Re: [BEHAVE] Last call: draft-ietf-behave-nat64-discovery-heuristic-09
Mark Andrews <marka@isc.org> Thu, 21 June 2012 02:28 UTC
Return-Path: <marka@isc.org>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC2E111E808D for <behave@ietfa.amsl.com>; Wed, 20 Jun 2012 19:28:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.374
X-Spam-Level:
X-Spam-Status: No, score=-2.374 tagged_above=-999 required=5 tests=[AWL=0.225, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9MKqDkz8sRnV for <behave@ietfa.amsl.com>; Wed, 20 Jun 2012 19:28:10 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by ietfa.amsl.com (Postfix) with ESMTP id 2FFA511E8079 for <behave@ietf.org>; Wed, 20 Jun 2012 19:28:10 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mail.isc.org", Issuer "RapidSSL CA" (not verified)) by mx.pao1.isc.org (Postfix) with ESMTPS id 8BE70C9505; Thu, 21 Jun 2012 02:27:58 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:470:1f00:820:c9d9:2292:9e76:c82d]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id E306A216C33; Thu, 21 Jun 2012 02:27:43 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id A5FA021C825E; Thu, 21 Jun 2012 12:27:36 +1000 (EST)
To: Dave Thaler <dthaler@microsoft.com>, "behave@ietf.org" <behave@ietf.org>
From: Mark Andrews <marka@isc.org>
References: <9B57C850BB53634CACEC56EF4853FF653B62BDA4@TK5EX14MBXW601.wingroup.windeploy.ntdev.microsoft.com> <9B57C850BB53634CACEC56EF4853FF653B66483D@TK5EX14MBXW604.wingroup.windeploy.ntdev.microsoft.com> <4FE250F5.5010505@acm.org>
In-reply-to: Your message of "Wed, 20 Jun 2012 15:38:45 MST." <4FE250F5.5010505@acm.org>
Date: Thu, 21 Jun 2012 12:27:36 +1000
Message-Id: <20120621022736.A5FA021C825E@drugs.dv.isc.org>
Subject: Re: [BEHAVE] Last call: draft-ietf-behave-nat64-discovery-heuristic-09
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jun 2012 02:28:11 -0000
Firstly this draft will not work with a non DNS64 aware intermediate name servers as it will not understand the CD signaling. This goup needs to accept that intermediate name servers will need to be DNS64 aware and go back and redo RFC 6147 accepting that. DNSSEC made the same mistake of trying to make a change work through non DNSSEC aware servers. We gave up trying to do that and accepted that intermediate servers needed to be DNSSEC aware. This working group has continually failed to understand how DNSSEC works. It wanted DNS64 to work with existing DNSSEC aware infrustucture which was specifically designed to defeat what DNS64 does. Instead of saying "We need to make intermediate resolvers DNS64 aware" and accept that DNS64 won't work until those servers are upgraded the same way as dnsext said "We need to make intermediate resolvers DNSSEC aware" it tried to do the impossible. Sending a synthesised response to a DO=1 query is *insane* if the NO DATA response is signed but that is what RFC 6147 says to do. A sane thing to do would have been to add a EDNS extension which returned the synthesised addresses along with the NO DATA response to DNS64 aware clients (signalled by the presence of the option in the query). For non DNS64 aware clients you synthesis unless the synthesis can be detected (DO=1 + a signed NODATA response) in which case you send the signed NO DATA response. The intermediate DNS64 aware recursive server would cache both the NO DATA response and the synthesised addresses from the returned option data. For non DNS64 aware clients the synthesised responses would be returned to clients that can't detect the synthesis and NO DATA would be returned to those that can. For DNS64 aware client the full response would be sent. The EDNS option could also be used to discover prefix information if in addition to the addresses to also sent prefix length data. Query: <code><opt-length=0> Response: <code><opt-length=0> or <code><opt-length><ttl>[<prefixlen><synthesised-address>]+ If the client has a trust relationship with its recursive server to can trust the answer returned and use that to set AD as appropriate to down stream clients. EDNS support is manditory for IPv6 nodes. There is no reason to avoid using it. Go back and fix RFC 6147 to work properly with DNSSEC. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [BEHAVE] Last call: draft-ietf-behave-nat64-disco… Dave Thaler
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Aaron Yi DING
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Andrew Sullivan
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… teemu.savolainen
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… teemu.savolainen
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Andrew Sullivan
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Aaron Yi DING
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… teemu.savolainen
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Andrew Sullivan
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Dave Thaler
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Dave Thaler
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… teemu.savolainen
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… teemu.savolainen
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Andrew Sullivan
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Marc Petit-Huguenin
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Dave Thaler
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Simon Perreault
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Andrew Sullivan
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Simon Perreault
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… teemu.savolainen
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… teemu.savolainen
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… teemu.savolainen
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Simon Perreault
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Simon Perreault
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Dan Wing
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Marc Petit-Huguenin
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Mark Andrews
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Mark Andrews
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… teemu.savolainen
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… teemu.savolainen
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… teemu.savolainen
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Simon Perreault
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… teemu.savolainen
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Simon Perreault
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Simon Perreault
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Aaron Yi DING
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… teemu.savolainen
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Mark Andrews
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Aaron Yi DING
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Dmitry Anipko
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… teemu.savolainen
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Dmitry Anipko
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… teemu.savolainen
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Marc Petit-Huguenin
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… teemu.savolainen
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… teemu.savolainen
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Marc Petit-Huguenin
- Re: [BEHAVE] Last call:draft-ietf-behave-nat64-di… Stephan Lagerholm
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… teemu.savolainen
- Re: [BEHAVE] Last call:draft-ietf-behave-nat64-di… teemu.savolainen
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Marc Petit-Huguenin
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Dave Thaler
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Marc Petit-Huguenin
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Dmitry Anipko
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Dan Wing
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… teemu.savolainen
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… teemu.savolainen
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… teemu.savolainen
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… teemu.savolainen
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Marc Petit-Huguenin
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Dan Wing
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Dmitry Anipko
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… teemu.savolainen
- Re: [BEHAVE] Last call: draft-ietf-behave-nat64-d… Dmitry Anipko