Re: [BEHAVE] [Francis.Dupont@fdupont.fr: [dnsext] DNS64 and lying cache servers]

Brian E Carpenter <brian.e.carpenter@gmail.com> Sun, 02 August 2009 22:25 UTC

Message-ID: <4A7611F0.9030201@gmail.com>
Date: Mon, 03 Aug 2009 10:23:44 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Andrew Sullivan <ajs@shinkuro.com>
References: <20090731074443.GA14355@shinkuro.com>
In-Reply-To: <20090731074443.GA14355@shinkuro.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: behave@ietf.org
Subject: Re: [BEHAVE] [Francis.Dupont@fdupont.fr: [dnsext] DNS64 and lying cache servers]

It's an interesting point but it misses the point IMHO:
we *have* to lie to classical IPv6-only hosts.

I've always preferred the stub resolver approach, right back
to draft-van-beijnum-v6ops-mnat-pt-00.txt, but that preference is
useless if the real world contains classical IPv6 hosts.

   Brian


On 2009-07-31 19:44, Andrew Sullivan wrote:
> Dear colleagues,
> 
> Some of the participants in dnsext are reluctant to join another
> mailing list the subject of which is mostly not of interest to them.
> I have offered to accept comments from those participants and forward
> them to behave when appropriate and if asked.  Attached is one such
> example.
> 
> A
> 
> 
> 
> ------------------------------------------------------------------------
> 
> Subject: [dnsext] DNS64 and lying cache servers
> From: Francis Dupont <Francis.Dupont@fdupont.fr>
> Date: Wed, 29 Jul 2009 14:28:26 +0200
> To: namedroppers@ops.ietf.org
> 
> [Please forward this to the behave mailing-list]
> 
> [I use the term "cache server" as a synonym of "recursive DNS server"]
> 
> DNS64 (draft-ietf-behave-dns64-00.txt) is usually presented with
> a cache server serving a lot of NAT64 IPv6-only clients and performing
> AAAA RR synthesis from A RRs to make external IPv4-only servers
> reachable through a NAT64 translator.
> 
> So this is essentially a lying cache server: this is *bad* for the
> usual reason (it breaks DNSSEC). Worse, its lie is very location
> dependent, so it has very bad interaction when the DNS is assumed
> to be location independent, for instance with Mobility.
> 
> But as explained in the draft at the end of section 2, Overview,
> this is not the only way to deploy DNS64: in the "DNS64 in stub-
> resolver mode" the synthesis is done as close as possible to the
> client, so there are no longer any lying issues.
> 
> Note this doesn't extend to some other lying DNS proposals from
> NAT based IPv6/IPv4 transition mechanisms because DNS64 uses a
> small set of static parameters (mainly the Pref64::/n) which is
> the only state of the synthesis process.
> 
> So I recommend that the DNSEXT WG advise putting more work into
> the stub-resolver mode (producing DNS64-capable stub-resolvers,
> which should be very easy, and solving the DNS64 parameter
> distribution issue) than into the DNS server mode, which should be
> recognized as an example of a false good idea.
> 
> Regards
> 
> Francis.Dupont@fdupont.fr
> 
> PS: Acknowledgments to Mark Andrews who introduced the strong but
> correct "lying" term, and to Wassim Haddad who remarked DNS64 and
> Mobility together can easily lead to disasters.
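The following is an added illustration for readers of this thread; it is not code from the DNS64 draft, from any resolver, or from either poster. It shows the synthesis step Francis describes: the AAAA record is produced purely from the A record plus the static Pref64::/n, so the mapping (and its inverse, which the NAT64 translator applies) can be computed anywhere, including in a stub resolver after the client has validated the A RRset itself. It assumes the IPv4-embedded address format that was later standardised in RFC 6052 (prefix lengths 32, 40, 48, 56, 64 and 96, with bits 64 to 71 kept zero); the 2009 draft discussed here predates that RFC. All prefixes and addresses in the examples are constructed from documentation ranges.

```python
"""DNS64 AAAA synthesis from an A record using only a static Pref64::/n.

Assumption: the RFC 6052 IPv4-embedded address layout.  The IPv4 address
follows the prefix bit-for-bit, except that the "u" octet (bits 64-71)
is skipped and left zero, so for prefixes of /64 or shorter the IPv4
address straddles that octet.
"""
import ipaddress
from typing import Optional

EMBED_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _bits(value: int, width: int) -> str:
    """Fixed-width big-endian bit string of `value`."""
    return format(value, f"0{width}b")


def synthesize_aaaa(pref64: str, ipv4: str) -> str:
    """Return the AAAA address a DNS64 would synthesise for `ipv4`.

    Pref64::/n is the only state involved, which is why the same
    computation can run in a stub resolver instead of a cache server.
    """
    net = ipaddress.IPv6Network(pref64, strict=True)
    plen = net.prefixlen
    if plen not in EMBED_PREFIX_LENGTHS:
        raise ValueError(f"/{plen} is not a valid Pref64 length")
    prefix_bits = _bits(int(net.network_address), 128)[:plen]
    v4_bits = _bits(int(ipaddress.IPv4Address(ipv4)), 32)
    payload = prefix_bits + v4_bits
    if plen <= 64:
        # Insert the zero "u" octet; the IPv4 bits continue after it.
        payload = payload[:64] + "0" * 8 + payload[64:]
    payload = payload.ljust(128, "0")  # remaining suffix bits are zero
    return str(ipaddress.IPv6Address(int(payload, 2)))


def extract_ipv4(pref64: str, ipv6: str) -> Optional[str]:
    """Inverse mapping, as applied by the NAT64 translator.

    Returns None when `ipv6` lies outside Pref64::/n, i.e. the answer is a
    genuine AAAA rather than a synthesised one.  A validating client or a
    network analyst can use the same test to tell the two apart: a
    synthesised AAAA can never carry an RRSIG from the zone owner.
    """
    net = ipaddress.IPv6Network(pref64, strict=True)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    plen = net.prefixlen
    bits = _bits(int(addr), 128)
    if plen <= 64:
        bits = bits[:64] + bits[72:]  # drop the "u" octet again
    return str(ipaddress.IPv4Address(int(bits[plen:plen + 32], 2)))


if __name__ == "__main__":
    # Constructed examples: well-known prefix and documentation prefixes.
    for pref in ("64:ff9b::/96", "2001:db8:122:344::/64", "2001:db8:100::/40"):
        aaaa = synthesize_aaaa(pref, "192.0.2.33")
        print(f"{pref:24} A 192.0.2.33 -> AAAA {aaaa} -> {extract_ipv4(pref, aaaa)}")
    print("genuine AAAA 2001:db8::1 in 64:ff9b::/96?", extract_ipv4("64:ff9b::/96", "2001:db8::1"))
```

In stub-resolver mode the client would first run its own DNSSEC validation on the A RRset and only then call `synthesize_aaaa`; in cache-server mode the synthesised AAAA is handed to the client unsigned, which is the "lying" Francis objects to. Because the mapping is a pure function of Pref64::/n, a validating client that knows the prefix can also recognise any AAAA answer falling inside it as synthesised rather than authoritative.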