Re: [RAM] Renumbering impossibility: TSL/SSL certs, DNS delegation etc.
Gert Doering <gert@space.net> Fri, 03 August 2007 20:57 UTC
Date: Fri, 03 Aug 2007 11:51:00 +0200
From: Gert Doering <gert@space.net>
To: Robin Whittle <rw@firstpr.com.au>
Subject: Re: [RAM] Renumbering impossibility: TSL/SSL certs, DNS delegation etc.
Cc: ram@iab.org
Hi,

On Fri, Aug 03, 2007 at 12:37:10PM +1000, Robin Whittle wrote:
> If a server has an SSL certificate, that is specific to its physical
> IP address.  No amount of automation can help with that, or the cost
> and time-delay of getting another certificate.

Doing so in the first place could be considered a mistake.  The nice thing
about *names* is that you can (and should!) tie the SSL certificate to the
domain name that you want to secure, not to the IP address.

[..]
> As far as I know, this notion of IPv6 end-users supposedly being
> happy with PA space and automated renumbering has been going on for
> ten years or so.  Hadn't anyone thought of all the config files
> (named, httpd, imapd, firewall etc.), SSL certs, DNS delegation etc.?

Most end user networks neither run name servers nor SSL certs, etc., in
their network range - they delegate that task to their service providers.

"all the config files" should contain host names, not IP addresses (that's
what DNS has been invented for, half a century ago).

Of course there are larger "end users" (corporate networks) that have
local servers in their network - but even then, with proper planning in
the setup phase (and that means "not putting IP addresses in places that
should have server names"), renumbering is not painless, but also not
impossible.  It mostly boils down to firewall rules, and changing glue
for a few name servers (again, the "proper planning" thing).

Gert Doering
        -- NetMaster
-- 
Total number of prefixes smaller than registry allocations:  113403

SpaceNet AG                 Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14   Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen            HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444     USt-IdNr.: DE813185279
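An added illustration of the message's point about configuration files (not part of the original mail, and not code from its author): a renumbering-readiness check that flags IP address literals hard-coded in configuration text, where a host name would survive a prefix change. The sample configuration, the documentation-range addresses and the function names are constructed for this example.

```python
import ipaddress
import re

# Separators between candidate tokens on a configuration line.
_SEPARATORS = re.compile(r"[\s\"'\[\](){},;=<>]+")

# Constructed sample (documentation address ranges), not from the original mail.
SAMPLE_CONFIG = """\
# named / httpd / firewall style lines
listen-on { 127.0.0.1; 192.0.2.53; };
ServerName www.example.org
Listen 192.0.2.80:443
ProxyPass / http://backend.example.org:8080/
allow from 2001:db8:10::/48
permit tcp any host mail.example.org eq 25
"""


def _parse_ip(token):
    """Return an address or network object if token is an IP literal, else None."""
    candidates = [token]
    if token.count(":") == 1:  # IPv4 "addr:port" form
        candidates.append(token.split(":", 1)[0])
    for cand in candidates:
        try:
            if "/" in cand:
                return ipaddress.ip_network(cand, strict=False)
            return ipaddress.ip_address(cand)
        except ValueError:
            continue
    return None


def find_ip_literals(text):
    """Return [(line_number, literal)] for addresses that renumbering would break."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = line.split("#", 1)[0]  # drop '#' comments
        for token in _SEPARATORS.split(code):
            parsed = _parse_ip(token)
            # Loopback and unspecified addresses do not change with the prefix.
            if parsed is None or parsed.is_loopback or parsed.is_unspecified:
                continue
            findings.append((lineno, str(parsed)))
    return findings


if __name__ == "__main__":
    for lineno, literal in find_ip_literals(SAMPLE_CONFIG):
        print(f"line {lineno}: hard-coded {literal}")
```

Firewall rules and name server glue, which the message names as the remaining work, will still show up in such a scan; four-part version strings can appear as false positives.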