Re: [BEHAVE] DNSsec in IPv6-only-hosts & discarding mapped AAAAs in DNS64
Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 06 May 2009 21:33 UTC
Message-ID: <4A020269.40200@gmail.com>
Date: Thu, 07 May 2009 09:34:33 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
To: Xu Xiaohu <xuxh@huawei.com>
References: <001401c9ce30$9105ac70$5e0c6f0a@china.huawei.com>
In-Reply-To: <001401c9ce30$9105ac70$5e0c6f0a@china.huawei.com>
Cc: 'Behave WG' <behave@ietf.org>, 'Keith Moore' <moore@network-heretics.com>, 'Fred Baker' <fred@cisco.com>, 'Dan Wing' <dwing@cisco.com>
Subject: Re: [BEHAVE] DNSsec in IPv6-only-hosts & discarding mapped AAAAs in DNS64
On 2009-05-06 21:53, Xu Xiaohu wrote:
> Sorry, there was a mistake in the previous email, please see the corrected
> text.
>
> Except for the DNSSEC and P2P scenarios, the coexistence of IPv6-only hosts
> and dual-stack hosts within an IPv6 network is also a scenario in which it's
> better to allow the hosts, especially those DUAL-STACK hosts, to learn the
> prefix64 and synthesize the IPv6 addresses for destination IPv4 hosts on
> demand, rather than depending on the DNS64 to synthesize AAAA records from
> A records no matter whether the client is IPv6-only or dual-stack. Make sense?

Yes, but you're assuming that the IP stacks in the hosts can be modified
from basic (RFC2460) behaviour. We certainly need to deal with hosts that
only contain a standard resolver, so a DNS64 remains essential for that
case. We discussed this in draft-van-beijnum-v6ops-mnat-pt last year, and
I don't think the situation has changed much.

Brian

>
> Xiaohu
>
>
>> -----Original Message-----
>> From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org]
>> On Behalf Of Xu Xiaohu
>> Sent: May 6, 2009 17:43
>> To: 'Rémi Després'; 'Fred Baker'; 'Marcello Bagnulo Braun';
>> 'Iljitsch van Beijnum'; 'Dan Wing'; 'Keith Moore'; 'Behave WG'
>> Subject: Re: [BEHAVE] DNSsec in IPv6-only-hosts & discarding
>> mapped AAAAs in DNS64
>>
>>
>>
>>> O3: If a dual stack host (with both IPv6 and IPv4 enabled so that it
>>> really acts as dual stack) receives, for an IPv4-only server, both an
>>> A and a mapped-address AAAA, it should communicate in IPv4 as an
>>> effect of existing preferences (for IPv6 addresses over IPv4 addresses
>>> if both are available, and for the IPv4 stack over the IPv6 stack if
>>> the destination address is an IPv4 mapped address - according to
>>> RFCs 3484 and RFC 2553 respectively).
>>
>> Except for the DNSSEC and P2P scenarios, the coexistence of
>> IPv6-only hosts and dual-stack hosts within an IPv6 network is
>> also a scenario in which it's better to allow the hosts,
>> especially those IPv6-only hosts, to learn the
>> prefix64 and synthesize the IPv6 addresses for destination
>> IPv4 hosts on demand, rather than depending on the DNS64 to
>> synthesize AAAA records from A records no matter whether the client
>> is IPv6-only or dual-stack. Make sense?
>>
>> Xiaohu
>>
>>> Rules proposed to reach the objective are as follows:
>>>
>>> (1) IN THE SHORT TERM:
>>>
>>> R1: DNS64s MUST silently discard mapped-address AAAAs they receive.
>>>
>>> R2: At the first (non urgent) opportunity, dual stack OSes that don't
>>> act as follows, MUST be updated to do it:
>>> (a) If IPv4 is enabled, datagrams presented at the socket interface
>>> with an IPv4 mapped-address as destination MUST be sent in IPv4 (RFC
>>> 2553 sec 3.7)
>>> (b) If IPv4 is not enabled, these datagrams MUST be sent in IPv6.
>>> (Relinquishment of an old but unjustified taboo which seems to have
>>> prevented some OSes from acting this way.)
>>>
>>>
>>> (2) WHEN DUAL STACKS CAN REASONABLY BE EXPECTED TO COMPLY WITH R2 (no
>>> urgency)
>>>
>>> R3: IPv4-only hosts MAY start advertising mapped-address AAAAs in
>>> their DNS servers (in addition to As).
>>>
>>> R4: Independently, DNS64s MAY start to forward mapped-address AAAAs
>>> (either all of them for simplicity or, if more selectively, ensuring
>>> that all those that are DNSsec signed are indeed forwarded).
>>>
>>>
>>>
>>> In my understanding, these (simple) rules are sufficient to
>>> eventually reconcile NAT64s with DNSsec in IPv6-only hosts.
>>> And they are so far the only ones I know for this.
>>>
>>> If the analysis is right, advice on how to proceed would be
>>> welcome. (A possibility would be to add appropriate sentences
>>> in draft-baker-behave-v4v6-framework and
>>> draft-bagnulo-behave-dns64.)
>>> If the analysis is wrong, it's IMHO worth understanding where.
>>>
>>>
>>> Regards,
>>>
>>> RD
>>>
>>> PS: apologies to addressees for the retransmission. I had
>>> forgotten the copy to the mailing list.
>>>
>>>
>>>
>>> _______________________________________________
>>> Behave mailing list
>>> Behave@ietf.org
>>> https://www.ietf.org/mailman/listinfo/behave
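The thread contrasts two places where the AAAA can be synthesized (in the DNS64, or in a host that has learned the prefix64) and Rémi's rule R1 says a DNS64 must drop IPv4-mapped AAAAs. The following is an added illustration, not code from this thread or from the drafts it names: it models R1 plus the synthesis step in Python, with an assumed /96 prefix64 (the value 64:ff9b::/96 is only a stand-in; any /96 works the same way).

```python
import ipaddress

# Assumed prefix64 for this example; the thread leaves the actual prefix open.
PREF64 = ipaddress.IPv6Network("64:ff9b::/96")
# ::ffff:a.b.c.d, the IPv4-mapped range that R1 says a DNS64 must discard.
IPV4_MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")


def is_mapped_aaaa(addr: str) -> bool:
    """True if the AAAA carries an IPv4-mapped address (R1 discard case)."""
    return ipaddress.IPv6Address(addr) in IPV4_MAPPED


def synthesize(a_record: str, pref64: ipaddress.IPv6Network = PREF64) -> str:
    """Embed the 32-bit IPv4 address in the low bits of a /96 prefix64.

    The same operation serves either a DNS64 or a host that learned
    the prefix and synthesizes on demand, as Xu proposes.
    """
    if pref64.prefixlen != 96:
        raise ValueError("this example only handles a /96 prefix64")
    v4 = int(ipaddress.IPv4Address(a_record))
    return str(ipaddress.IPv6Address(int(pref64.network_address) | v4))


def dns64_answer(aaaa_records, a_records, pref64=PREF64):
    """DNS64 behaviour under R1: drop mapped AAAAs, keep genuine ones,
    and synthesize from A records only when no genuine AAAA remains."""
    genuine = [r for r in aaaa_records if not is_mapped_aaaa(r)]
    if genuine:
        return genuine
    return [synthesize(a, pref64) for a in a_records]


if __name__ == "__main__":
    # Constructed sample answers for an IPv4-only server (RFC 5737 test range).
    print(dns64_answer(["::ffff:192.0.2.1"], ["192.0.2.1"]))
    print(dns64_answer(["2001:db8::1", "::ffff:192.0.2.1"], ["192.0.2.1"]))
```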