[ipv6hackers] dynamic global hostname

Douglas Otis dotis at mail-abuse.org
Tue Oct 11 20:59:52 CEST 2011

On 10/7/11 1:26 PM, Iljitsch van Beijnum wrote:
> This is pretty cool: on my Mac running 10.7 if I set a dynamic global hostname in the sharing settings, I get:
> dulcinea:~ iljitsch$ host dulcinea.bonjour.muada.nl
> dulcinea.bonjour.muada.nl has address
> dulcinea.bonjour.muada.nl has IPv6 address 2001:720:410:100f:7928:189c:e351:8001
> That's at work. At home I'm behind a pretty dumb NAT and then:
> dulcinea:~ iljitsch$ host dulcinea.bonjour.muada.nl
> dulcinea.bonjour.muada.nl has IPv6 address 2001:470:1f0b:1289:e8b3:2400:d959:f2a9
> This also worked under MacOS 10.4 but as of 10.5 IPv6 addresses were no longer registered using dynamic DNS updates because with the IETF mandate for a stateful firewall the thinking was that for IPv6 incoming sessions were even less likely to work than for IPv4, where at least there's NAT-PMP and uPNP IGD.
> Interestingly, most of the time my temporary address is put in the DNS but one time it was the MAC-derived address.
> If you want to experiment, bonjour.muada.nl accepts dynamic updates without authentication. But remember that if you enable advertising services this is exactly what happens and anyone can see what services you run on which address/port.
A service is offered by Apple using (mobile me?) where kerberos 
(rfc4120) uses the Unique Local Address (ULA rfc4193) and runs a dynamic 
DNS update (rfc2136) where IPsec (rfc4301) is employed for end-to-end 
security.  Kerberos is also used to secure DNS-SD (bonjour) stuck as an 
I-D.  It should not matter whether UPnP or NAT-PMP is used, athough 
NAT-PMP scales without causing excessive traffic.  See 

BTW, it appears RDNSS and DNSSL extensions appear to exist as a set of 
patches about to be released in FreeBSD version 9, along with Capsicum 
sandboxing framework, AES-XTS for block level encryption (such as disk 
drives) that avoids the problems of plain CBC chaining. The latest 
snapshots require Itanium platforms.  The release had been scheduled for 
Sept 7, but appears to be running late.


More information about the Ipv6hackers mailing list