Re: [BEHAVE] [Francis.Dupont@fdupont.fr: [dnsext] DNS64 and lying cache servers]
"Charles E. Perkins" <charliep@wichorus.com> Sun, 02 August 2009 22:46 UTC
Return-Path: <charliep@wichorus.com>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 15B6C3A6C4F for <behave@core3.amsl.com>; Sun, 2 Aug 2009 15:46:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uARgnav+QU1c for <behave@core3.amsl.com>; Sun, 2 Aug 2009 15:46:00 -0700 (PDT)
Received: from elasmtp-mealy.atl.sa.earthlink.net (elasmtp-mealy.atl.sa.earthlink.net [209.86.89.69]) by core3.amsl.com (Postfix) with ESMTP id EF8183A6B2C for <behave@ietf.org>; Sun, 2 Aug 2009 15:45:59 -0700 (PDT)
Received: from [99.51.74.16] (helo=[192.168.1.105]) by elasmtp-mealy.atl.sa.earthlink.net with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.67) (envelope-from <charliep@wichorus.com>) id 1MXjoX-0008Ej-Q8; Sun, 02 Aug 2009 18:46:02 -0400
Message-ID: <4A761728.6010509@wichorus.com>
Date: Sun, 02 Aug 2009 15:46:00 -0700
From: "Charles E. Perkins" <charliep@wichorus.com>
Organization: WiChorus Inc.
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)
MIME-Version: 1.0
To: Andrew Sullivan <ajs@shinkuro.com>
References: <20090731074443.GA14355@shinkuro.com> <4A7611F0.9030201@gmail.com>
In-Reply-To: <4A7611F0.9030201@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-ELNK-Trace: 137d7d78656ed6919973fd6a8f21c4f2d780f4a490ca6956abb457f1b4332f525cc9cb0489b28e90012450fb0fd02bb7350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 99.51.74.16
Cc: behave@ietf.org
Subject: Re: [BEHAVE] [Francis.Dupont@fdupont.fr: [dnsext] DNS64 and lying cache servers]
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Aug 2009 22:46:01 -0000
Hello folks, There is a reference below to a disaster that can occur when DNS64 encounters mobility. Is there something more I can read about this? Thanks in advance for any pointers to reading material. Regards, Charlie P. Brian E Carpenter wrote: > It's an interesting point but it misses the point IMHO: > we *have* to lie to classical IPv6-only hosts. > > I've always preferred the stub resolver approach, right back > to draft-van-beijnum-v6ops-mnat-pt-00.txt, but that preference is > useless if the real world contains classical IPv6 hosts. > > Brian > > > On 2009-07-31 19:44, Andrew Sullivan wrote: > >> Dear colleagues, >> >> Some of the participants in dnsext are reluctant to join another >> mailing list the subject of which is mostly not of interest to them. >> I have offered to accept comments from those participants and forward >> them to behave when appropriate and if asked. Attached is one such >> example. >> >> A >> >> >> >> ------------------------------------------------------------------------ >> >> Subject: >> [dnsext] DNS64 and lying cache servers >> From: >> Francis Dupont <Francis.Dupont@fdupont.fr> >> Date: >> Wed, 29 Jul 2009 14:28:26 +0200 >> To: >> namedroppers@ops.ietf.org >> >> To: >> namedroppers@ops.ietf.org >> >> >> [Please forward this to the behave mailing-list] >> >> [I use the term "cache server" as a synonym of "recursive DNS server"] >> >> DNS64 (draft-ietf-behave-dns64-00.txt) is usually presented with >> a cache server serving a lot of NAT64 IPv6-only clients and performing >> AAAA RR synthesis from A RRs to make external IPv4-only servers >> reachable through a NAT64 translator. >> >> So this is essentially a lying cache server: this is *bad* for the >> usual reason (it breaks DNSSEC). Worse, its lie is very location >> dependent, so it has very bad interaction when the DNS is assumed >> to be location independent, for instance with Mobility. >> >> But as explained in the draft at the end of the section 2 Overview >> this is not the only way to deploy DNS64: in the "DNS64 in stub- >> resolver mode" the synthesis is done as close as possible to the >> client so there is no longer lying issues. >> >> Note this doesn't extend to some other lying DNS proposals from >> NAT based IPv6/IPv4 transition mechanisms because DNS64 uses a >> small set of static parameters (mainly the Pref64::/n) which is >> the only state of the synthesis process. >> >> So I recommend the DNSEXT WG to advise to put more work into >> the sub-resolver mode (producing DNS64 capable stub-resolvers, >> which should be very easy, and solving the DNS64 parameter >> distribution issue) than into the DNS server mode which should be >> recognized as an example of a false good idea. >> >> Regards >> >> Francis.Dupont@fdupont.fr >> >> PS: Acknowledgments to Mark Andrews who introduced the strong but >> correct "lying" term, and to Wassim Haddad who remarked DNS64 and >> Mobility together can easily lead to disasters. >> >> -- >> to unsubscribe send a message to namedroppers-request@ops.ietf.org with >> the word 'unsubscribe' in a single line as the message text body. >> archive: <http://ops.ietf.org/lists/namedroppers/> >> >> >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> Behave mailing list >> Behave@ietf.org >> https://www.ietf.org/mailman/listinfo/behave >> > _______________________________________________ > Behave mailing list > Behave@ietf.org > https://www.ietf.org/mailman/listinfo/behave >
- [BEHAVE] [Francis.Dupont@fdupont.fr: [dnsext] DNS… Andrew Sullivan
- Re: [BEHAVE] [Francis.Dupont@fdupont.fr: [dnsext]… Brian E Carpenter
- Re: [BEHAVE] [Francis.Dupont@fdupont.fr: [dnsext]… Charles E. Perkins
- Re: [BEHAVE] [Francis.Dupont@fdupont.fr: [dnsext]… teemu.savolainen