IETF Logo Mail Archive

Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues

Klaus Frank <klaus.frank@posteo.de> Thu, 10 February 2022 09:46 UTC

Return-Path: <klaus.frank@posteo.de>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EFE163A0A85 for <behave@ietfa.amsl.com>; Thu, 10 Feb 2022 01:46:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=posteo.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EhWLlHkmevsC for <behave@ietfa.amsl.com>; Thu, 10 Feb 2022 01:46:02 -0800 (PST)
Received: from mout01.posteo.de (mout01.posteo.de [185.67.36.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49B263A0A7B for <behave@ietf.org>; Thu, 10 Feb 2022 01:46:01 -0800 (PST)
Received: from submission (posteo.de [185.67.36.169]) by mout01.posteo.de (Postfix) with ESMTPS id E7B96240028 for <behave@ietf.org>; Thu, 10 Feb 2022 10:45:58 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1644486358; bh=Sdya9LsS3vVa9j9av6sbxr7y3kgXFs6mniEZ9Us0/zk=; h=Date:Subject:To:From:From; b=FdhbhCJJYqBQxHkyDpmTgsta0Z5Pvz4zgLSTNkpTJz6+1oTfx3zLemldJg4MxKGoS 5eEZaUAHYx7QWrmneMo+8zrSV4RxsQ3H02jV/y25tgKV62UJWyxpUKvvWU0WT1aGqk FmB/teNsgVGpcYpfiiPCZ0XM3AZ8IWRNBaOWoO6zb2JJREBfHp0geZaIO0IOqksIBd rCWbDJd/Ii+fkWx9qn/sTjPRgvqjTnnaYQJA+FfOcpbg+eYH4mEBJ7Mg1DXm/BEmah DGWk3cqxESbL4Tm1EnSDT5ArSErp0WO5g050mJyqaxs4gt/TTOfkUfRAJ9WP0Qu9Xt K/3cO8//zM9Yw==
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4JvX1d5Ttgz6tmJ for <behave@ietf.org>; Thu, 10 Feb 2022 10:45:57 +0100 (CET)
Message-ID: <9a7c10a6-ca93-5c60-00de-1315fc740713@posteo.de>
Date: Thu, 10 Feb 2022 09:45:55 +0000
MIME-Version: 1.0
Content-Language: de-DE
To: behave@ietf.org
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de> <ff858dee-a21a-a50d-72a5-da7915ac2de4@network-heretics.com> <71b5cdb0-78af-0f77-debc-84e178fe5e3a@posteo.de> <7a008cc2-e8a3-f91d-c782-96866c36a9db@network-heretics.com> <ee760818-a3c4-3755-6bdf-afcec6fcaaad@posteo.de> <B7DFC369-E7B7-4171-9C85-F75986B5AEF6@gmail.com> <6123a322-e9a7-7f90-391f-9b4c4461ce45@network-heretics.com> <e95993e4-4166-4b3d-1637-8ca451b093b6@huitema.net> <7b7cf541-3387-6d0b-0fbe-273a08fd37ed@posteo.de> <0d18c171-f713-4590-d9a6-3c5729a3384c@huitema.net> <a4dbfa8c-abb4-e4e7-e53c-d7f54a2e5bf9@posteo.de> <50b919ba-22e5-cfd0-5e44-b905d42c50b7@it.uc3m.es> <8c10d7d6-ad60-2373-c809-1b75b8d1448c@huitema.net> <0f31d5ce-fae5-1673-3b9b-15341c8b052e@it.uc3m.es> <c38f50da-8a0f-c15e-2938-1d33c3620e50@huitema.net> <4b4ef08b-e08f-6e12-d884-211b0c74d9c7@it.uc3m.es>
From: Klaus Frank <klaus.frank@posteo.de>
In-Reply-To: <4b4ef08b-e08f-6e12-d884-211b0c74d9c7@it.uc3m.es>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms070605080504060802080002"
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/ygUUT7yYUl6obW40p8kbyMkZ7W8>
Subject: Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Feb 2022 09:46:08 -0000

On 2022-02-10 08:38, marcelo bagnulo braun wrote:
> El 10/2/22 a las 8:27, Christian Huitema escribió:
>>
>> On 2/9/2022 11:07 PM, marcelo bagnulo braun wrote:
>>
>>> El 7/2/22 a las 19:03, Christian Huitema escribió:
>>>>
>>>>
>>>> On 2/6/2022 10:34 PM, marcelo bagnulo braun wrote:
>>>>> El 7/2/22 a las 3:48, Klaus Frank escribió:
>>>>>> The DNS64 server could be this secure DNS.
>>>>>
>>>>> This would consistent with the deployment scenario presented in 
>>>>> section 7.1 of RFC6147. 
>>>>
>>>>
>>>> Maybe. But the situation has changed since April 2011. ISPs cannot 
>>>> any more assume that all hosts will be using the resolver embedded 
>>>> in the NAT64 gateway -- some hosts, or some applications, may very 
>>>> well use some alternate encrypted DNS service, e.g., using DoH and 
>>>> connect to Quad9, Cloudflare or Google. The cases describe in 
>>>> section 6 of RFC6147 are going to be more and more frequent. We 
>>>> should make them work, and we should tell application developers 
>>>> about that.
>>>>
>>> DNS64 doesnt have to be collocated withthe NAT64 box.
>>>
>>> The scenario 7.1 still holds in case the user is using an external 
>>> reoslver, such as cloudflare. The thing is that the external 
>>> resolver must then implement the DNS64.
>>
>> How does the external resolver know when it should implement DNS64 
>> and when it shouldn't?
>>
>
> I would assume that the external resolver provider makes public which 
> resolver instances implement DNS64 and which do not and the clients 
> select accordingly?
>
Exactly, just look for yourself:

Cloudflare:
* https://developers.cloudflare.com/1.1.1.1/ipv6-networks
* https://developers.cloudflare.com/1.1.1.1/setup-1.1.1.1/linux

Google:
* https://developers.google.com/speed/public-dns/docs/dns64
* https://developers.google.com/speed/public-dns/docs/using

> I guess another alternative would be for the resolver to do dns64 for 
> cusotmers connecting through IPv6 and obtain replies that return only 
> A RR, but this sounds like a bad idea to me....
>
>
>>> This works fine as long as the WKP is used. 
>>
>> Lot's of stuff will work better if the WKP is used...
>>
>> -- Christian Huitema
>>
>
> _______________________________________________
> Behave mailing list
> Behave@ietf.org
> https://www.ietf.org/mailman/listinfo/behave

v2.23.0 | Report a Bug | By Email