Re: [BEHAVE] [Francis.Dupont@fdupont.fr: [dnsext] DNS64 and lying cache servers]
<teemu.savolainen@nokia.com> Mon, 03 August 2009 06:42 UTC
Return-Path: <teemu.savolainen@nokia.com>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C6D6C3A6D53 for <behave@core3.amsl.com>; Sun, 2 Aug 2009 23:42:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.798
X-Spam-Level:
X-Spam-Status: No, score=-5.798 tagged_above=-999 required=5 tests=[AWL=0.801, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eF14aeRxJjSM for <behave@core3.amsl.com>; Sun, 2 Aug 2009 23:42:56 -0700 (PDT)
Received: from mgw-mx06.nokia.com (smtp.nokia.com [192.100.122.233]) by core3.amsl.com (Postfix) with ESMTP id E0ADB3A6D63 for <behave@ietf.org>; Sun, 2 Aug 2009 23:42:55 -0700 (PDT)
Received: from vaebh106.NOE.Nokia.com (vaebh106.europe.nokia.com [10.160.244.32]) by mgw-mx06.nokia.com (Switch-3.3.3/Switch-3.3.3) with ESMTP id n736gTIe021051; Mon, 3 Aug 2009 09:42:42 +0300
Received: from esebh102.NOE.Nokia.com ([172.21.138.183]) by vaebh106.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 3 Aug 2009 09:42:36 +0300
Received: from vaebh101.NOE.Nokia.com ([10.160.244.22]) by esebh102.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 3 Aug 2009 09:42:36 +0300
Received: from smtp.mgd.nokia.com ([65.54.30.6]) by vaebh101.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Mon, 3 Aug 2009 09:42:27 +0300
Received: from NOK-EUMSG-01.mgdnok.nokia.com ([65.54.30.106]) by nok-am1mhub-02.mgdnok.nokia.com ([65.54.30.6]) with mapi; Mon, 3 Aug 2009 08:42:25 +0200
From: teemu.savolainen@nokia.com
To: charliep@wichorus.com, ajs@shinkuro.com, Francis.Dupont@fdupont.fr
Date: Mon, 03 Aug 2009 08:41:21 +0200
Thread-Topic: [BEHAVE] [Francis.Dupont@fdupont.fr: [dnsext] DNS64 and lying cache servers]
Thread-Index: AcoTwwoDQ50kzBAjSsicpjXtSyQjWgAQWyXQ
Message-ID: <18034D4D7FE9AE48BF19AB1B0EF2729F3A70E27FC5@NOK-EUMSG-01.mgdnok.nokia.com>
References: <20090731074443.GA14355@shinkuro.com> <4A7611F0.9030201@gmail.com> <4A761728.6010509@wichorus.com>
In-Reply-To: <4A761728.6010509@wichorus.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 03 Aug 2009 06:42:27.0060 (UTC) FILETIME=[90D2B340:01CA1405]
X-Nokia-AV: Clean
Cc: behave@ietf.org
Subject: Re: [BEHAVE] [Francis.Dupont@fdupont.fr: [dnsext] DNS64 and lying cache servers]
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Aug 2009 06:42:57 -0000
Hi, For me this sounds exactly like the split-DNS problem I describe here: draft-savolainen-mif-dns-server-selection (http://tools.ietf.org/html/draft-savolainen-mif-dns-server-selection-00) and what we discuss in MIF WG. Essentially even today multi-interfaced hosts can not really trust DNS information being fully coherent between different administrative domains. I plan to include the faked AAAA records as additional example of private information DNS servers are providing, and information that must be used only in the administrative domain they were learned from. Best regards, Teemu >-----Original Message----- >From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org] >On Behalf Of ext Charles E. Perkins >Sent: 03 August, 2009 01:46 >To: Andrew Sullivan >Cc: behave@ietf.org >Subject: Re: [BEHAVE] [Francis.Dupont@fdupont.fr: [dnsext] >DNS64 and lying cache servers] > > >Hello folks, > >There is a reference below to a disaster that can occur when >DNS64 encounters mobility. Is there something more I can read >about this? > >Thanks in advance for any pointers to reading material. > >Regards, >Charlie P. > > > >Brian E Carpenter wrote: >> It's an interesting point but it misses the point IMHO: >> we *have* to lie to classical IPv6-only hosts. >> >> I've always preferred