[dns-operations] Link-local IP addresses for a resolver?

Warren Kumari warren at kumari.net
Thu Sep 26 02:05:18 UTC 2019

On Wed, Sep 25, 2019 at 6:33 PM Joe Abley <jabley at hopcount.ca> wrote:
> On 25 Sep 2019, at 18:18, Warren Kumari <warren at kumari.net> wrote:
> > Yes, the best practice and advice is to choose something random, but
> > network engineers are humans too, and if you had to remember and try
> > tell someone over the phone to use fd5a:8109:a679:180a:45d3:d653:22:1
> > or fd00:1::1 as the default gateway, which would you rather do?
> You could choose something random then give the end-user a DNSSEC-signed DNS name instead of the address.

That only works once they have a working network, which is why I used
the example of "default gateway" and not "browse to
fd5a:8109:a679:180a:45d3:d653:22:1". I've seen people encode the
building number / floor / VLAN / etc. into the network address; when
you are configuring a router you almost always enter the interface address
instead of using DNS, etc. Having a deterministic and easy-to-remember
address is much, much easier at 3AM; I'm less likely to typo
fd00:13:1 than fde3:783e:127d:, etc.

I personally don't use ULAs / site local, but I fully understand why
those who do use easy addresses...

> So long as they are using a centralised resolver service with a long enough privacy policy, a different address family to do the resolution over and the operating system uses DoH by default, security is guaranteed and end-users gain the reliability of having large companies responsible for communicating their local network parameters instead of unreliable local technicians who are invariably up to no good. All we need is the universal deployment of IPv6, DNSSEC and DoH.

Yup, let me know once that's done and I'll buy you dinner :-P

> Joe

I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
