[dns-dir] Help reviewing draft-ietf-opsec-ipv6-implications-on-ipv4-nets for bad DNS advice?

Ted Lemon <Ted.Lemon@nominum.com> Fri, 05 July 2013 18:01 UTC

From: Ted Lemon <Ted.Lemon@nominum.com>
To: "dns-dir@ietf.org" <dns-dir@ietf.org>
Thread-Topic: Help reviewing draft-ietf-opsec-ipv6-implications-on-ipv4-nets for bad DNS advice?
Date: Fri, 05 Jul 2013 18:00:49 +0000
Message-ID: <8D23D4052ABE7A4490E77B1A012B630775200A1E@mbx-01.win.nominum.com>
Subject: [dns-dir] Help reviewing draft-ietf-opsec-ipv6-implications-on-ipv4-nets for bad DNS advice?

This is a document about how to disable IPv6 on corporate networks, for those who swing that way. The bit of text I am concerned with is this:

   For this reason, networks attempting to prevent IPv6 traffic from
   traversing their devices should consider configuring their local
   recursive DNS servers to respond to queries for AAAA DNS records with
   a DNS RCODE of 0 (NOERROR) [RFC1035] or to silently ignore such
   queries, and should even consider filtering AAAA records at the
   network ingress point to prevent the internal hosts from attempting
   their own DNS resolution.  This will ensure that hosts which are on
   an IPv4-only network will only receive DNS A records, and they will
   be unlikely to attempt to use (likely broken) IPv6 connectivity to
   reach their desired destinations.

This looks like bad advice to me. I'm not convinced that there is a safe way to do what is proposed here. What do you all think?

The complete document is here:

	http://tools.ietf.org/html/draft-ietf-opsec-ipv6-implications-on-ipv4-nets-05

Thanks!
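To make the quoted proposal concrete on the wire, here is an added example (not from the draft or from this thread) that classifies a response to an AAAA query: a real AAAA answer, a NODATA response carrying the zone's SOA with or without NSEC/NSEC3 denial records, or a bare NOERROR with empty answer and authority sections, which is what a resolver that simply suppresses AAAA records as the draft suggests would hand back. The sample messages are constructed inline; the name `www.example.test`, the dummy rdata and the "signed"/"unsigned" labels are assumptions for illustration, and RRSIGs are not verified.

```python
import struct
QTYPE_AAAA, QTYPE_SOA, QTYPE_NSEC, QTYPE_NSEC3 = 28, 6, 47, 50  # RR type codes (RFC 1035, 4034, 5155)

def _encode_name(name):
    # Uncompressed wire-format name: length-prefixed labels ending in a zero byte.
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def _skip_name(msg, off):
    # Advance past a name, honouring compression pointers (RFC 1035 section 4.1.4).
    while msg[off] & 0xC0 != 0xC0:
        if msg[off] == 0:
            return off + 1
        off += 1 + msg[off]
    return off + 2

def _section_types(msg, off, count):
    # Return the RR types found in one section plus the offset just past it.
    types = []
    for _ in range(count):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        types.append(rtype)
    return types, off

def classify_aaaa_response(msg):
    # Label a response to an AAAA query by what a stub resolver (or validator) can learn from it.
    _, flags, qd, an, ns, _ = struct.unpack_from("!HHHHHH", msg, 0)
    rcode, off = flags & 0x0F, 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QNAME, then QTYPE and QCLASS
    answers, off = _section_types(msg, off, an)
    authority, _ = _section_types(msg, off, ns)
    if rcode != 0:
        return f"rcode {rcode}"
    if QTYPE_AAAA in answers:
        return "aaaa answer"
    if QTYPE_SOA in authority and (QTYPE_NSEC in authority or QTYPE_NSEC3 in authority):
        return "signed nodata"  # heuristic: denial-of-existence records present; RRSIGs not verified here
    if QTYPE_SOA in authority:
        return "unsigned nodata"
    return "synthesized empty noerror"  # NOERROR with empty answer and authority: the draft's suppression case

def build_response(qname, answer_rrs=(), authority_rrs=()):
    # Constructed sample message: NOERROR, QR/RD/RA set, one AAAA question; all RRs owned by qname for brevity.
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answer_rrs), len(authority_rrs), 0)
    question = _encode_name(qname) + struct.pack("!HH", QTYPE_AAAA, 1)
    return header + question + b"".join(_encode_name(qname) + struct.pack("!HHIH", t, 1, 300, len(d)) + d
                                        for t, d in list(answer_rrs) + list(authority_rrs))
```

Run against captured responses from a local resolver, the last label is the one to look for when checking whether AAAA suppression is in place, and it is also the shape a DNSSEC-validating client cannot distinguish from a forged answer.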