[arin-ppml] ULA-C and reverse DNS
farmer at umn.edu
Mon Mar 22 13:09:21 EDT 2010
michael.dillon at bt.com wrote:
>> If ULA-Central is not going to include authoritative reverse
>> DNS, then I'm not sure the point of doing ULA-Central. One
>> of the biggest problem I have with RFC1918 is the brain
>> damage it causes in DNS, ULA-Random has this same brain
>> damage. I see no point in doing ULA-Central if it doesn't
>> include reverse DNS too.
> ULA addresses, both the C and RANDOM varieties, are intended
> to be used local to a specific network. That means that the
> network will have certain boundaries at which traffic using
> ULA addresses will be blocked. These could be site boundaries
> or private network boundaries, including a global VPN, or in the
> case of M/A companies, the collective boundary could be the
> union of two or more private networks with one or two ISPs
> included who have special arrangements to carry the ULA traffic.
> So, however vague the thing with boundaries might be, it does
> have boundaries and all queries for the ULA addresses will
> originate within those boundaries. I see no good reason for
> a service to be provided to this bounded network from the public
> Internet. Inside their boundaries, they can run their own
> reverse DNS servers, or some kind of DNS proxy which fakes
> NS records so that it looks like ARIN servers have delegated
> the reverse DNS for the ULA'C block. It all stays inside.
This very notion of split DNS is the brain damage I was referring
to. DNS Views etc. are not very well implemented across the
Internet; the tools are there, but they are not properly implemented in
many cases. RFC 1918 forward and reverse are leaked all over the
Internet, especially in DNS.
Providing for authoritative DNS reverse with ULA-C doesn't prevent you
from doing split DNS if you wish to, you can simply not respond to
reverse queries coming from outside the boundary you are referring to.
However, assuming that you have to do split DNS in order to do DNS for
ULA-C is a bad idea.
You are making assumptions about the way people will use ULA-C; to the
extent possible we should avoid making too many assumptions.
I would probably implement split DNS, but even if I do, I might find it
useful for any lookups for my ULA-C reverse blocks to make their way to
my public authoritative DNS servers, so I can get an idea if there is
any leakage that I'm not expecting.
> Now there is no reason why a commercial provider on the Internet
> could not offer such reverse DNS services and deliver them by
> extending a VPN tunnel to the bounded network, but that is still
> not on the public Internet, as has always been intended.
I'm not sure I understand what you are getting at here. What would a
commercial provider do, register my DNS servers in the reverse tree?
> --Michael Dillon
David Farmer Email:farmer at umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE Phone: 612-626-0815
Minneapolis, MN 55414-3029 Cell: 612-812-9952
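As an added worked example (not part of the post above, and not ARIN or University of Minnesota code), the following Python sketches the two points the reply makes about reverse DNS for ULA space: how a ULA prefix maps onto an ip6.arpa zone, and how a public authoritative server can decline PTR queries that arrive from outside the site boundary while still recording them as leakage. The /48 prefix fd12:3456:789a::/48, the "internal" networks and the sample query log are all constructed values; only the fc00::/7 ULA range and the nibble-reversal rule for ip6.arpa come from RFC 4193 and the DNS specifications.

```python
"""Reverse-DNS helpers for ULA space, written as a worked example for the
split-DNS discussion above.  The prefixes, resolvers and query log below
are constructed for illustration; none of it comes from the original post
or from ARIN.
"""
import ipaddress

# All ULA space per RFC 4193 is fc00::/7; fd00::/8 is the locally
# assigned (random) half.  The organisation's own ULA /48 is a made-up
# example value, not a real allocation.
ULA_SPACE = ipaddress.ip_network("fc00::/7")
OUR_ULA_PREFIX = ipaddress.ip_network("fd12:3456:789a::/48")  # constructed


def reverse_zone(prefix) -> str:
    """ip6.arpa zone name that would hold the PTR records for *prefix*.

    ip6.arpa is delegated on nibble (4-bit) boundaries, so the prefix
    length must be a multiple of 4; anything else is rejected.
    """
    prefix = ipaddress.ip_network(prefix)
    if prefix.prefixlen % 4:
        raise ValueError("ip6.arpa delegation needs a nibble-aligned prefix")
    nibbles = prefix.network_address.exploded.replace(":", "")  # 32 hex digits
    kept = nibbles[: prefix.prefixlen // 4]
    return ".".join(reversed(kept)) + ".ip6.arpa"


def ptr_name(addr: str) -> str:
    """Full 32-nibble PTR owner name for one IPv6 address."""
    return ipaddress.IPv6Address(addr).reverse_pointer


def in_zone(qname: str, zone: str) -> bool:
    """True if *qname* is the zone apex or any name below it."""
    q, z = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)


def classify_query(source: str, qname: str, internal_nets) -> str:
    """Decide how the public authoritative server treats one PTR query.

    'answer' : query for our ULA reverse zone from inside the boundary
    'leak'   : query for our ULA reverse zone from outside the boundary
               (refuse it, but keep the record: this is the leakage the
               post wants to observe on the public servers)
    'ignore' : not about our ULA space at all
    """
    if not in_zone(qname, reverse_zone(OUR_ULA_PREFIX)):
        return "ignore"
    src = ipaddress.ip_address(source)
    if any(src in net for net in internal_nets):
        return "answer"
    return "leak"


# Constructed sample: two internal resolvers (one on the ULA /48, one on a
# public /48 the site holds) and one stranger out on the Internet.
INTERNAL_NETS = [OUR_ULA_PREFIX, ipaddress.ip_network("2001:db8:1::/48")]
SAMPLE_QUERIES = [
    ("fd12:3456:789a:1::53", ptr_name("fd12:3456:789a:2::10")),
    ("2001:db8:1::53", ptr_name("fd12:3456:789a:7::1")),
    ("2001:db8:ffff::9", ptr_name("fd12:3456:789a:2::10")),  # leaked out
    ("2001:db8:ffff::9", ptr_name("2001:db8:1::1")),         # unrelated
]


def leak_report(queries, internal_nets=INTERNAL_NETS):
    """(source, qname) pairs for ULA PTR queries that crossed the boundary."""
    return [(s, q) for s, q in queries
            if classify_query(s, q, internal_nets) == "leak"]


if __name__ == "__main__":
    print("zone:", reverse_zone(OUR_ULA_PREFIX))
    for s, q in SAMPLE_QUERIES:
        print(classify_query(s, q, INTERNAL_NETS), s, q)
    print("leaks:", leak_report(SAMPLE_QUERIES))
```

The classifier is the policy the reply describes: answering only inside the boundary does not require split-horizon views, and the refused queries are exactly the data that tells you where RFC 1918-style leakage is happening. Nibble alignment matters because ip6.arpa delegations can only be cut at /4 steps, so a /48 or /56 maps cleanly to a zone while a /7 such as fc00::/7 does not.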