IETF Logo Mail Archive

Re: [BEHAVE] Last call: draft-ietf-behave-nat64-discovery-heuristic-09

Mark Andrews <marka@isc.org> Thu, 21 June 2012 02:28 UTC

Return-Path: <marka@isc.org>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC2E111E808D for <behave@ietfa.amsl.com>; Wed, 20 Jun 2012 19:28:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.374
X-Spam-Level:
X-Spam-Status: No, score=-2.374 tagged_above=-999 required=5 tests=[AWL=0.225, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9MKqDkz8sRnV for <behave@ietfa.amsl.com>; Wed, 20 Jun 2012 19:28:10 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by ietfa.amsl.com (Postfix) with ESMTP id 2FFA511E8079 for <behave@ietf.org>; Wed, 20 Jun 2012 19:28:10 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mail.isc.org", Issuer "RapidSSL CA" (not verified)) by mx.pao1.isc.org (Postfix) with ESMTPS id 8BE70C9505; Thu, 21 Jun 2012 02:27:58 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:470:1f00:820:c9d9:2292:9e76:c82d]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id E306A216C33; Thu, 21 Jun 2012 02:27:43 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id A5FA021C825E; Thu, 21 Jun 2012 12:27:36 +1000 (EST)
To: Dave Thaler <dthaler@microsoft.com>, "behave@ietf.org" <behave@ietf.org>
From: Mark Andrews <marka@isc.org>
References: <9B57C850BB53634CACEC56EF4853FF653B62BDA4@TK5EX14MBXW601.wingroup.windeploy.ntdev.microsoft.com> <9B57C850BB53634CACEC56EF4853FF653B66483D@TK5EX14MBXW604.wingroup.windeploy.ntdev.microsoft.com> <4FE250F5.5010505@acm.org>
In-reply-to: Your message of "Wed, 20 Jun 2012 15:38:45 MST." <4FE250F5.5010505@acm.org>
Date: Thu, 21 Jun 2012 12:27:36 +1000
Message-Id: <20120621022736.A5FA021C825E@drugs.dv.isc.org>
Subject: Re: [BEHAVE] Last call: draft-ietf-behave-nat64-discovery-heuristic-09
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jun 2012 02:28:11 -0000

Firstly this draft will not work with a non DNS64 aware intermediate
name servers as it will not understand the CD signaling.  This goup
needs to accept that intermediate name servers will need to be DNS64
aware and go back and redo RFC 6147 accepting that.

DNSSEC made the same mistake of trying to make a change work through
non DNSSEC aware servers.  We gave up trying to do that and accepted
that intermediate servers needed to be DNSSEC aware.

This working group has continually failed to understand how DNSSEC
works.  It wanted DNS64 to work with existing DNSSEC aware infrustucture
which was specifically designed to defeat what DNS64 does.

Instead of saying "We need to make intermediate resolvers DNS64
aware" and accept that DNS64 won't work until those servers are
upgraded the same way as dnsext said "We need to make intermediate
resolvers DNSSEC aware" it tried to do the impossible.

Sending a synthesised response to a DO=1 query is *insane* if the
NO DATA response is signed but that is what RFC 6147 says to do.

A sane thing to do would have been to add a EDNS extension which
returned the synthesised addresses along with the NO DATA response
to DNS64 aware clients (signalled by the presence of the option in
the query).

For non DNS64 aware clients you synthesis unless the synthesis can
be detected (DO=1 + a signed NODATA response) in which case you
send the signed NO DATA response.

The intermediate DNS64 aware recursive server would cache both the
NO DATA response and the synthesised addresses from the returned
option data.  For non DNS64 aware clients the synthesised responses
would be returned to clients that can't detect the synthesis and
NO DATA would be returned to those that can.  For DNS64 aware client
the full response would be sent.

The EDNS option could also be used to discover prefix information
if in addition to the addresses to also sent prefix length data.

Query:
	<code><opt-length=0>
Response:
	<code><opt-length=0>
or
	<code><opt-length><ttl>[<prefixlen><synthesised-address>]+

If the client has a trust relationship with its recursive server
to can trust the answer returned and use that to set AD as
appropriate to down stream clients.

EDNS support is manditory for IPv6 nodes.  There is no reason to
avoid using it.

Go back and fix RFC 6147 to work properly with DNSSEC.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email