[arin-ppml] Encouraging IPv6 Transition (was: Clarify /29 assignment identification requirement)

Mark Andrews marka at isc.org
Mon May 21 08:38:45 EDT 2012 

In message <6ABCC1C0-6DB6-403E-B8D8-78D688CF8F14 at delong.com>, Owen DeLong write
s:
> 
> On May 16, 2012, at 10:12 AM, William Herrin wrote:
> 
> > On 5/16/12, Owen DeLong <owen at delong.com> wrote:
> >> On May 16, 2012, at 8:11 AM, Michael Richardson wrote:
> >>> But, I didn't say it was risk of collision with ULA-R that was the
> >>> main problem, it is lack of reverse DNS and lack of whois that is the
> >>> problem.
> >> 
> >> Why do you need non-local RDNS and/or WHOIS for local-only addresses?
> > 
> > Hi Owen,
> > 
> > Configuring split-horizon DNS coordinated between multiple
> > interconnected organizations has always been a bit of an intractable
> > problem, especially when some parts are connected to some other parts
> > but not all parts are connected to all other parts. You could
> > sometimes get around it with an interior root but DNSSEC blows that
> > out of the water. An exterior NS record back to the interior
> > authoritative server could potentially help a lot.
> > 
> 
> Which makes the situation you describe more ideally suited to GUA with
> appropriate filtration of routes and packets.
> 
> Owen

ULA space is supposed to be within insecure delegation to break the
chain of trust, see RFC 6303.   Currently isn't which should be
corrected.

6.  IANA Considerations

   IANA has established a registry of zones that require this default
   behaviour.  The initial contents of this registry are defined in
   Section 4.  Implementors are encouraged to periodically check this
   registry and adjust their implementations to reflect changes therein.

   This registry can be amended through "IETF Review" as per [RFC5226].
   As part of this review process, it should be noted that once a zone
   is added it is effectively added permanently; once an address range
   starts being configured as a local zone in systems on the Internet,
   it will be impossible to reverse those changes.

   IANA should coordinate with the RIRs to ensure that, as DNS Security
   (DNSSEC) is deployed in the reverse tree, delegations for these zones
   are made in the manner described in Section 7.

7.  Security Considerations

   During the initial deployment phase, particularly where [RFC1918]
   addresses are in use, there may be some clients that unexpectedly
   receive a name error rather than a PTR record.  This may cause some
   service disruption until their recursive nameserver(s) have been
   re-configured.

   As DNSSEC is deployed within the IN-ADDR.ARPA and IP6.ARPA
   namespaces, the zones listed above will need to be delegated as
   insecure delegations, or be within insecure zones.  This will allow
   DNSSEC validation to succeed for queries in these spaces despite not
   being answered from the delegated servers.

   It is recommended that sites actively using these namespaces secure
   them using DNSSEC [RFC4035] by publishing and using DNSSEC trust
   anchors.  This will protect the clients from accidental import of
   unsigned responses from the Internet.


Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the ARIN-PPML mailing list