[BEHAVE] Some thoughts on DNS synthesis in DNS64, DNS46, and BIH
Dave Thaler <dthaler@microsoft.com> Wed, 10 November 2010 02:56 UTC
Return-Path: <dthaler@microsoft.com>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 82DAA3A6452 for <behave@core3.amsl.com>; Tue, 9 Nov 2010 18:56:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.501
X-Spam-Level:
X-Spam-Status: No, score=-110.501 tagged_above=-999 required=5 tests=[AWL=0.097, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Gasy+4N9YiO for <behave@core3.amsl.com>; Tue, 9 Nov 2010 18:56:46 -0800 (PST)
Received: from smtp.microsoft.com (mail3.microsoft.com [131.107.115.214]) by core3.amsl.com (Postfix) with ESMTP id BDC8D3A67B7 for <behave@ietf.org>; Tue, 9 Nov 2010 18:56:46 -0800 (PST)
Received: from TK5EX14HUBC103.redmond.corp.microsoft.com (157.54.86.9) by TK5-EXGWY-E803.partners.extranet.microsoft.com (10.251.56.169) with Microsoft SMTP Server (TLS) id 8.2.176.0; Tue, 9 Nov 2010 18:57:12 -0800
Received: from TK5EX14MLTW651.wingroup.windeploy.ntdev.microsoft.com (157.54.71.39) by TK5EX14HUBC103.redmond.corp.microsoft.com (157.54.86.9) with Microsoft SMTP Server (TLS) id 14.1.255.3; Tue, 9 Nov 2010 18:57:12 -0800
Received: from TK5EX14MBXW601.wingroup.windeploy.ntdev.microsoft.com ([169.254.1.224]) by TK5EX14MLTW651.wingroup.windeploy.ntdev.microsoft.com ([157.54.71.39]) with mapi; Tue, 9 Nov 2010 18:57:12 -0800
From: Dave Thaler <dthaler@microsoft.com>
To: "'behave' (behave@ietf.org)" <behave@ietf.org>
Thread-Topic: Some thoughts on DNS synthesis in DNS64, DNS46, and BIH
Thread-Index: AcuAapoW8Zqvt5tuQ1CaZ4ZlEK3POAAGASvg
Date: Wed, 10 Nov 2010 02:57:09 +0000
Message-ID: <9B57C850BB53634CACEC56EF4853FF6534381706@TK5EX14MBXW601.wingroup.windeploy.ntdev.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative; boundary="_000_9B57C850BB53634CACEC56EF4853FF6534381706TK5EX14MBXW601w_"
MIME-Version: 1.0
Subject: [BEHAVE] Some thoughts on DNS synthesis in DNS64, DNS46, and BIH
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Nov 2010 02:56:52 -0000
Thinking about the comments on BIH led me to the following observations.
draft-ietf-behave-dns64 section 5.1.4 ("Special exclusion set for AAAA records")
talks about how to handle the fact that some IPv6 addresses are not actually
usable by IPv6-only hosts, and recommends that the DNS64 be configurable
with a set of prefixes to ignore and synthesize anyway, and not return the
original response but only the synthesized one. However there's currently
no text in the dns64 document that says that an admin shouldn't configure
::/0 as an exclusion range.
draft-xli-behave-dns46-for-stateless is supposed to be the DNS46 equivalent
of DNS64. However, it currently doesn't contain any text equivalent to the
above exclusion set. I think this is in error and it should have similar text
(really it should have minimal diffs from DNS64). You could have bogus
A records with 127.0.0.1, 169.*, and other bogon ranges just like bogus AAAA records.
So really the possibilities for synthesis are:
a) Never synthesize if you get any address regardless of validity
b) Perform some hard-coded exclusions
c) Perform configurable exclusions
d) Perform dynamically detected (i.e. autoconfigured or learned) exclusions
based on some not-currently-defined mechanism
The contentious BIH topic is just a special case of dns46, and the same
possibilities apply. My opinion is that BIH and dns46 should have text
equivalent to dns64 section 5.1.4.
An implementer of any DNS synthesis mechanism (whether DNS64, DNS46,
or the BIH use of DNS46) should just implement the ability to have
configurable exclusions (c in the above list).
The rest of the discussion is then just about guidance to those who configure
such things, and what is or is not appropriate to exclude. And various
categories exist independent of DNS46 vs DNS64 vs BIH that can be
discussed as to whether they should be excluded by default, are ok
to configure to exclude, or should not be configured exclusions, listed
below in rough order of least-to-most contentious:
* Addresses that should never appear in DNS or on the wire
* Addresses that are known to be permanently unreachable (e.g.
net 10, ULA space) from the DNS synthesizer's network
* Addresses that are observed to be problematic/flaky (maybe 6to4
in some cases?)
* Addresses that would work but the admin would prefer to avoid
by policy
* All addresses for a given IP version (which actually might be the
same as one of the previous 3)
-Dave
- [BEHAVE] Some thoughts on DNS synthesis in DNS64,… Dave Thaler
- Re: [BEHAVE] Some thoughts on DNS synthesis in DN… teemu.savolainen