tech-net archive


Re: lpd with clients using "privacy" addresses



> I noticed that modern Windows machines couldn't lpr-print via our lpd
> anymore after upgrading it to dual-stack.

> The reason is that a) Windows (post-XP) has privacy addresses and
> interface id randomization enabled per default, and especially the
> former somehow don't make it easy (or actually, desirable) to have
> matching forward and backward resolved names in DNS.

> OTOH, lpd checks for matching reverse and forward resolved names
> *before* checking whether it needs to test for an explicit hostname.

> [...].  Comments?

Comments?

I would say lpd is the canary in the coalmine.  The right thing to do
is to fix your rDNS - to fix, work around, or stop using whatever is
breaking it.  Patching lpd is basically sticking your fingers in your
ears and going LA LA LA I CAN'T HEAR YOU when lpd points out the
brokenness.

> +A machine using IPv6 privacy addresses (which, by definition, can't have
> +name resolution in both directions)

This actually is not true.

Privacy addresses are about tracking - or, more precisely, preventing
tracking - whether the node making a given transaction is the same as
the node that made some past transaction.

DNS resolution has just about nothing to do with this.  If you think it
does, I suspect you are thinking of the DNS name as being tied to the
node rather than to the address; there's no reason a privacy address
couldn't have a forward name pointing to it and a reverse name pointing
back, and this breaks the privacy goal only if the name (or the
address) is somehow tied to the node in question.

But if a node uses ...:ecfe:8270:659b:9f01, which has the name
ecfe-8270-659b-9f01.privacy.example.com with full forward and reverse
DNS, this says nothing about whether it is the same node as the one
that used ...:e017:114f:8dad:edab with name
e017-114f-8dad-edab.privacy.example.com in the past.  It wouldn't even
be very hard to set up the DNS.  I could probably do it as a BIND
backend in an afternoon (hm, maybe two afternoons; it's been a while
since I mucked about with BIND backends); someone familiar with the
backend interface of other DNS servers could probably do likewise with
them.

Is it worth doing that?  Maybe.  Depends on the tradeoffs for the
environment in question.  Personally, I think that the degree of
paranoia that inheres in wanting to use privacy addresses of this sort
is inconsistent with a desire to communicate with general-purpose
peers.

I don't expect everyone to agree.  In fact, given past trends, I would
be surprised if more than a handful of people agreed.

But those are my comments.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse%rodents-montreal.org@localhost
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
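The scheme sketched above, as an added example (not code from the thread, from lpd or from any BIND backend): a synthetic zone that derives a forward name from the interface identifier of a privacy address and derives the address back from that name, plus the reverse-then-forward consistency test that lpd applies. The /64 prefix 2001:db8:1:1::/64 is a constructed documentation prefix standing in for the one the post elides; the zone name privacy.example.com is the post's.

```python
import ipaddress
from typing import Callable, Iterable, Optional

PRIVACY_ZONE = "privacy.example.com"                          # zone used in the post
PRIVACY_PREFIX = ipaddress.IPv6Network("2001:db8:1:1::/64")   # constructed /64


def privacy_name(addr: str) -> Optional[str]:
    """Synthesize the forward name for a privacy address: the four 16-bit
    groups of its interface identifier, hyphen-joined, under PRIVACY_ZONE.
    Returns None for addresses outside PRIVACY_PREFIX (no synthetic PTR)."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in PRIVACY_PREFIX:
        return None
    iid = int(ip) & ((1 << 64) - 1)
    groups = [f"{(iid >> shift) & 0xFFFF:04x}" for shift in (48, 32, 16, 0)]
    return "-".join(groups) + "." + PRIVACY_ZONE


def privacy_address(name: str) -> Optional[str]:
    """Inverse mapping for the synthetic zone: rebuild the address from the
    hyphenated label.  Returns None if the name is not of the synthetic form."""
    label, _, zone = name.partition(".")
    groups = label.split("-")
    if zone != PRIVACY_ZONE or len(groups) != 4:
        return None
    if any(len(g) != 4 or not all(c in "0123456789abcdef" for c in g) for g in groups):
        return None
    iid = int("".join(groups), 16)
    return str(ipaddress.IPv6Address(int(PRIVACY_PREFIX.network_address) | iid))


def forward_reverse_match(addr: str,
                          ptr: Callable[[str], Optional[str]],
                          aaaa: Callable[[str], Iterable[str]]) -> bool:
    """The lpd-style consistency test the thread is about: map the peer's
    address to a name (PTR), map that name back to addresses (AAAA), and
    accept only if the original address is among them."""
    name = ptr(addr)
    if name is None:
        return False
    want = ipaddress.IPv6Address(addr)
    return any(ipaddress.IPv6Address(a) == want for a in aaaa(name))


# The backend the post imagines: PTR and AAAA answered from the mapping alone.
def synthetic_ptr(addr: str) -> Optional[str]:
    return privacy_name(addr)


def synthetic_aaaa(name: str) -> Iterable[str]:
    back = privacy_address(name)
    return [back] if back else []
```

Nothing in the synthesized name identifies the node, only the address it is currently using, so two privacy addresses from the same host pass the lpd check without being linkable through DNS.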

