Re: [BEHAVE] Fwd: AD sponsoring draft-cheshire-sudn-ipv4only-dot-arpa

Christian Huitema <huitema@huitema.net> Mon, 16 July 2018 20:15 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AF7A131192 for <behave@ietfa.amsl.com>; Mon, 16 Jul 2018 13:15:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lSuXys3yeO9a for <behave@ietfa.amsl.com>; Mon, 16 Jul 2018 13:15:28 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEA3D130EE7 for <behave@ietf.org>; Mon, 16 Jul 2018 13:15:27 -0700 (PDT)
Received: from xsmtp06.mail2web.com ([168.144.250.232]) by mx65.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1ff9tt-0002hX-Bq for behave@ietf.org; Mon, 16 Jul 2018 22:15:26 +0200
Received: from [10.5.2.52] (helo=xmail12.myhosting.com) by xsmtp06.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1ff9tl-0000am-HG for behave@ietf.org; Mon, 16 Jul 2018 16:15:13 -0400
Received: (qmail 14479 invoked from network); 16 Jul 2018 20:15:05 -0000
Received: from unknown (HELO [192.168.100.102]) (Authenticated-user:_huitema@huitema.net@[80.13.34.254]) (envelope-sender <huitema@huitema.net>) by xmail12.myhosting.com (qmail-ldap-1.03) with ESMTPA for <behave@ietf.org>; 16 Jul 2018 20:15:05 -0000
To: Warren Kumari <warren@kumari.net>, behave@ietf.org
References: <CAHw9_iK605yw--xE0NutaF=r+MfmmT2cBj9eNnSOh4Swkx=_QQ@mail.gmail.com> <CAHw9_i+UPqExtwJPFSbWsxn41v52kUavq=VOxJ=R6TGCbHm8Gg@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
Openpgp: preference=signencrypt
Autocrypt: addr=huitema@huitema.net; prefer-encrypt=mutual; keydata= xsBNBFIRX8gBCAC26usy/Ya38IqaLBSu33vKD6hP5Yw390XsWLaAZTeQR64OJEkoOdXpvcOS HWfMIlD5s5+oHfLe8jjmErFAXYJ8yytPj1fD2OdSKAe1TccUBiOXT8wdVxSr5d0alExVv/LO I/vA2aU1TwOkVHKSapD7j8/HZBrqIWRrXUSj2f5n9tY2nJzG9KRzSG0giaJWBfUFiGb4lvsy IaCaIU0YpfkDDk6PtK5YYzuCeF0B+O7N9LhDu/foUUc4MNq4K3EKDPb2FL1Hrv0XHpkXeMRZ olpH8SUFUJbmi+zYRuUgcXgMZRmZFL1tu6z9h6gY4/KPyF9aYot6zG28Qk/BFQRtj7V1ABEB AAHNJ0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PsLAeQQTAQIAIwUC UhFfyAIbLwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEJNDCbJVyA1yhbYH/1ud6x6m VqGIp0JcZUfSQO8w+TjugqxCyGNn+w/6Qb5O/xENxNQ4HaMQ5uSRK9n8WKKDDRSzwZ4syKKf wbkfj05vgFxrjCynVbm1zs2X2aGXh+PxPL/WHUaxzEP7KjYbLtCUZDRzOOrm+0LMktngT/k3 6+EZoLEM52hwwpIAzJoscyEz7QfqMOZtFm6xQnlvDQeIrHx0KUvwo/vgDLK3SuruG1CSHcR0 D24kEEUa044AIUKBS3b0b8AR7f6mP2NcnLpdsibtpabi9BzqAidcY/EjTaoea46HXALk/eJd 6OLkLE6UQe1PPzQC4jB7rErX2BxnSkHDw50xMgLRcl5/b1bOwE0EUhFfyAEIAKp7Cp8lqKTV CC9QiAf6QTIjW+lie5J44Ad++0k8gRgANZVWubQuCQ71gxDWLtxYfFkEXjG4TXV/MUtnOliG 5rc2E+ih6Dg61Y5PQakm9OwPIsOx+2R+iSW325ngln2UQrVPgloO83QiUoi7mBJPbcHlxkhZ bd3+EjFxSLIQogt29sTcg2oSh4oljUpz5niTt69IOfZx21kf29NfDE+Iw56gfrxI2ywZbu5o G+d0ZSp0lsovygpk4jK04fDTq0vxjEU5HjPcsXC4CSZdq5E2DrF4nOh1UHkHzeaXdYR2Bn1Y