Re: [dns-dir] [tim.polk@nist.gov: DISCUSS: <draft-ietf-behave-dns64-10.txt>]

Patrik Fältström <paf@cisco.com> Mon, 23 August 2010 14:43 UTC

Return-Path: <paf@cisco.com>
X-Original-To: dns-dir@core3.amsl.com
Delivered-To: dns-dir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1116E3A6A53 for <dns-dir@core3.amsl.com>; Mon, 23 Aug 2010 07:43:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.398
X-Spam-Level:
X-Spam-Status: No, score=-8.398 tagged_above=-999 required=5 tests=[AWL=-1.299, BAYES_50=0.001, J_CHICKENPOX_44=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SzkYRbUIRdUT for <dns-dir@core3.amsl.com>; Mon, 23 Aug 2010 07:43:21 -0700 (PDT)
Received: from rtp-iport-2.cisco.com (rtp-iport-2.cisco.com [64.102.122.149]) by core3.amsl.com (Postfix) with ESMTP id D3B123A6A3F for <dns-dir@ietf.org>; Mon, 23 Aug 2010 07:43:20 -0700 (PDT)
Authentication-Results: rtp-iport-2.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAIYmckxAZnwN/2dsb2JhbACgLnGfUJtIhTcEiXY
X-IronPort-AV: E=Sophos;i="4.56,257,1280707200"; d="scan'208";a="150889131"
Received: from rtp-core-2.cisco.com ([64.102.124.13]) by rtp-iport-2.cisco.com with ESMTP; 23 Aug 2010 14:43:34 +0000
Received: from [192.165.72.14] (dhcp-10-55-83-170.cisco.com [10.55.83.170]) by rtp-core-2.cisco.com (8.13.8/8.14.3) with ESMTP id o7NEhWjx009860; Mon, 23 Aug 2010 14:43:33 GMT
Mime-Version: 1.0 (Apple Message framework v1081)
Content-Type: text/plain; charset=iso-8859-1
From: =?iso-8859-1?Q?Patrik_F=E4ltstr=F6m?= <paf@cisco.com>
In-Reply-To: <20100820173329.GF96071@shinkuro.com>
Date: Mon, 23 Aug 2010 16:43:32 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <C73DF394-D57C-4449-B98B-15E3AAF1FE28@cisco.com>
References: <20100812144452.GC63338@shinkuro.com> <869C5178-0637-4374-9841-FB5393469C6E@gmail.com> <FD0919FD-75E6-4639-919E-5D3909BD7D04@cisco.com> <20100820173329.GF96071@shinkuro.com>
To: Andrew Sullivan <ajs@shinkuro.com>
X-Mailer: Apple Mail (2.1081)
Cc: Suzanne Woolf <woolf@isc.org>, draft-ietf-behave-dns64@tools.ietf.org, IETF Directorate DNS <dns-dir@ietf.org>
Subject: Re: [dns-dir] [tim.polk@nist.gov: DISCUSS: <draft-ietf-behave-dns64-10.txt>]
X-BeenThere: dns-dir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNS directorate discussion list <dns-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dns-dir>, <mailto:dns-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dns-dir>
List-Post: <mailto:dns-dir@ietf.org>
List-Help: <mailto:dns-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-dir>, <mailto:dns-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Aug 2010 14:43:25 -0000

[copying also Suzanne that had some questions]

On 20 aug 2010, at 19.33, Andrew Sullivan wrote:

> Hi Patrik,
> 
> Thanks for your detailed review.  The document is now under IESG
> control, so I can make some suggestions but I can't actually make any
> of these changes yet.  See below inline.

I of course do understand that we at this late stage rather want to have the document released than pushing it back to the WG. I have tried to explain below what things I do though absolutely would like to have clarified and not. And yes, you and I seems to be on the same wavelength here.

> On Thu, Aug 19, 2010 at 11:28:22AM +0200, Patrik Fältström wrote:
>>>  of one or more DNS64-enabled name servers.  However, some advanced
>>>  features require performing the DNS64 function directly in the end-
>>>  hosts themselves.
>> 
>> I do not like words like "advanced" in texts like these. Why is for example "validation of DNSSEC records in the end host resolver" to be "advanced"?
>> 
> 
> So if we just remove it, that'd be ok?

Yes. I.e. do not do any judgement. And specifically for DNSSEC, that is something people should not be scared away from, which they might be with text like this. "Oh no, advanced stuff, costs $$$."

