Re: [BEHAVE] Happy Eyeballs and DNS64 not sending synthetic AAAA RRs

Andrew Sullivan <ajs@anvilwalrusden.com> Fri, 05 August 2011 13:53 UTC

Date: Fri, 05 Aug 2011 09:53:15 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: behave@ietf.org
Message-ID: <20110805135315.GG49271@shinkuro.com>
References: <916CE6CF87173740BC8A2CE443096962A6F825@008-AM1MPN1-037.mgdnok.nokia.com> <5667E655-22FD-483B-872C-73F9B8667EEC@viagenie.ca> <20110804190632.GJ38760@shinkuro.com> <018201cc52e4$901b9690$b052c3b0$@com> <DD056A31A84CFC4AB501BD56D1E14BBBA78E66@exchange.secure64.com> <025801cc5302$16353ed0$429fbc70$@com> <20110805131009.GD49271@shinkuro.com> <DD056A31A84CFC4AB501BD56D1E14BBBA78E75@exchange.secure64.com>
In-Reply-To: <DD056A31A84CFC4AB501BD56D1E14BBBA78E75@exchange.secure64.com>
Subject: Re: [BEHAVE] Happy Eyeballs and DNS64 not sending synthetic AAAA RRs

On Fri, Aug 05, 2011 at 07:30:12AM -0600, Stephan Lagerholm wrote:
> 
> Something like wing-behave-dns64-config is needed until all hosts support
> mif-dns-server-selection.

Well, yes, except as you point out it's still at best going to be
heuristic, because the technique in draft-wing-behave-dns64-config is
quite likely to end up hitting the dns64 anyway.

On a slightly different note, Dan, I wonder whether you want to
include discussion of a DNSSEC wrinkle.  Suppose someone uses the
techniques in draft-wing-behave-dns64-config.  If they want the
upstream resolver to do DNSSEC for them, then there will be yet
another problem.  When a resolver sets DO=1 and CD=0 and the upstream
resolver is validating, then a validation failure returns SERVFAIL.  A
host might reasonably query the next DNS server it has under those
circumstances (there's a nasty attack here, of course, if your host
has both validating and non-validating upstreams.  Don't Do That).  In
this case, the upstream validation failure will cause the client to
start asking the DNS64.  Of course, as long as the DNS64 is also
validating, it'll return SERVFAIL too, so it might not matter, but it
might be worth noting.

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com
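The fallback behaviour discussed in the message, as an added toy model (not code from the original post or from any draft): a stub resolver walks its server list, moves on after SERVFAIL, and may end up at a DNS64. Server names, the bogus-zone flag, the synthesised address and the "strict" policy that refuses to mix validating and non-validating upstreams are constructed assumptions for illustration.

```python
from dataclasses import dataclass

SERVFAIL = "SERVFAIL"
NOERROR = "NOERROR"


@dataclass
class Upstream:
    name: str
    validating: bool            # performs DNSSEC validation
    dns64: bool                 # synthesises AAAA from A (DNS64)
    answer_bogus: bool = False  # constructed: the zone fails validation here


def query(server, qname, do=1, cd=0):
    """Model one AAAA query. DO only asks for RRSIGs to be returned; whether the
    upstream validates depends on its own policy and on CD (checking disabled)."""
    if server.validating and not cd and server.answer_bogus:
        return SERVFAIL, None          # validation failure -> SERVFAIL, no data
    # Constructed records: DNS64 embeds 192.0.2.1 in the 64:ff9b::/96 prefix,
    # a plain resolver returns the zone's own AAAA.
    rr = "64:ff9b::c000:201" if server.dns64 else "2001:db8::1"
    return NOERROR, rr


def resolve(servers, qname, do=1, cd=0, strict=True):
    """Stub resolver: try servers in order, moving to the next one after SERVFAIL.
    strict=True refuses a server whose validation policy differs from the first
    one, so a SERVFAIL from the validating upstream cannot be 'fixed' by a
    non-validating fallback. Returns (rcode, record, trace)."""
    trace = []
    for s in servers:
        if strict and s.validating != servers[0].validating:
            trace.append((s.name, "skipped: mixed validation policy"))
            continue
        rcode, rr = query(s, qname, do, cd)
        trace.append((s.name, rcode))
        if rcode != SERVFAIL:
            return rcode, rr, trace
    return SERVFAIL, None, trace


# Constructed server list: a validating upstream, a validating DNS64 and a
# non-validating DNS64, all seeing the same bogus zone.
UPSTREAMS = [
    Upstream("validating-upstream", validating=True, dns64=False, answer_bogus=True),
    Upstream("dns64-validating", validating=True, dns64=True, answer_bogus=True),
    Upstream("dns64-open", validating=False, dns64=True, answer_bogus=True),
]

if __name__ == "__main__":
    print(resolve(UPSTREAMS, "example.com", strict=False))  # ends at dns64-open
    print(resolve(UPSTREAMS, "example.com", strict=True))   # stays SERVFAIL
```

With `strict=False` the bogus zone is answered by the non-validating DNS64 with a synthesised AAAA, which is the mixed-upstream problem the message warns about; with `strict=True` the failure stays a SERVFAIL.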