wTePfaHBFlvQzI+Li/Q6AD/uxbTM0vIcsUxrv3MNHCUAEQEAAcLBfgQYAQIACQUCUhFfyAIb LgEpCRCTQwmyVcgNcsBdIAQZAQIABgUCUhFfyAAKCRC22tOSFDh1UOlBB/94RsCJepNvmi/c YiNmMnm0mKb6vjv43OsHkqrrCqJSfo95KHyl5Up4JEp8tiJMyYT2mp4IsirZHxz/5lqkw9Az tcGAF3GlFsj++xTyD07DXlNeddwTKlqPRi/b8sppjtWur6Pm+wnAHp0mQ7GidhxHccFCl65w uT7S/ocb1MjrTgnAMiz+x87d48n1UJ7yIdI41Wpg2XFZiA9xPBiDuuoPwFj14/nK0elV5Dvq 4/HVgfurb4+fd74PV/CC/dmd7hg0ZRlgnB5rFUcFO7ywb7/TvICIIaLWcI42OJDSZjZ/MAzz BeXm263lHh+kFxkh2LxEHnQGHCHGpTYyi4Z3dv03HtkH/1SI8joQMQq00Bv+RdEbJXfEExrT u4gtdZAihwvy97OPA2nCdTAHm/phkzryMeOaOztI4PS8u2Ce5lUB6P/HcGtK/038KdX5MYST Fn8KUDt4o29bkv0CUXwDzS3oTzPNtGdryBkRMc9b+yn9+AdwFEH4auhiTQXPMnl0+G3nhKr7 jvzVFJCRif3OAhEm4vmBNDE3uuaXFQnbK56GJrnqVN+KX5Z3M7X3fA8UcVCGOEHXRP/aubiw Ngawj0V9x+43kUapFp+nF69R53UI65YtJ95ec4PTO/Edvap8h1UbdEOc4+TiYwY1TBuIKltY 1cnrjgAWUh/Ucvr++/KbD9tD6C8=
Message-ID: <76d00a46-72b1-c270-9984-c2a5357348a7@huitema.net>
Date: Mon, 16 Jul 2018 22:15:05 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <CAHw9_i+UPqExtwJPFSbWsxn41v52kUavq=VOxJ=R6TGCbHm8Gg@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
X-Originating-IP: 168.144.250.232
X-AntiSpamCloud-Domain: xsmtpout.mail2web.com
X-AntiSpamCloud-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-AntiSpamCloud-Outgoing-Class: unsure
X-AntiSpamCloud-Outgoing-Evidence: Combined (0.16)
X-Recommended-Action: accept
X-Filter-ID: EX5BVjFpneJeBchSMxfU5rR7reLNO1zJqcI9I5X00tJ602E9L7XzfQH6nu9C/Fh9KJzpNe6xgvOx q3u0UDjvO0VmU7heoGtPbmnM2lug8e3TV/3OdXD2Xdo8CfrY5CQSKAQWFZJf9TLRjccBANEotYyz NJVaeAWax4WOe4pTBX2DwIE7VKe+bqpcdCns72R1Sd2ZrHrUfFcPN5PXBq6ur6Xe0Of4jddu9xC8 8+iQ5nb6BRFVjXUbiREH8mlR1JtP/UPTAAMnNuB6/0WWjH77oh6ijzwzq5HGxV3pRhOdYuobeA2G NaAif0QyGEAJd8kel+zffa+S3paXsykGResyE7dAzbZabvf4+eAvvSn0D5YzxzA4C4+ILjmdkQoL 6F7cCSavQBrPoagEXfZ210Cx8bwqyT5p50x81ZKcmzCu2U1l0pLLr6Q2GfeLeJGF+80D4WY7xWSn pVjQVprFFOt2hDWKtLT9WR57oxUvRixjadcobnduoQv5Sp6y3SmK1n5SMPepZn00xVXQbuUt1pns FwEiRQv+PVjjwa+Z5RFCOMTwcD+deSsUec2uUy1l2Ykm/SkjHuYQDxaU4XDpGsg0T9tCZ9RmVnHJ UdzwofXZM+bUdLWq1MCLe4uzYlSTS/YzOILorw8hkXvCsQxELmff7J1gP4HWZlfj1ueWMBAfk0cY VXicmMOpI2clI133E9HJAWCpsuwwFLcJK7RNhb8o8+4jeF7MIDAd/+68q5OewVOs9/WClZ8hMz61 hUh2QVHbskSXyRGWD2l446GdcdNgAoQKSK3P4ypiY56j+sEW5bQ+tU38SL4vC8Dk71a0SIWgTAz/ vUCXk3dj4MGE7pxybpLXQPUO8H9CpGtFZ7WIonLNTt/aVJj3FpzwJHlTKBf4P5hMT+A79/UQxSgW IabEpmvDK3PKrieG7T6bf9hS7hSjMM96sV7dcXymT/Bh/IEEdD/a7oKc1xB6o1ApfCO9+GHf4ys4 4rg2B8/9FmK9a1M2fwlGUBjVgiQQJUTeFgMs
X-Report-Abuse-To: spam@quarantine6.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/SLHnMZpll_OW0Z7HYw0IzEDrir4>
Subject: Re: [BEHAVE] Fwd: AD sponsoring draft-cheshire-sudn-ipv4only-dot-arpa
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Jul 2018 20:15:31 -0000

