Re: ZONE and VIEW options (Re: 49'th IETF DNSEXT agenda)
At 09:15 06/12/2000 -0800, Michael Sawyer wrote:
> > Server A
> > view INT primary for .company
> > view EXT primary for .company
> >
> > Server B
> > view INT primary for .firm
> > view EXT primary for .firm
> >
> > Server C
> > view EXT secondary for .company
> > view EXT secondary for .firm
> > view INT secondary for .club
> >
> > a client trying to check that the EXT view of .firm was consistent would have
> > to configure himself with two different names for the same view.
>
>Actually, in that case, you wouldn't really need the VIEW option. Server
>C, being a third-party server would be outside the network, would get the
>EXT views by default.
Let's consider view EXT the view belonging to an extranet, rather than "the
public view"; that makes it more interesting.
Apart from the name clash, the other interesting case is if the manager for
B tries to look at his extranet's EXT view for .firm on C and gets returned
the information for the EXT view for .company.
This shouldn't be a problem unless they have conflicting definitions of
something (the root zone, for instance), but could get confusing.
Of course the paranoid among us see it as a security problem.....
If you want to make a hard problem harder, drop the word "security" in - I
think you need an option to specify that views are visible on specific
interfaces only, in order to satisfy the paranoid among us.
But you probably already have that, just not in this document.
Sigh.
--
Harald Tveit Alvestrand, alvestrand@cisco.com
+47 41 44 29 94
Personal email: Harald@Alvestrand.no