: <alpine.LFD.2.00.0901122112420.17180@stargazer.pc.infrahip.net>
References: <77F357662F8BFA4CA7074B0410171B6D07B0BBE5@XCH-NW-5V1.nw.nos.boeing.com> <alpine.LFD.2.00.0901071641330.12787@stargazer.pc.infrahip.net> <77F357662F8BFA4CA7074B0410171B6D07B0BC6B@XCH-NW-5V1.nw.nos.boeing.com> <alpine.LFD.2.00.0901121802320.17180@stargazer.pc.infrahip.net><77F357662F8BFA4CA7074B0410171B6D07B0BC70@XCH-NW-5V1.nw.nos.boeing.com> <alpine.LFD.2.00.0901122112420.17180@stargazer.pc.infrahip.net>
Message-ID: <77F357662F8BFA4CA7074B0410171B6D07B0BC76@XCH-NW-5V1.nw.nos.boeing.com>

(changing the subject line)

> -----Original Message-----
> From: Oleg Ponomarev [mailto:oleg.ponomarev at hiit.fi] 
> Sent: Monday, January 12, 2009 11:38 AM
> To: Henderson, Thomas R
> Cc: hipsec-rg at listserv.cybertrust.com
> Subject: RE: [Hipsec-rg] meeting minutes posted
> 
> Greetings! On Mon, 12 Jan 2009, Henderson, Thomas R wrote:
> 
> >> For example, only 2001:1e:574e:2505:264a:b360:d8cc:1d75 is allowed to
> >> modify 5.7.d.1.c.c.8.d.0.6.3.b.a.4.6.2.5.0.5.2.e.4.7.5.e.1.0.0.1.0.0.2.IP6.ARPA PTRs
> >
> > Functionally, I see how that can work, but operationally, do you propose
> > that the five root servers of ip6.arpa implement and maintain this? Or,
> > presuming that there is a HIP-specific allocation in the future, that
> > there is a global root nameserver or set of nameservers for this HIT
> > space?
> 
> The latter, i.e. get delegation for 1.0.0.1.0.0.2.IP6.ARPA (or whatever):
> 1.0.0.1.0.0.2.IP6.ARPA. 172800	IN	NS	A.OUR-SERVERS.NET.
> 1.0.0.1.0.0.2.IP6.ARPA. 172800	IN	NS	B.OUR-SERVERS.NET.
> 1.0.0.1.0.0.2.IP6.ARPA. 172800	IN	NS	C.OUR-SERVERS.NET.
> 
> The ip6.arpa nameservers already get those queries when there is a HIP
> connection, they just reply with NXDOMAIN.

Yes, but how do you delegate below that top level?

If I am a HIP user, and I generate a key for myself, how do I register
it with A.OUR-SERVERS.NET.?  Do they have an open policy and let just
anyone in the Internet add a record for themselves?

I see how one could technically build such a name server, but I'm
wondering about the scalability of it and how it would operationally be
deployed.

> 
> Why do we need reverse mapping for HITs in general? I would prefer to see
> a symbolic domain in logs instead of hex addresses, or put *.my-org.com
> into some access list instead of a comma-separated list of HITs, and so on.
> 

Yes, that would clearly be a nice feature.

Tom
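As an added illustration of the mapping the thread is arguing about (example code, not from either poster), the following computes the ip6.arpa PTR name for a HIT, inverts it, and looks up which delegated zone, if any, would be authoritative for that name. The delegation table is constructed from the NS records quoted above; the seven-label zone `1.0.0.1.0.0.2.ip6.arpa.` covers the leading 28 bits of the HIT space.

```python
import ipaddress

# Constructed from the NS records quoted in the thread: the only delegation
# below ip6.arpa that we assume exists for HITs. Seven nibble labels = a /28.
DELEGATIONS = {
    "1.0.0.1.0.0.2.ip6.arpa.": [
        "A.OUR-SERVERS.NET.", "B.OUR-SERVERS.NET.", "C.OUR-SERVERS.NET.",
    ],
}


def hit_to_ptr_name(hit: str) -> str:
    """Fully qualified ip6.arpa name for a HIT written as an IPv6 address."""
    addr = ipaddress.IPv6Address(hit)  # expands 2001:1e:: to 2001:001e:...
    # reverse_pointer yields the 32 reversed nibbles followed by "ip6.arpa"
    return addr.reverse_pointer + "."


def ptr_name_to_hit(name: str) -> str:
    """Inverse mapping: rebuild the (compressed) HIT from its ip6.arpa name."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 34 or labels[-2:] != ["ip6", "arpa"]:
        raise ValueError("not a full 32-nibble ip6.arpa name")
    nibbles = "".join(reversed(labels[:-2]))
    groups = [nibbles[i:i + 4] for i in range(0, 32, 4)]
    return str(ipaddress.IPv6Address(":".join(groups)))


def find_delegation(ptr_name: str, delegations=DELEGATIONS):
    """Most specific delegated zone covering ptr_name as (zone, nameservers).

    Returns None when no delegation exists, i.e. the situation Oleg describes
    where the ip6.arpa servers can only answer NXDOMAIN.
    """
    name = ptr_name.lower()
    best = None
    for zone, nameservers in delegations.items():
        zone = zone.lower()
        if name.endswith("." + zone) and (best is None or len(zone) > len(best[0])):
            best = (zone, nameservers)
    return best


if __name__ == "__main__":
    ptr = hit_to_ptr_name("2001:1e:574e:2505:264a:b360:d8cc:1d75")
    print(ptr)                       # the PTR owner name from the thread
    print(find_delegation(ptr))      # served by A/B/C.OUR-SERVERS.NET.
    print(find_delegation(hit_to_ptr_name("2001:db8::1")))  # None: NXDOMAIN
```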