[dns-operations] Link-local IP addresses for a resolver?

Joe Abley jabley at hopcount.ca
Wed Sep 25 22:33:37 UTC 2019


On 25 Sep 2019, at 18:18, Warren Kumari <warren at kumari.net> wrote:

> Yes, the best practice and advice is to choose something random, but
> network engineers are humans too, and if you had to remember and try
> tell someone over the phone to use fd5a:8109:a679:180a:45d3:d653:22:1
> or fd00:1::1 as the default gateway, which would you rather do?

You could choose something random then give the end-user a DNSSEC-signed DNS name instead of the address. So long as they are using a centralised resolver service with a long enough privacy policy, a different address family to do the resolution over and the operating system uses DoH by default, security is guaranteed and end-users gain the reliability of having large companies responsible for communicating their local network parameters instead of unreliable local technicians who are invariably up to no good. All we need is the universal deployment of IPv6, DNSSEC and DoH.


Joe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: Message signed with OpenPGP
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190925/8da1e9b4/attachment.sig>


More information about the dns-operations mailing list