I have never been a great fan of the DNS64 hacks. The DNS64
specification, and RFC7050, are making a set of assumptions about the
DNS infrastructure, the way stub resolvers are configured, and the
possibility for intermediate resolvers to spoof AAAA records on the fly.

One of these assumptions was already on shaky ground when the spec was
written. It is only OK to spoof DNS records if the clients do not insist
on DNSSEC. I don't have good numbers on clients, by I see measurements
showing that over 90% of clients are served by recursive DNS resolvers
that request DNSSEC validation (setting the DNSSEC OK option flage to
1), and over 50% of clients are served by recursive DNS resolvers that
perform DNSSEC validation.

Another assumption is that clients use DNS resolvers that are under the
control of the network provider. Again, current measurement show that
more than 25% of clients are server by third party DNS resolvers. That
number is actually growing steadily. New DNS transports like DNS over
TLS or DNS over HTTPS ensure that the exchanges between clients and
third party resolvers will be pretty much immune to hacking by on-path
middleboxes.

Yet another assumption is that clients expect DNS responses to vary
depending on the interface over which the DNS queries are sent. Again,
this is incompatible with the current trend of using third party
resolvers. That assumption might have worked when applications were only
using DNS resolvers provided by the operating system. But then, we see a
solid trend of moving transport services out of the kernel and into
application libraries. QUIC is an example of that.

These numbers and these trends tell me that technologies like DNS64 will
be very hard to deploy, and also very unreliable when deployed. These
technologies make a number of unwarranted assumptions about the nature
of the DNS service. I don't think that attempting yet another patch like
ipv4only.arpa will help all that much. In fact, I would much prefer to
let 7050 die a deserved death, and maybe hasten that death by
deprecating its status.

