Bind, Safer DNS, and IPv6 89
resistant writes: "This article at Network World Fusion (seen at Linux Today) says, "In addition to DNSSEC, BIND 9 features support for IPv6, the ability to run on multiprocessor systems and improved scalability for handling large domain name zones." The urgent need (by Nike anyway, heh-heh) to forestall easy domain hijacking could be the sleeper issue that finally ushers in universal implementation of IPv6."
Re:IPv6 why? (Score:1)
NetSOL Domain Name Update (Score:3)
I must be a moron. I can't get NetSol to change my contact information, delete a domain, or change the technical contact info on a domain.
I've had to do updates [networksolutions.com] at "NetSOL" several times, and these people are scary. I swear they purposely make their site and procedures nearly impossible to decipher. For what it's worth, I stopped having excessive trouble with their automated email-verification scripts (this was a while ago) after realizing (after much hair-tearing) that it is extremely important to be sure that the lines are not wrapped by your email client, in the "template" forms that you email back to them. Also, there must be a space between the colon at the end of each record-descriptor, and the content following on that line (if any). Or, is it must not be a space? Geez, emulate whatever is on the other lines, you know?
It's been a while and this may be obsolete, or slightly mangled in exact detail. I've never had to resort to the infamous fax procedure [networksolutions.com], and can offer no useful advice on that except to keep on hand a bottle of Aleve, or "other" measures to relieve pain and suffering.
I've since snuck out the back way to a more friendly [jhcloos.com] (OpenSRS [opensrs.org] reseller [opensrs.org]) registrar with password protection and decent security, not to mention immeasurably more useable automated scripts for Web-access account management.
Re:Scarcity will be the impetus (Score:1)
$x) dynamic, non-routable NAT'd addresses
$x) static, non-routable NAT'd addresses
$xx) dynamic, routable addresses
$xx) single static routable address
$xxx) CIDR-block from provider
$2500 and up) ARIN-assigned
$10,000 to $20,000) ARIN-assigned
Provider-sourced CIDRs are often "free" with high-speed dedicated service like DS1/DS3 but they'll nail you if you want more space. Where I work we have some
Home users? I pay a premium for DSL static IP. I'm not sure if they even sell it to modem users anymore.
Re:IPv6 why? (Score:4)
Re:IPv6 why? [a cynic's view] (Score:3)
Which could be one of the things holding v6 deployment back... If end-to-end IPSEC hasn't been deployed in IPv4, simply "mandating" it in IPv6 doesn't make it easier to do. It just ensures that any IPv6 host might accept IPSEC packets from you--- about what you can assume today. (The mere presence of IPSEC capability on a host says nothing about your ability to use IPSEC to communicate with them.)
Mandatory Quality of Service
Lots of IPv6 marketing claims "improved QoS". Most of these claims seem to be based on the presence of a "flow identifier" field in the IPv6 header. A flow identifier alone doesn't do any good without some system to identify meaning to it. Again, QoS doesn't become easier to implement and deploy just because IPv6 requires it. Just because the feature's there doesn't mean the router does anything meaningful with it. (I would welcome any correction--- perhaps I just haven't seen the relevant specification?)
Guaranteed mobile IP addressing
Sure, IPv6 mobility is a better design than current IPv4 mobility. (Now, I happen to think that mobility needs to be handled above the IP layer, but that's an argument for another time...) But there's nothing "guaranteed" about it. In fact, IPv6 mobility depends on having a "AAA" structure, the design of which is still being worked out. Even with the architecture there, "guaranteed" is too strong a word--- only a network's willingness to provide the service gives you the ability to use it.
Automatic Network Configuration
"for Hierarchies?" I don't understand that. Many people view autoconfiguration of devices as a useful thing. But there's no direct support for ad-hoc networking, which is what I tend to think of as "automatic network configuration".
Simpler Headers == Quicker Routing
Software implementation == magnitudes slower routing. So you see a big disadvantage to going to "native" IPv6 until people start creating forwarding hardware for it. Which is expensive, since now you have to have a 128-bit data path (or 256-bit, if you route on source and destination--- as you do for multicast) rather than a 32-bit or 64-bit data path. Perhaps you're referring to the simpler option design? I admit it's worlds better. But in the real world, most packets don't come with options (and those that do get punted up to software), so the real cost is routing lookups. IPv6 claims to make routing tables smaller (using the strict addressing hierarchy)--- we'll see--- but even if they stay the same size, the prefix match gets longer--- which requires either more memory accesses or bigger ternary CAMS. No guarantee of quicker routing in any way.
Mandatory Anycasting
I don't like anycast. It's generally not responsive to higher-level failure, but since it's at the network level, you might be stuck with an unresponsive server for a while. Multicast is a better design decision in the local area.
Mandatory Multicasting
We've had (multi-source) multicast for longer than the Web. It hasn't really been deployed worldwide for a variety of reasons. (Hard to route, hard to bill, hard to debug...) Making it "mandatory" only increases wariness about deploying IPv6. Also, single-source multicast (SSM) looks like it may actually go somewhere, has no address shortage, and is much easier to route and debug. But you don't need to go to v6 to use it.
Mandatory Connection Fail-over Support
I must plead ignorance to this one, too. However, IPv6 can make multihoming your network a much more difficult problem, since you receive different address ranges for your machines from each of your ISPs. Yet, the entire IPv6 address is the endpoint identifier. So, essentially, your choice of address locks you into a particular ISP. Various tunnelling designs have been suggested to improve this, but they increase the complexity of the network. (To be fair, it's not too much worse than multihoming in IPv4--- unless, like Stanford, you already have an AS number for BGP and are not likely to get a TLA in IPv6. Why upgrade?)
IDRP Routing Protocol
Again, I must plead ignorance. But why can't this routing protocol (if it's a good idea) be done with v4?
Re:How does DNSSEC help IPv6? (Score:1)
A good short introduction to DNSSEC [pgp.com]; it is a little bit out of date, as the DNSSEC standards have changed.
Re:But how? (Score:1)
Re:But how? (Score:1)
Think of it this way. IP normally allows you to make certain assumptions, like "one IP, one network interface". That is of course not true in the presence of NAT.
NAT's a cute hack for a thorny problem, but it really plays havoc with the topology of the IP address space, and in the long run I think it's a lousy idea.
And its firewalling is a side effect. People should firewall because they understand the need for firewalls, not because they get it for free when they segment the IP address space.
--
Re:How does DNSSEC help IPv6? (Score:1)
This happens whether or not the Solaris host has any IPv6 interfaces, and regardless of the settings in nsswitch.conf for the ipnodes namespace.
Re:How does DNSSEC help IPv6? (Score:3)
Excellent point, thank you for making it. The deployment of an IPv6-aware DNS server is just one small step. It doesn't address the larger issues involved in deploying IPv6. And I'm somewhat annoyed at CmdrTaco for implying that it does. If all people want is DNSSEC, then that's all they're going to install and configure--- the fact that the software can handle IPv6 is going to be of very limited interest to them.
Or possibly even a source of annoyance if their software starts sending out v6 address requests before looking for the v4 address. I know somebody who has gotten burned by this--- he upgraded his system to support IPv6. The name lookup tries AAAA first, then A. Well, Stanford's load-balancing DNS server returns the wrong thing to the first request ("name not present", basically, rather than "that name exists but we don't have any v6 addresses"), so the nameserver caches the negative answer and returns it in response to the 'A' query as well. Oops, suddenly he can't log into the computer cluster using the normal domain name. It's true that this is a bug with the load-balancing software, not IPv6. It's just yet another hurdle to overcome.
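The failure described in the comment above, as an added example that is not part of the original thread: a toy caching resolver applies negative caching per RFC 2308, where NXDOMAIN covers the whole name while NODATA covers only one (name, type) pair. The host name, address and class names are constructed for illustration, and TTL handling is left out.

```python
"""Why a wrong NXDOMAIN for AAAA also breaks the later A lookup."""
from dataclasses import dataclass, field

NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"


@dataclass
class Response:
    rcode: str
    answers: list = field(default_factory=list)


class Authoritative:
    """Toy authoritative server; `buggy` mimics the load balancer's behaviour."""

    def __init__(self, zone, buggy):
        self.zone = zone          # {(name, rtype): [rdata, ...]}
        self.buggy = buggy
        self.queries = []         # record of what actually reached the server

    def query(self, name, rtype):
        self.queries.append((name, rtype))
        rdata = self.zone.get((name, rtype))
        if rdata:
            return Response(NOERROR, list(rdata))
        name_exists = any(n == name for n, _ in self.zone)
        if name_exists and not self.buggy:
            # Correct answer: NODATA (NOERROR with an empty answer section).
            return Response(NOERROR)
        # Buggy answer for an existing name: "name not present".
        return Response(NXDOMAIN)


class CachingResolver:
    """Negative cache keyed as RFC 2308 describes (TTLs omitted for brevity)."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.positive = {}        # (name, rtype) -> rdata list
        self.nodata = set()       # (name, rtype) known to be empty
        self.nxdomain = set()     # names known not to exist, for ANY type

    def resolve(self, name, rtype):
        if name in self.nxdomain:
            return Response(NXDOMAIN)            # answered from cache
        if (name, rtype) in self.nodata:
            return Response(NOERROR)             # answered from cache
        if (name, rtype) in self.positive:
            return Response(NOERROR, list(self.positive[(name, rtype)]))
        resp = self.upstream.query(name, rtype)
        if resp.rcode == NXDOMAIN:
            self.nxdomain.add(name)
        elif not resp.answers:
            self.nodata.add((name, rtype))
        else:
            self.positive[(name, rtype)] = resp.answers
        return resp


def lookup_host(resolver, name):
    """Client lookup order from the comment: AAAA first, then A."""
    for rtype in ("AAAA", "A"):
        resp = resolver.resolve(name, rtype)
        if resp.rcode == NOERROR and resp.answers:
            return resp.answers
    return []


def demo(buggy):
    """Return (addresses found, queries that reached the authoritative server)."""
    name = "cluster.example.edu"                 # constructed sample name
    zone = {(name, "A"): ["192.0.2.10"]}         # constructed: A record only
    auth = Authoritative(zone, buggy)
    addrs = lookup_host(CachingResolver(auth), name)
    return addrs, auth.queries


if __name__ == "__main__":
    for buggy in (False, True):
        addrs, queries = demo(buggy)
        print(f"buggy={buggy}: addresses={addrs} upstream queries={queries}")
```

With the buggy server the A query never leaves the resolver, so comparing the two query logs is a quick check for this class of misbehaving authoritative server.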
Look who owns NSI (Score:1)
Re:DNSSEC (Score:1)
Yes.
Have the registrars announced any kind of plan or timeline for implementing it?
No.
So its use is restricted to your private LAN, where you are your own certificate authority.
Re:Ah, I see. (Score:1)
Re: (Score:1)
I don't see IPv6 in a near future (Score:1)
Re:Domain Hijacking.... (Score:1)
Tried it? I rely on it when all else fails and I can't get a customer's domain information changed any other way!
Re:No firewall ? Think of it as evolution in actio (Score:1)
Costs us a bundle. I am the one who (among other things) answers the abuse@ email box for my company, and ZoneAlarm generates an awful lot of false alarms, and my salary is not exactly entry-level. I should charge them for my time.
Re:What about MS win2k DNS servers? (Score:1)
You're right, currently, a bind 9 server cannot handle DDNS from an MS client. We hope to have that working at some point in the future. Another possibility (which doesn't always work, of course), is to let the DHCP server send updates for clients, which means that only the DHCP server needs to authenticate to the server. I know this doesn't work in all cases, but I'd also never advocate using an MS client
Re:IPv6 why? (Score:1)
> T. Lee
The creator of the web?
Re:Scarcity will be the impetus (Score:2)
Because they don't actually understand what they are doing.
It makes some sense with a dialup in that IP addresses can be assigned to phone lines, routing is simpler and the ISP only needs as many IPs as they have phone lines, not as many as they have customers.
With a cable modem or ADSL setup the ISP needs as many IPs as they have customers, also changing the IP can complicate things such as routing.
The only reason that I can think of is that it makes it tougher to operate your own server, which a lot of services don't like to have you doing.
Except that there are some trivial ways for the customer to run several kinds of server on a dynamic IP. Also the ISP needs to keep records of who had which IP when, for handling abuse. As well as still having the risk of one idiot getting the whole ISP barred from service or other.
Re:IPv6 why? (Score:2)
Except that a fair portion of these are special purpose or otherwise unusable. Also they can only be assigned as a 2^x block (where 2 are special purpose). So even if you could assign IPv4 addresses with minimal wastage the actual figure is rather less than 4 billion.
Re:No firewall ? Think of it as evolution in actio (Score:1)
At work, I use IPChains. . . .
Re:IPv6 why? (Score:2)
Re:IPv6 why? (Score:1)
yeah, but most companies are gonna want their own IP, same as schools, libraries, governments, organizations
Re: (Score:1)
Re:IPv6 and the IETF (Score:1)
No firewall ? Think of it as evolution in action (Score:1)
Forget IPv6 (Score:1)
jred
www.cautioninc.com [cautioninc.com]
caution, inc.
Yay! an inevitable Internet overhaul! (Score:1)
To answer this technical difficulty, people have the option of using IPv4 tunneling over IPv6, or IPv6 tunneling over IPv4.
IPv6 over IPv4 allows for IPv6 machines to engage in IPv6 networks on non IPv6 ISPs, and IPv4 over IPv6 could be used to link legacy machines over IPNG networks.
Furthermore, nothing says a person cannot use a dual stack system - this would be very similar to running IPX or NetBEUI (Wah!) on a machine that runs IPv4 - I could be 3ffe:b00:c18:1fff:0:0:0:287 and still have 205.179.127.117.
One other thing about IPv6: It does not use subnet masks. Like the good old days of the net, the route to any host can be identified by the IP of the machine in question.
From Cross Nodes [earthweb.com] Obviously, using this scheme we will probably waste a lot of IP addresses, but there should be more than enough networks to relieve our IPv4 induced shortages.
One other item of interest is that your SLA entry should now be based on your hardware ethernet address. This may make large networks easier to manage without DHCP.
If you are interested in IPv6, I highly recommend you read the full article, linked from here [earthweb.com]. (The next version of the Internet protocol -- IPv6)
As for my opinion of this: the sooner the better. I'm loving the security measures IPv6 will implement. Finally I'll be able to deal with 31337 k1dd13z who think ICMP floods are fun.
What about MS win2k DNS servers? (Score:2)
So how can the net itself adopt this when it isn't supported by Microsoft? It's going to be a non-issue like Microsoft not yet supporting ipv6 so therefore it's not going anywhere...
This isn't a troll, it's just the real world. Microsoft effectively is controlling it all and me jumping up and down screaming that "it ain't right" or "it's not standard" isn't going to help. If, for example, I'm forced to support Active Directory down the line, I'm also going to be forced to migrate DNS to Win2k DNS servers because the authentication used by MS clients for DDNS updates is incompatible with DNSSEC and it's either go with a Microsoft solution or loosen security on my DNS servers and then anyone can spoof an update into my DNS server and make dynamic updates. :(
Re:But how? (Score:1)
1) have two separate IP protocol stacks - read the version and send the packet to the correct stack to handle.
2) encapsulate IPv6 into an IPv4 header (like multicast is done now) when it reaches a router that knows the next hop doesn't understand IPv6
The second option requires a change in routing protocols or administrator interference with static routes. (ie you have IPv6 in your site, at your border router, you'll have to encapsulate all outgoing packets into IPv4.)
Re:Scarcity will be the impetus (Score:1)
My cable modem IP is supposedly 'dynamic' but the DHCP lease has never renewed to a different number. I wonder if you called their bluff and said, "yeah, convert me to dynamic" whether you'd ever get a different one, really? At any rate, my brother has a dynamically-assigned cable modem IP thru another company, and his does indeed change. For various reasons, he doesn't want that behavior and has discovered that if he keeps a socket connection going at all times, the IP won't be changed on him. He's programmed a little script to make sure he's always got a socket active. Maybe something like that would work for you.
This discussion brings to mind the question: why would an always-on connection want to alter the IP on you anyway? They've got to assign something, so what good is it doing them? The only reason that I can think of is that it makes it tougher to operate your own server, which a lot of services don't like to have you doing.
Re:Scarcity will be the impetus (Score:1)
You actually *wouldn't* want an always on connection to change. My guess is that places that force a renegotiation of the IP lease on a regular basis do so just to prevent servers -- which is another factor in the cost structure. If you want an always-on-we-don't-care-what-servers-you-run service, there's often a premium to be paid for that as well (in addition to the static IP charges...).
Re:IPv6 why? (Score:1)
I believe, another protocol developed at the same time as IPv4 had a similar version field to that of IPv4, but the value was 5 instead of 4. So to avoid confusion with this rarely used protocol, they skipped to v6.
Numbers, lies, and talking out of your ass.. (Score:1)
One thing I want you to get absolutely sure is that IPv6 is fully backward compatible with v4 AND you can switch an individual host or router from v4 to v6 without cutting out any of your v4 customers. From the first link:
Ease of transition is a key point in the design of IPng. It is not something [that] was added in at the end. IPng is designed to interoperate with IPv4. Specific mechanisms (embedded IPv4 addresses, pseudo-checksum rules, etc.) were built into IPng to support transition and compatibility with IPv4. It was designed to permit a gradual and piecemeal deployment with a minimum of dependencies.
BTW, another poster made a comment about how 'IPv6 is dead till it ships in a microsoft stack. When it does, IPv6 will be real instantly.' What kind of idiocy!?! Did IPv4 just suddenly become important because Microsoft added it to Win95?!? And besides, with something as important as the IP, no one company (or two, even MS + Cisco have their limits) can dictate what and how it will be. Why don't you go and write some applications that use IPv6 in a way that people want and can't be done in IPv4. Then, and only then, does it become real.
--------
Re:But how? (Score:1)
I've spent some time working in kernel space (doing device drivers for proprietary hardware) and someone out there has come up with the idea that a process should be able to handle more than 32 signals (ie the number of signals that fit conveniently into a 32 bit long). Solution? Make the sig_set field bigger, and present some clever functions to set, clear and test individual signals, as well as sets of them. As long as everyone uses these functions instead of accessing the data structures directly, it doesn't really matter how wide the sig_set field is.
As of now, most of these functions are inlined (probably for speed reasons), but if they are not, it means that even if the physical layout of the structure in memory was to change, programs using the functions would keep on working.
It's called "defining an interface", and it's a Good Thing (tm) - most of all when there is some reason to change the internals of something, without needing to change the way it works from the outside.
Still, your concern was what will happen in the transition period, before all systems on the 'Net have switched to the new standard. Probably, the "compatibility" will be backwards-only, and most servers will keep a v4 address just so machines running old software can still access them. However, cleanly written software (using the functions present) will see no real difference at all - they use a different domain for their sockets, but they'll use the same structure (I believe struct host_addr is typedef'd as struct host_addr_ip4 or something similar - the glibc guys will just change that to struct host_addr_ip6).
OK, this is tonnes more than I'm used to writing, so I've probably not really said everything I planned to say, but I hope you'll see that (assuming smart programmers) it's not gonna be a big change to update the protocols.
Re:But how? (Score:1)
Dan Bernstein (Qmail) was the one who suggested the scan. Link here [cotse.com]
Nonetheless, IPv6 is still a good idea because NAT breaks too many things. But we're nowhere near as desperate as they make it out to be.
Re:IPv6 why? (Score:1)
Re:IPv6 why? (Score:1)
The problem with NAT* is that it doesn't work well for any protocol that includes the IP in the data. Protocols like ICQ, IRC, et al, while buggered because they do this, cause a world of pain with NAT. IP Masq gets around this with special modules that recognize the packets and modify the data as well but that's a hack.
Other protocols, like non-passive FTP, require stateful NAT machines or more kludgy hacks. "Ok now, which internal IP just connected to anime.pr0n.net?" Incoming connections don't work at all unless you reserve the port on the NAT box and forward it off. Even then no two internal IPs can use the same port. Again, things like Apache and proftpd have ways around this but again, they're hacks on top of a system that happen to work for that particular system.
NAT isn't an end-all, be-all solution. It works amazingly well for some things, but not for others.
* - I'm leaving out many-to-many NAT here because that would require the NAT machine to listen on just as many IPs as having the machines behind the NAT on the network in the first place.
Re:Are we really running out of IPv4 addresses? (Score:1)
And yes, we already ran out of IP addresses, which is why 10.x.x.x packets hit my firewall from the Internet at large constantly. Portable address blocks are no longer available to small businesses, you have to be an ISP's slave.
--Charlie
Domain Hijacking.... (Score:2)
Has anyone tried this?
Comment removed (Score:4)
Too many links (Score:1)
Some interesting links (Score:3)
The following links are some that i've come across. They are rather interesting at times:
A how-to [securiteam.com] for stealing someone's domain name, which was addressed in the article [nwfusion.com]. Furthermore, the specs for these protocols [ipv6.org] and implementations can be found here [isc.org] and here [isc.org]. There was also a critical interview calling for the implementation of these more secure systems in order to prevent the holes in the current system. [internetnews.com]
Oh no! (Score:1)
DNSSEC (Score:2)
IPv6 why? (Score:1)
As far as i can see, IPv6 doesn't have any benefits over IPv4. The only benefit i can see is that service providers will need to update their equipment to deal with IPv6, and help line the pockets of Cisco et al.
I'm left wondering if i have missed something here? What's so great about IPv6, if we've done without it so far? Or is IPv6 just an incremental upgrade to IPv4 (What happened to IPv5 anyway?)
T. Lee
Re:IPv6 why? (Score:2)
Ugh, an inevitable Internet overhaul. (Score:3)
The only way that IPv6 will be implemented is if all the OSes get their TCP/IP drivers updated (unless this thing is backwards compatible, which doesn't seem to be the case implied by the drastic changes). The current IP standard has a possibility of letting you access a little over 4 billion IP addresses. Since there's 6 billion people on the Earth, and the initiative has been set to give every person at least some kind of access to the 'net, this does need to be updated. But what does this mean? Will subnet masks now resemble 511.511.511.0? Or something similar?
Hopefully, this will be implemented seamlessly, with just a simple driver update. However, I personally think that Nike deserved getting its back orifice reamed; after all, they're the company that has a starting salary of $0.08 an hour.
If hijacking domains are easy... (Score:2)
Re:But how? (Score:1)
Re:But how? (Score:1)
OK, to sum it up: When programs are converted to use IPv6, they just leave the old code in for compatibility. One cmdline param or one checkbox - that's the "awkward if not impossible" transparency. (OK, you'll need proxies between the two nets
Domain Hijacking (Score:1)
Re:If hijacking domains are easy... (Score:1)
Perhaps competition is actually working?
Re:IPv6 and the IETF (Score:2)
Come to think of it, it'd be nice, if the OS did support IPV6, and somehow we could write our applications now for longer ip addresses, and have them run either way. Even on Linux, switching to IPV6 requires recompiling or recoding all your net applications. (Last I looked.)
Re:But how? (Score:2)
The required equipment (a Cisco 675 DSL router) cost $50 when I signed up with the former U S West, plus the $75 setup fee. However, thanks to the suggestion of my ISP, I was able to get an Intel 10/100 NIC for free by saying that I didn't have one, and I got a $100 rebate a few months later. $25 for a DSL router with firewalling and a $40 NIC is a GOOD deal.
My net cost per month is ~$65 -- $30 to Qwest, and the amortized cost of ISP service is something like $35 after a subscription discount. Sure, it might be a little spendy, but with the quality of service I get, I most definitely would say that I am FAR from being sodomized.
Oh, but it's sooo tempting to get a hookup from these guys [onvoy.com]. It's only one static IP, but ooohhh... 1.5Mbit for $90/mo. doesn't seem too outrageous, and their backbone is every bit as good as the one I use right now [visi.com].
Excuse me, I need to go clean myself off...
end comment */
Re:Ugh, an inevitable Internet overhaul. (Score:1)
Re:Nike's not the only one (Score:2)
How does DNSSEC help IPv6? (Score:2)
Don't get me wrong - I want to see IPv6 deployed, and run an IPv6-enabled domain (running FreeBSD), but whilst having a IPv6 enabled DNS server is a necessity, DNSSEC isn't going to affect IPv6, either for or against.
If you want IPv6, you need to hope Microsoft don't delay Whistler again - that will make the biggest difference to getting ISPs to start thinking about deployment.
Re:IPv6 why? (Score:1)
Re: (Score:2)
Re:Domain Hijacking.... (Score:1)
NSI came around, after a week of faxes, emails and threatening phone calls from me and my lawyer.
the FBI wouldn't help because i couldn't honestly say i'd lost more than $5000 in the time my domain was out of my control.
-c
Re: (Score:1)
Re:What about MS win2k DNS servers? (Score:1)
DNSSEC authentication is fully dependent on clients. Servers can give out digital signatures, but clients must be configured to authenticate them for them to be useful. So, if MS doesn't implement DNSSEC, that means that MS clients wouldn't notice spoofing, but others might.
Re:IPv6 why? (Score:1)
Re:What about MS win2k DNS servers? (Score:2)
Anyway, what I meant by spoofing was in the sense that if I ran bind 9 and wanted to allow MS clients to use DDNS, I couldn't use MSes security procedure so I'd have to rely on authentication by IP address range only, which someone could spoof and cause wrongful updates to my DNS server... not a pretty thing to think about...
Re:If hijacking domains are easy... (Score:1)
There are two more common problems in addition to the ones mentioned:
Note that the password is insecure as well since it's sent in the clear when used, twice in the clear if you let it generate the template and mail it to you. Also the encryption algorithm leaves quite a bit to be desired, but that's off topic.
Re:IPv6 why? (Score:1)
Re:DNSSEC and certificate authorities (Score:1)
Don't worry. The responsibility belongs to the current Network Solutions, er, I mean VeriSign Global Registry. That's why DNSSEC is about as useful as tits on a boar hog. Exactly nothing has been done to set up the PKI required to make DNSSEC useful, and it looks like exactly the same will be done for the foreseeable future.
My guess is that ordinary DNS and IPv4 will be still operating the vast majority of the Internet for the next ten years, at the very least.
Re:IPv6 why? (Score:3)
(i'm going to use cut&paste from a calculator now
IPv4 has a 32-bit address-range (duh!) which means there are 4,294,967,296 different addresses. Give everyone on earth a unique address, and there won't be enough of them already! If everyone were to connect their coffee makers, tv-sets and such; well, you see my point.
IPv6, on the other hand, has a 128-bit (!) address-range instead. This'll give us 3,4028236692093846346337460743177e+38 addresses. This leaves enough room for everybody, including their home/work-appliances, for at least the next 10 years.
THAT's the *real* difference.
Scarcity will be the impetus (Score:2)
DNSSEC and certificate authorities (Score:2)
Will we have to pay another few hundred bucks to Verisign and the like for EVERY DNS server? Or is there going to be a cheap or publicly run system for certifying DNSSEC keys?
I don't want to put a new system into place that creates the next Network Solutions.
Nike's not the only one (Score:1)
Re:DNSSEC and certificate authorities (Score:2)
Hijacking Web Pages (Score:1)
Re:IPv6 and the IETF (Score:3)
Sun, who provides a dual stack (IPv4 and IPv6) in Solaris 8 has a "scrubber" utility that will help go through your code and remove IPv4 only functions and such.
Applications written to use the "newer" networking code work fine in IPv4 and IPv6 - like BIND9.
Are we really running out of IPv4 addresses? (Score:1)
So are we really running out? I mean, we won't have enough IPv4 for every person in China to have their own static IP I'm thinking, but that's also a non-issue, due to their Great Firewall. Heck, they could IPMasq the whole country! (probably do anyway).
This sounds more and more like a "global warming" scare, or the "global cooling" scare from the 70s.
Club of Rome, anyone?
Re:But how? (Score:2)
Bah, that's what NAT is for.
I'm kinda scared. When people don't need NAT anymore, many of them won't bother with firewalls...
---
It does not answer my question.... (Score:1)
Clearly half the signature has to be registered on the root servers and half on the child. How is the root one populated? Surely it will be populated the same way the registry for
All it seems to do is to add some delay into the process, ie it takes longer to get verisol to build you a signature, anyone can spoof a company letter head! It might protect IBM or Nike, but not the little guys, cos no one knows much about them letter head wise, company offices et al.
I hear you say it! But it will buy us time, well I had my domain jacked it took netsol 1.5 months and lots of phone calls, to return it to my possession, so it may buy time, but netsol will squander it! My domain redirected to a nice p0rn site for a few days, (the guy wanted access to things for its quick return).
PS it was jacked that way, cos I was stupid enough to have other people register it for me, I hold my own keys now, that is lesson one, make sure you have the keys to your domain not some domain name business!!!! (Plus if they go bust they might take your domain with them!)
James
DNSSEC & BIND, I see problems already... (Score:1)
Re:IPv6 why? (Score:1)
What happened to IPv5 anyway?
IPv1, IPv2, IPv3 were all destroyed during construction. IPv5 mysteriously disappeared 24 hours after being published.
Re:But how? (Score:1)
If the protocol itself isn't backwards-compatible I see no reason why it can't just be wrapped or translated. This is probably moot anyway though, since I'd expect most sites to just run both protocols during transition.
---
Where can the word be found, where can the word resound? Not here, there is not enough silence.
The ability to run on multiprocessor systems? (Score:2)
Uh, no. You've been able to run BIND on multiprocessor systems since the dawn of time. It just wasn't multithreaded before.
Re:That's why I asked. (Score:1)
Re:IPv6 why? (Score:1)
How about
IPv6 and the IETF (Score:5)
Q: Is microsoft going to support it in a release OS?
A: No, but microsoft research has a stack in development
Q: Does Cisco support it?
A: We're working on it.
Then half the room walks out the door, and all that's left is the Kame project talking about how they can tunnel their ipv6 site through ipv4 to see the dancing turtle.
IPv6 is dead till it ships in a microsoft stack. When it does, IPv6 will be real instantly.
And you can quote me on that.
Re:DNSSEC and certificate authorities (Score:1)
So i guess the "parent" is authority. And ultimately, the root servers are.
Re:Ah, I see. (Score:1)
Re:Domain Hijacking.... (Score:1)
The system we have in place requires domain contacts to log in over an SSL connection to make changes to their domains, which is much safer than the email system NSI uses.