>> In the non-normative section, the following important information exists:
>> 
>>>  (NOTE: By IPv6-only hosts we mean hosts running IPv6-only
>>>  applications, hosts that can only use IPv6, as well as cases where
>>>  only IPv6 connectivity is available to the client.  By IPv4-only
>>>  servers we mean servers running IPv4-only applications, servers that
>>>  can only use IPv4, as well as cases where only IPv4 connectivity is
>>>  available to the server).
> 
> We could restate this in the definitions section.  Ok?

I think that would be good.

>>> 3.  Background to DNS64-DNSSEC interaction
>> 
>> As section 2 explicitly is non-normative, is section 3 normative as it is not say that it is not?
> 
> You raise this several times.  I think you're right.  I suggest that
> we alter the Introduction and state there explicitly which sections
> are normative and which not.  Ok?

What I think you should do is one of two things:

1. In the introduction mention what is normative and not, and then remove that text from the various sections.

2. Add in each section a word, text etc on the status of that section. But do it the same way in every section.

I think (1) is the best.

Be consistent.

>> I think personally it would be better to, for each of the alternatives, compare the DNS64 impact on resolver and server than list (again) a more comprehensive DNSSEC behaviour list like this. But that is a personal opinion.
> 
> Well, this was intended to be explanatory material for someone who was
> implementing this but not familiar with DNSSEC.  Otherwise I was
> nervous that the reasoning behind not synthesizing when CD=1 wouldn't
> be clear.

Ok. Fair.

>>>  1.  A DNS64 (DNSSEC-aware or DNSSEC-oblivious) receives a query with
>>>      the DO bit clear.  In this case, DNSSEC is not a concern, because
>>>      the querying agent does not understand DNSSEC responses.
>> 
>> Should not it be mentioned that the DNS64, if being a DNS64 resolver, very well can do validation of the response, and act according to local policy? Similar to a case 5, but with local policy?
> 
> We can if you like, sure.

Yes please. The way I read the text above it says that for the resolver "DNSSEC is not a concern", which might be read as if the resolver is not to do validation (at all). I can very well envision cases where A buys a service from B where B runs the DNS64 service (and Nat64) and requires validation in the resolver. If B now does NOT do validation, I do not want B to reference this document and say "as you did send DO bit clear, I ignore DNSSEC completely -- see RFC".

>>>  4.  A security-aware and non-validating DNS64 receives a query with
>>>      the DO bit set and the CD bit set.  In this case, the resolver is
>> 
>> What is "resolver" in this sentence? Looks to me that this is written only for the "DNS64 resolver" cases and not the DNS64 server case?
> 
> Ugh.  It does look like we have terminological issues here.  I thought
> I'd weeded this out in a previous pass, but I think I did it only in
> the normative sections, perhaps.  Yuck.
> 
> It is indeed supposed to include the DNS64 server case.  For reasons
> that are not clear to me, some have insisted that a DNS authoritative
> server that is doing DNS64 could do so automatically, without anyone
> actually provisioning the AAAA records with the Pref::/64.  I don't
> personally get this use case at all, but people have insisted on it so
> it's possible.

When I have read this document (this version and older versions) I have also been confused. I think the DNS64 server case is so special it just does not make any sense. And, I feel the authoritative server then by definition is authoritative for the records regardless of whether they are "configured" or "synthesized on the fly" (whats the difference?).

I.e. the whole document could be so extremely more simple of the DNS64 server case was indeed a special case explained just in a separate section where it is explained that "if the DNS64 recursive resolver is indeed authoritative for some zone(s) it is getting queries for, it should ...".

And then have the document ONLY talk about the two resolver cases.

But I do see your issue with restructuring "too much".

Unfortunately as the document now talk about DNS64 server it just has to. Otherwise it must go back to the wg.

>> Here one say "DNS64 server" and claim that it "modifies" the record. I do not understand what "modifies" implies at an authoritative server, as for me whatever comes from an authoritative server is the authoritative record. There is nothing that is modified. The records (the AAAA records) can in the case of a DNS64 server very well be signed AAAA records that are very stable and never changed. I.e. pre-populated in the zone and not at all something that is synthesized, and signed!
> 
> Remember that strictly speaking the DNS64 is a logical function.  So
> the name server function in the DNS64 (which is technically speaking
> never exposed to anyone) only provides the A record, and the DNS64
> function "modifies" it.