-- Christian Huitema



On 7/15/2018 7:20 PM, Warren Kumari wrote:
> Dear BEHAVE,
>
> I sent this to DNSOP a while back, but didn't think to send it to
> behave as well - sorry.
>
> Please see below, and if you have comments, please comment in the
> DNSOP list (so that we don't have overlapping discussions)...
>
>
> Thank you!
> W
>
>
> ---------- Forwarded message ---------
> From: Warren Kumari <warren@kumari.net>;
> Date: Wed, Jul 4, 2018 at 4:26 PM
> Subject: AD sponsoring draft-cheshire-sudn-ipv4only-dot-arpa
> To: dnsop <dnsop@ietf.org>;
>
>
> Dear DNSOP,
>
> Stuart Cheshire & David Schinazi have asked me to AD sponsor the
> draft-cheshire-sudn-ipv4only-dot-arpa document
> [0]
> ..
>
> >From the document:
> "The specification for how a client discovers its network's NAT64
> prefix [RFC7050] defines the special name 'ipv4only.arpa' for this
> purpose, but declares it to be a non-special name in that
> specification Domain Name Reservation Considerations section.
> Consequently, despite the well articulated special purpose of the
> name, 'ipv4only.arpa' was not recorded in the Special-Use Domain Names
> registry as a name with special properties.
> This document formally declares the actual special properties of the
> name, and adds similar declarations for the corresponding reverse
> mapping names."
>
> RFC7050 ("Discovery of the IPv6 Prefix Used for IPv6 Address
> Synthesis") is worth reading before reading this. If you are mainly a
> DNS person,
> this may be...surprising.
>
>
> When reading draft-cheshire-sudn-ipv4only-dot-arpa there are a few things
> worth
>  keeping in mind:
>
> 1: This is a fairly specialized function - it is used by NAT64 clients
> to discover the prefix used for synthesis ("normal" people /
> applications never need to resolve this). The main people who will
> deal with this are mobile / stack vendors, and NAT64 providers.
> 2: RFC7050 has a large amount of text around DNSSEC, what to do with
> DNSSEC, etc. Note that this DNSSEC is for the FQDN of the *NAT64
> device*, not the ipv4only.arpa name.
> 3: Devices use this mechanism to discover the IPv6 prefix used for
> IPv6 address synthesis - different interfaces (e.g cellular and wifi)
> will have different prefixes. This means that clients
> must
> do this query using the resolver learned on / appropriate for that
> interface. This is the main bit which is weird for a DNS person - the
> response from the resolver for your cellular interface connected to
> T-Mobile contains T-Mobile's NAT64 prefix; the response from the
> resolver learnt over your wifi connection to the IETF network contains
> the NAT64 prefix you use on the IETF network. DNS isn't really being
> used here for resolving names, rather DNS is being used a signalling
> mechanism (a rude t-shirt springs to mind here).
>
> What this draft does is:
> 1: record this in
> the SUDN registry; RFC7050 answered the RFC6761 questions, but didn't
> actually ask the IANA to update the registry.
> 2: requests that the IANA make ipv4only.arpa be an insecure delegation
> (see #2 above) -
> this removes some special handling and complexity.
>
> 3: specifies that you have to use the resolvers learn on an interface
> for these queries. The whole purpose of these queries is to learn the
> *local* NAT64 prefix - asking a public recursive isn't going to help
> you here.
> 4: This is under .arpa (and is already in wide use) - it doesn't have
> the sticky policy problems that many SUD names have.
>
> I've
> agreed
>  to AD sponsor this, but would really appreciate your review and
> input. RFC7050 is deployed - this improves / clarifies things.
>
> 1: The authors have previously presented this document at DNSOP
> meetings - there was some discussion, but no real interest in adopting
> or shouts of outrage about it.
> 2: I've asked the DNSOP chairs if I can use the DNSOP list for
> discussion of this
> (and they agreed)
> 3: This was originally a product of the (now closed) BEHAVE WG - I've
> spoken with Spencer (the BEHAVE AD) who has no objections.
> 4: I've asked the IESG and there were no objections either.
> 5: As this touches .arpa I'm also asking the IAB for input.
> 6: Dave Thaler (who was the document shepherd for RFC7050) has kindly
> agreed to be shepherd for this document too.
>
> W
>
> [0]: note that they asked this before the current "ipv4only.arpa's
> delegation should be insecure." thread -
> https://mailarchive.ietf.org/arch/msg/dnsop/zbcQhok-dCE8kh6C6KofBL1tAXY
>
> --
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
>    ---maf
>
>
> --
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
>    ---maf
>
> _______________________________________________
> Behave mailing list
> Behave@ietf.org
> https://www.ietf.org/mailman/listinfo/behave