the stub resolver approach, right back to >> draft-van-beijnum-v6ops-mnat-pt-00.txt, but that preference >is useless >> if the real world contains classical IPv6 hosts. >> >> Brian >> >> >> On 2009-07-31 19:44, Andrew Sullivan wrote: >> >>> Dear colleagues, >>> >>> Some of the participants in dnsext are reluctant to join another >>> mailing list the subject of which is mostly not of interest to them. >>> I have offered to accept comments from those participants >and forward >>> them to behave when appropriate and if asked. Attached is one such >>> example. >>> >>> A >>> >>> >>> >>> >--------------------------------------------------------------------- >>> --- >>> >>> Subject: >>> [dnsext] DNS64 and lying cache servers >>> From: >>> Francis Dupont <Francis.Dupont@fdupont.fr> >>> Date: >>> Wed, 29 Jul 2009 14:28:26 +0200 >>> To: >>> namedroppers@ops.ietf.org >>> >>> To: >>> namedroppers@ops.ietf.org >>> >>> >>> [Please forward this to the behave mailing-list] >>> >>> [I use the term "cache server" as a synonym of "recursive DNS >>> server"] >>> >>> DNS64 (draft-ietf-behave-dns64-00.txt) is usually presented with a >>> cache server serving a lot of NAT64 IPv6-only clients and >performing >>> AAAA RR synthesis from A RRs to make external IPv4-only servers >>> reachable through a NAT64 translator. >>> >>> So this is essentially a lying cache server: this is *bad* for the >>> usual reason (it breaks DNSSEC). Worse, its lie is very location >>> dependent, so it has very bad interaction when the DNS is >assumed to >>> be location independent, for instance with Mobility. >>> >>> But as explained in the draft at the end of the section 2 Overview >>> this is not the only way to deploy DNS64: in the "DNS64 in stub- >>> resolver mode" the synthesis is done as close as possible to the >>> client so there is no longer lying issues. >>> >>> Note this doesn't extend to some other lying DNS proposals from NAT >>> based IPv6/IPv4 transition mechanisms because DNS64 uses a >small set >>> of static parameters (mainly the Pref64::/n) which is the >only state >>> of the synthesis process. >>> >>> So I recommend the DNSEXT WG to advise to put more work into the >>> sub-resolver mode (producing DNS64 capable stub-resolvers, which >>> should be very easy, and solving the DNS64 parameter distribution >>> issue) than into the DNS server mode which should be >recognized as an >>> example of a false good idea. >>> >>> Regards >>> >>> Francis.Dupont@fdupont.fr >>> >>> PS: Acknowledgments to Mark Andrews who introduced the strong but >>> correct "lying" term, and to Wassim Haddad who remarked DNS64 and >>> Mobility together can easily lead to disasters. >>> >>> -- >>> to unsubscribe send a message to namedroppers-request@ops.ietf.org >>> with the word 'unsubscribe' in a single line as the message >text body. >>> archive: <http://ops.ietf.org/lists/namedroppers/> >>> >>> >>> >--------------------------------------------------------------------- >>> --- >>> >>> _______________________________________________ >>> Behave mailing list >>> Behave@ietf.org >>> https://www.ietf.org/mailman/listinfo/behave >>> >> _______________________________________________ >> Behave mailing list >> Behave@ietf.org >> https://www.ietf.org/mailman/listinfo/behave >> > >_______________________________________________ >Behave mailing list >Behave@ietf.org >https://www.ietf.org/mailman/listinfo/behave >
- [BEHAVE] [Francis.Dupont@fdupont.fr: [dnsext] DNS… Andrew Sullivan
- Re: [BEHAVE] [Francis.Dupont@fdupont.fr: [dnsext]… Brian E Carpenter
- Re: [BEHAVE] [Francis.Dupont@fdupont.fr: [dnsext]… Charles E. Perkins
- Re: [BEHAVE] [Francis.Dupont@fdupont.fr: [dnsext]… teemu.savolainen