Yes but...

> I concede that it is a little uncomfortable
> to talk like this, but it preserves the logical distinction between an
> actual DNS64 server, and a plain DNS server that happens to have in it
> AAAA records using the Pref::/64.  Does that make sense?

Yes, it does make sense. I still do not like it ;-)

>>>  5.  A security-aware and validating DNS64 node receives a query with
>> 
>> Here is a new term, DNS64 node. Is that the same as "a DNS64" earlier, i.e. one of the three cases? I think in reality it is one of the "DNS64 resolver" cases one talk about here, and not "DNS64 server".
> 
> Yeah, it's a resolver.  (A DNS64 authority server never validates.)
> We'll have to go through and fix up the terminology to be consistent
> with the terminology section.

Should not be so hard I think. Just make up your mind. And ensure you for every case talk about every case.

>>>  Authoritative server:  A DNS server that can answer authoritatively a
>>>  given DNS question.
>> 
>> Is "question" the correct term? I ask...
>> 
>> I try to say "Respond authoritatively to a DNS request" but I also know that some people do think it is a good thing to say query/answer when it explicitly is a query we talk about.
> 
> If only the DNS geeks had a consistent set of terms, eh?  Oh, wait.
> I'm also ok with request.

Just make up your mind, and ensure you do not get stuck if DNS64 is used for dynamic updates... Maybe you should just be clear if you talk about all query types or not? Maybe you are...I do not have the document in front of me now.

I have, honestly, not really been thinking of what happens with DNS64 and dynamic updates and other non-queries.

>>>  DNS64:  A logical function that synthesizes DNS resource records (e.g
>>>     AAAA records containing IPv6 addresses) from DNS resource records
>>>     actually contained in the DNS (e.g., A records containing IPv4
>>>     addresses).
>> 
>> Does it have to be synthesized? Also if it is a DNS64 server?
> 
> Yes.

Ok. I understand that is how it is designed. Mumble...

>>>  DNS64 recursor:  A recursive resolver that provides the DNS64
>>>     functionality as part of its operation.  This is the same thing as
>>>     "DNS64 in recursive resolver mode".
>> 
>> Above, in the non-normative section, this was called "DNS64 resolver" as well. Is "DNS64 recursor" a subset of "DNS resolver"? If it is, should not "DNS64 stub" also be defined?
> 
> I don't think we have anywhere in the document where we really needed
> a DNS64 stub definition, so I removed it.  But I'm happy to add it
> back if you think it helps.  Dave Thaler in particular was keen that
> we not define additional terms we don't strictly need.

No, I do not think we should have more terms.

My point was that it was called "DNS64 resolver" and here you have "DNS64 recursor". Below you talk about "stub resolver" and "recursive resolver", above "recursor".

>>>  DNS64 resolver:  Any resolver (stub resolver or recursive resolver)
>>>     that provides the DNS64 function.
>>> 
>>>  DNS64 server:  Any server providing the DNS64 function.
>> 
>> Authoritative server, or also resolvers?
> 
> Any server.  So it could be a recursive resolver, yes.  This means
> that such a beast would be both a DNS64 server and a DNS64 resolver.
> That's consistent with the dual name of recursive servers/recursive
> resolvers in plain DNS, though, no?

Yes. I do think you try to define things like this:

DNS64 recursive resolver
DNS64 stub resolver
DNS64 authoritative server
DNS64 resolver: DNS recursive resolver + DNS64 stub resolver
DNS64 server: DNS recursive resolver + DNS64 authoritative server

I.e. ensure you absolutely do have the sets clearly defined, without any grammar changes in English. Not all readers do understand what "recursor" is. Is that a new term?

>>>  Recursive resolver:  A DNS server that accepts requests from one
>>>     resolver, and asks another server (of some description) for the
>>>     answer on behalf of the first resolver.
>> 
>> Is this the same definition as in other documents?
> 
> Ha!  If only 1034 actually defined this.  RFC 4033 has this, which is
> as close to a definition as we have:
> 
>   Security-Aware Recursive Name Server: An entity that acts in both the
>      security-aware name server and security-aware resolver roles.  A
>      more cumbersome but equivalent phrase would be "a security-aware
>      name server that offers recursive service".
> 
> We could follow the same convention, and define recursive resolver as
> a system that acts in both name server and resolver modes, and then
> we'd need to define name server and resolver.  Name server is kind of
> defined in 1034 Sec 2.4., as is resolver.  The text in 1034 is
> sufficiently poor that many people seem to forget that recursive name
> servers can end up cached (sometimes without people knowing it), and I
> was trying to draw that information out.  But maybe this is a poor
> place to do so.

