Re: [RAM] Renumbering impossibility: TLS/SSL certs, DNS delegation etc.

Gert Doering <gert@space.net> Fri, 03 August 2007 20:57 UTC

Date: Fri, 03 Aug 2007 11:51:00 +0200
From: Gert Doering <gert@space.net>
To: Robin Whittle <rw@firstpr.com.au>
Subject: Re: [RAM] Renumbering impossibility: TLS/SSL certs, DNS delegation etc.
Message-ID: <20070803095100.GF69215@Space.Net>
References: <46B294D6.7070700@firstpr.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <46B294D6.7070700@firstpr.com.au>
User-Agent: Mutt/1.4.2.1i
Cc: ram@iab.org
List-Id: Routing and Addressing Mailing List <ram.iab.org>

Hi,

On Fri, Aug 03, 2007 at 12:37:10PM +1000, Robin Whittle wrote:
> If a server has an SSL certificate, that is specific to its physical
> IP address.  No amount of automation can help with that, or the cost
> and time-delay of getting another certificate.

Doing so in the first place could be considered a mistake.  The nice thing
about *names* is that you can (and should!) tie the SSL certificate to the 
domain name that you want to secure, not to the IP address.

[..]
> As far as I know, this notion of IPv6 end-users supposedly being
> happy with PA space and automated renumbering has been going on for
> ten years or so.  Hadn't anyone thought of all the config files
> (named, httpd, imapd, firewall etc.), SSL certs, DNS delegation etc.?

Most end user networks neither run name servers nor SSL certs, etc., in
their network range - they delegate that task to their service providers.

"all the config files" should contain host names, not IP addresses
(that's what DNS was invented for, half a century ago).

Of course there are larger "end users" (corporate networks) that have
local servers in their network - but even then, with proper planning
in the setup phase (and that means "not putting IP addresses in places
that should have server names"), renumbering is not painless, but also
not impossible.  It mostly boils down to firewall rules, and changing
glue for a few name servers (again, the "proper planning" thing).

Gert Doering
        -- NetMaster
-- 
Total number of prefixes smaller than registry allocations:  113403

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279

_______________________________________________
RAM mailing list
RAM@iab.org
https://www1.ietf.org/mailman/listinfo/ram
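The practical form of the advice in the reply above (host names in config files, addresses only where they are unavoidable, i.e. firewall rules and glue) is an audit: before a renumbering, find every literal address that sits inside the prefix being given up and decide, file by file, whether it should have been a name. The script below is an added example, not code from the mail or from SpaceNet. It uses only the Python standard library; the configuration snippets, the prefixes (RFC 5737 / RFC 3849 documentation space), the address-to-name map and the list of "address-bound" files are all constructed for the example, and the file-name-based rule for what counts as address-bound is a heuristic, not a rule from the thread.

```python
"""Find literal IP addresses in configuration files that a renumbering would
break.  Added example (not from the original mail): every sample below is
constructed; the prefixes are RFC 5737 / RFC 3849 documentation space."""
import ipaddress
import re
from dataclasses import dataclass

# Tokens made of hex digits, dots and colons that are not glued to other word
# characters, so "v1.2.3.4" or "ns1.space.net" are never taken for addresses.
# ipaddress then does the real validation of each token.
_TOKEN_RE = re.compile(r"(?<!\w)[0-9A-Fa-f:.]+(?!\w)")


def _as_address(token):
    """Return the address a token denotes, or None.  Tolerates a trailing dot
    and an IPv4 'addr:port' suffix, both common in daemon config files."""
    for candidate in (token, token.rstrip("."), token.rsplit(":", 1)[0]):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue
    return None


def find_addresses(text):
    """Yield (line_number, literal, address) for every IP literal in text."""
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in _TOKEN_RE.finditer(line):
            addr = _as_address(match.group(0))
            if addr is not None:
                yield lineno, str(addr), addr


@dataclass
class Finding:
    path: str
    lineno: int
    literal: str
    status: str       # "renumber" (inside a prefix being given up) or "keep"
    suggestion: str   # host name that should replace the literal, or ""


def audit(files, old_prefixes, names, address_bound=()):
    """files: {path: contents}.  old_prefixes: networks being returned.
    names: {address: hostname}, what forward DNS resolves to.  address_bound:
    paths (firewall rules, NS glue) that legitimately hold addresses and only
    need editing, so no "use a name instead" suggestion is made for them."""
    nets = [ipaddress.ip_network(p) for p in old_prefixes]
    findings = []
    for path, text in files.items():
        for lineno, literal, addr in find_addresses(text):
            # 'in' is False across address families, so v4/v6 mixes are safe.
            status = "renumber" if any(addr in n for n in nets) else "keep"
            suggestion = "" if path in address_bound else names.get(literal, "")
            findings.append(Finding(path, lineno, literal, status, suggestion))
    return findings


def summarize(findings):
    """Per-file counts: the overview you want before a renumbering window."""
    out = {}
    for f in findings:
        out.setdefault(f.path, {"renumber": 0, "keep": 0})[f.status] += 1
    return out


# Constructed sample configuration, assumption: a small site with a web
# server, a resolver, an IMAP server and a pf ruleset.
SAMPLE_FILES = {
    "httpd.conf": (
        "Listen 192.0.2.10:443\n"
        "Listen [2001:db8:1::10]:443\n"
        "<VirtualHost 192.0.2.10:443>\n"
        "    ServerName www.example.net\n"
        "    SSLCertificateFile /etc/ssl/www.example.net.pem\n"
        "</VirtualHost>\n"
    ),
    "named.conf": (
        "options {\n"
        "    listen-on { 192.0.2.53; };\n"
        "    forwarders { 198.51.100.1; };\n"
        "};\n"
    ),
    "imapd.conf": "imap_listen = imap.example.net\n",
    "pf.conf": (
        "pass in on em0 proto tcp from any to 192.0.2.10 port 443\n"
        "pass in proto tcp from 10.0.0.0/8 to any port 22\n"
    ),
}
OLD_PREFIXES = ["192.0.2.0/24", "2001:db8:1::/48"]   # constructed
NAMES = {                                            # constructed
    "192.0.2.10": "www.example.net",
    "2001:db8:1::10": "www.example.net",
    "192.0.2.53": "ns1.example.net",
}
ADDRESS_BOUND = {"pf.conf"}   # firewall rules are expected to hold addresses

if __name__ == "__main__":
    for f in audit(SAMPLE_FILES, OLD_PREFIXES, NAMES, ADDRESS_BOUND):
        hint = f" -> use {f.suggestion}" if f.suggestion else ""
        print(f"{f.path}:{f.lineno}: {f.literal} [{f.status}]{hint}")
```

On the sample, imapd.conf produces no findings at all (it already uses a name), the httpd and named literals inside 192.0.2.0/24 and 2001:db8:1::/48 are reported with the name they should have carried, the upstream forwarder and the RFC 1918 source range are reported as "keep", and the pf rule is reported as something to edit rather than to replace with a name. That split is exactly the "firewall rules and glue" residue the reply describes.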