
RE: [ga] Alternative roots


> From: Dassa [mailto:dassa@dhs.org]
> Sent: Tuesday, April 24, 2001 4:53 AM
> 
> |> -----Original Message-----
> |> On Behalf Of L Gallegos
> |> Sent: Tuesday, April 24, 2001 5:49 AM
> |>
> <SNIP>
> |> No we don't!  That's a collision in the DNS and will cause
> |> problems.
> |> The business issue and the DNS issue are two very
> |> different issues.
> |> While both are important, the collision factor is a huge "Don't."
> <SNIP>
> 
> One thing we should keep in mind.  If you accept these alternative
> name spaces as being a part of the legacy root, then there may be
> collisions.  I consider them private name spaces and as such, they are
> not going to cause collisions, they should not be using Internet
> routable addressing to reach the hostnames within.  Much the same as
> any business which runs its own DNS and has their own private name
> space.  They are not a part of the legacy root and as such, they are
> private name spaces.

A few things render this premise faulty:
1) Under COM, a domain is delegated name space, not private.
2) They don't cause collisions because they are delegated and no one 
   else is allowed to declare names therein.
3) A business under COM is indeed under the legacy root. Firewalls
   notwithstanding.

> These private name spaces may grow enough to overshadow the legacy
> Internet name space but at present they are a totally separate entity
> and do not belong within the legacy name space.  By providing Internet
> routable addressing within those private name spaces they are actually
> going against the accepted RFC's that govern the legacy name space.
> 
> I run a few private name spaces myself, I do follow the rules however
> and they are not routable on the Internet.  However, it would not be
> difficult for me to do so.  Many others can also.  Once you allow some
> private name spaces into the Internet name space you will be opening
> the flood gates for any private name space to make claim.  Some of the
> non-Internet routable name spaces have been around for years also.

Even if you don't allow access from the rest of the Internet, a conflicting
delegation can still affect your internal operations. For example, I have
the real case where I run the VPN TLD. Were someone ELSE to get a VPN
delegation in the legacy root, I could never access those hosts because it
would conflict with my own VPN zone. This particular collision scenario is
called "masking". In some security environments, this may be done
intentionally, controlling access to external systems. There are various
sub-scenarios where the external VPN may actually prevent your access to
your own VPN systems or even let one of those external systems masquerade as
one of your own (violating your security).
--
This message was passed to you via the ga-full@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga-full" in the body of the message).
Archives at http://www.dnso.org/archives.html
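The "masking" scenario in the message above (a private VPN TLD shadowed by a conflicting delegation of the same label in the legacy root) can be made concrete with a small simulated resolver. This is an added illustration, not code from the thread or from any DNSO participant: the zone contents, the addresses and the resolver policies are all constructed for the example, and no real DNS queries are made.

```python
"""
Simulated DNS resolution to illustrate "masking": a private TLD zone
("vpn") being shadowed by a conflicting delegation of the same label in the
public (legacy) root.  All zone data below is constructed for this example.
"""

# Constructed public root: it delegates "com" and, in the conflict scenario,
# someone ELSE's "vpn" zone with Internet-routable addresses.
PUBLIC_ROOT = {
    "com": {"example.com": "192.0.2.10"},
    "vpn": {"gateway.vpn": "203.0.113.5"},   # external operator's VPN zone
}

# Constructed private name space: our own "vpn" TLD on RFC 1918 addresses.
PRIVATE_ZONES = {
    "vpn": {"gateway.vpn": "10.0.0.1", "fileserver.vpn": "10.0.0.2"},
}


def tld_of(name):
    """Return the rightmost label of a hostname ("gateway.vpn" -> "vpn")."""
    return name.rstrip(".").rsplit(".", 1)[-1]


def resolve(name, order=("public", "private")):
    """Resolve `name` by consulting name spaces in `order`.

    The first source that is authoritative for the TLD answers, even if the
    exact hostname is absent there (that is an NXDOMAIN, returned as None).
    A later source is never consulted for that TLD, which is exactly how a
    conflicting public delegation masks a private zone of the same name.
    """
    tld = tld_of(name)
    for source in order:
        zones = PUBLIC_ROOT if source == "public" else PRIVATE_ZONES
        if tld in zones:
            return source, zones[tld].get(name)
    return None, None


def resolve_split(name):
    """Deliberate split-horizon policy: private TLDs are answered only from
    the private zones; everything else goes to the public root.

    This masks the *external* zone instead, which is the intentional form of
    masking the message mentions (controlling access to external systems).
    """
    tld = tld_of(name)
    if tld in PRIVATE_ZONES:
        return "private", PRIVATE_ZONES[tld].get(name)
    if tld in PUBLIC_ROOT:
        return "public", PUBLIC_ROOT[tld].get(name)
    return None, None


def find_collisions(public_root, private_zones):
    """Check a defender would run: private TLDs that also exist as
    delegations in the public root.  Any label listed here is at risk of
    being masked (or of having external hosts impersonate internal ones)."""
    return sorted(set(private_zones) & set(public_root))


if __name__ == "__main__":
    # Public-first resolver: our own fileserver is unreachable (masked) ...
    print(resolve("fileserver.vpn"))            # ('public', None)
    # ... and the external gateway answers for our internal gateway's name.
    print(resolve("gateway.vpn"))               # ('public', '203.0.113.5')
    # Private-first resolver restores our own view of the zone.
    print(resolve("gateway.vpn", order=("private", "public")))
    print(resolve_split("gateway.vpn"))         # ('private', '10.0.0.1')
    print(find_collisions(PUBLIC_ROOT, PRIVATE_ZONES))   # ['vpn']
```

The two lookups under the default public-first order show both sub-scenarios from the message: `fileserver.vpn` is lost entirely, and `gateway.vpn` resolves to the external operator's address, so an outside system now answers to the name of an internal one. `find_collisions` is the check worth running against whatever private labels an organisation uses before relying on them.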


