In message <alpine.OSX.2.11.1612291855380.37956@xxxxxx>, "John R Levine" writes:

> > It sounds like you want a homenet router.
>
> Possibly, but I'd rather have a v6 network where the addresses hold still.

Well there are routers that do keep internal prefixes stable. It isn't that hard to say interface A has 0 in bits 49 to 64 and interface B is 1 in bits 49 to 64 etc. This works with almost any prefix length the ISP gives you by filling in the least significant bits. Then as long as you get the same prefix from the ISP all your addressing is stable even without ULA. With ULAs you can assign the /64s to each interface. This doesn't prevent PA prefixes co-existing with the ULAs.

> > Mind you a lot of this would be a non-issue if hosts used the DNS
> > to its full potential by updating their own addresses in the DNS
> > using SIG(0) signed UPDATE messages when their addresses change.
>
> That would be swell except the DNS server's address changes, too.

So what. The DNS server's addresses are in the DNS so UPDATEs still work. Normally a router will be a recursive DNS server so it can advertise its own addresses via DHCP and RA, or it will learn recursive server addresses these ways and re-advertise them on its local links.

There is NOTHING but inertia stopping the entire DNS being securely dynamically updated over the DNS. That includes updating DS, NS and glue address records in parent zones. The only thing that needs longer term stability are the root servers. Even they can change slowly. Nameservers can learn when they have new addresses and send out signed UPDATE messages to update glue records in parent zones. We can even redirect these update messages to specialised machines that just process the update messages. We even have a SRV prefix defined to allow a zone operator to do this. Apple (with DYN I believe) registered this about a decade ago now. They did that to allow CPE routers to register their public addresses in the DNS when they were updated via DHCP. This works equally well for IPv4 or IPv6.

It isn't that hard to figure out the addresses of DNS servers. We do that all the time to send out NOTIFY messages. There is no need for a slave server to have a hard coded list of addresses to transfer the zone from. It is just inertia at this stage. Adding this functionality to named has been on my todo list for years now. It's just not got to the top. It can use the last signed NOTIFY source address or look up the master server's addresses in the DNS by name. TSIG will prevent transfers from false masters succeeding.

Mark

> R's,
> John

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@xxxxxxx
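The subnet-numbering scheme described in the first reply above (interface A gets 0 in the subnet-ID bits, interface B gets 1, and so on, filled in from the least significant bits below /64 regardless of the length of the ISP's delegated prefix, with a ULA /48 numbered the same way alongside it) is shown here as an added, stand-alone example; it is not code from the thread or from ISC's named. It uses only the Python standard library. The delegated prefixes, the 40-bit ULA global ID and the interface names are constructed sample values. It generalises the text slightly by handling any delegated prefix length up to /64 and refusing an interface index that does not fit in the free bits.

```python
import ipaddress

SUBNET_LEN = 64  # every interface gets one /64 so SLAAC keeps working


def interface_subnet(delegated, iface_index, subnet_len=SUBNET_LEN):
    """Return the /64 for interface number `iface_index` inside `delegated`.

    The interface index is written into the least significant bits of the
    subnet ID (the bits between the delegated prefix length and /64), so a
    /48 leaves 16 free bits, a /56 leaves 8, a /60 leaves 4.  As long as the
    ISP hands back the same prefix the resulting /64s do not move.
    """
    net = ipaddress.IPv6Network(delegated, strict=True)
    free_bits = subnet_len - net.prefixlen
    if free_bits < 0:
        raise ValueError(f"{delegated} is longer than /{subnet_len}; nothing to subnet")
    if not 0 <= iface_index < (1 << free_bits):
        raise ValueError(
            f"interface index {iface_index} does not fit in {free_bits} free bit(s) of {delegated}"
        )
    # Shift the index up past the 64 host bits so it lands in the subnet-ID hextet.
    subnet_int = int(net.network_address) | (iface_index << (128 - subnet_len))
    return ipaddress.IPv6Network((subnet_int, subnet_len))


def ula_prefix(global_id):
    """Build the fd00::/8 ULA /48 for a 40-bit global ID (RFC 4193 layout).

    The global ID is normally generated pseudo-randomly once and stored; a
    fixed constructed value is passed in here so the result is reproducible.
    """
    if not 0 <= global_id < (1 << 40):
        raise ValueError("ULA global ID must be a 40-bit value")
    prefix_int = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def address_plan(delegated, global_id, interfaces):
    """Map each interface name to its PA /64 and its ULA /64.

    Both prefixes use the same interface index, so the site-local numbering is
    identical whether a host is reached over the PA or the ULA prefix.
    """
    ula = ula_prefix(global_id)
    plan = {}
    for index, name in enumerate(interfaces):
        plan[name] = {
            "pa": str(interface_subnet(delegated, index)),
            "ula": str(interface_subnet(ula, index)),
        }
    return plan


def renumber_diff(old_plan, new_plan):
    """Return the interfaces whose PA /64 changed after a new delegation.

    Used to check the claim that a changed ISP prefix only moves the PA side
    while the ULA side (and the per-interface index) stays put.
    """
    return sorted(
        name for name in old_plan
        if old_plan[name]["pa"] != new_plan[name]["pa"]
    )


if __name__ == "__main__":
    interfaces = ["lan", "guest", "iot"]        # constructed interface names
    gid = 0x0123456789                           # constructed 40-bit ULA global ID
    first = address_plan("2001:db8:1234::/48", gid, interfaces)   # constructed /48
    second = address_plan("2001:db8:5678:ab00::/56", gid, interfaces)  # constructed /56 after ISP renumbering
    for name in interfaces:
        print(f"{name:6} PA {first[name]['pa']:>28}  ULA {first[name]['ula']}")
    print("PA subnets moved on renumbering:", renumber_diff(first, second))
    print("ULA subnets unchanged:",
          all(first[n]["ula"] == second[n]["ula"] for n in interfaces))
```

Run it as a script to print the plan for a constructed /48 and then the same plan after the ISP hands back a /56: every PA /64 changes, every ULA /64 and every interface index stays the same, which is the stability the reply is describing.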