Mumble...we need a DNS terminology document. Although, we would never agree on anything in that document...

>>>  Synthetic RR:  A DNS resource record (RR) that is not contained in
>>>     any zone data file, but has been synthesized from other RRs.  An
>>>     example is a synthetic AAAA record created from an A record.
>> 
>> Mumble, is "zone data file" a good wording? Should one not talk about "generated on request" instead? Maybe it is the best wording? Although some records might be in a database, and not at all in a file.
> 
> Yeah, I originally had just "any zone data", and someone insisted that
> wasn't good enough because the synthetic RR could be in a cache
> somewhere.  (For the same reason, "generated on request" won't exactly
> work either.)  What about this:
> 
>    Synthetic RR: A DNS resource record (RR) that is not contained in
>      the authoritative servers' zone data, but which is instead
>      sythesized from other RRs in the same zone.  An example is a
>      synthetic AAAA record created from an A record.
> 
> ?

Yes, much better. Thanks.

That include all RR that are generated. Not only the ones that are generated on request.

>>>  DNS64 is a logical function that synthesizes AAAA records from A
>>>  records.  The DNS64 function may be implemented in a stub resolver,
>>>  in a recursive resolver, or in an authoritative name server.
>> 
>> In an authoritative server they do not have to be synthesized.
> 
> In that case, it's not DNS64.  We actually suggest later in the
> document that you should not use DNS64 on the authoritative server,
> and that you should instead populate the real zone with the relevant
> records if you're planning to use NAT64.  Is this not clear?

It is. Comments to some degree end up like this if one read detailed review in a one-pass-process.

>>> 5.1.2.  The answer when there is an error
>>> 
>> 
>> Maybe a reference to 5.1.6/5.1.7 (see below) here.
> 
> Ok.
> 
>>> 5.1.4.  Special exclusion set for AAAA records
>> 
>> This section is confusing, as other 5.1.* sections are alternatives. I.e. "issue an AAAA query, and do the following if this happens". Specifically as 5.1.4 is before 5.1.6 which is another alternative parallel to for example 5.1.2.
>> 
>> I.e. I think it would be better if the document was like this (not critical though):
>> 
>> 5. Behaviour
>> 
>> 5.1. Queries for AAAA
>> 
>> Issue a query for AAAA, and behave like the following:
>> 
>> 5.1.1. A non-empty answer section, where the AAAA is not in the special range
>> 
>> 5.1.2. A non-empty answer section, where the AAAA is in the special range
>> 
>> 5.1.3. A non-empty answer section, with CNAME or DNAME
>> 
>> 5.1.4. An answer with Errcode 3
>> 
>> 5.1.5. Other errcodes
>> 
>> I.e. like a flowchart. One of the subsections matches. That makes it easier to know what to do and how to implement.
> 
> Ok.  To do this, I think, we'd need to take it back to the WG and
> through LC again, no?  That's a pretty significant change.

Do not do the change.

But you do understand my view?

I.e. have the sections like a flowchart.

1. DNS64 server that receives a query for AAAA
1.1. Issue query for AAAA
1.1.1. If RR Code is zero
1.1.2. If RR Code is non-zero
1.2. Issue query for A
1.2.1. If RR Code is zero
1.2.2. If RR Code is non-zero
2. DNS64 server that receives a query for PTR
3. DNS64 server that receives a query for other RR Types
4. Synthezising responses

Etc...

Then one can do section 1 and 2 and 3, follow step by step, and then get references to section 4, 5 etc as subroutines. As it is now the flowchart is sort of mixed with "think of this if the errcode is..." or "this is how you synthesizes a record".

Next version of the document.

>>> 5.1.6.  Data for the answer when performing synthesis
>> :
>>> 5.1.7.  Performing the synthesis
>> 
>> 5.1.6 and 5.1.7 should really be merged, and the section should be "errcode != 3 and an empty answer section"
> 
> Why?  These are strictly speaking distinct steps.  After all, if you
> wanted to populate your authoritative zone with DNS data that would
> cause a NAT64 to be used, you'd want the output from 5.1.6 but not
> 5.1.7, right?

Explanation to my view: It might be confusing for the reader to understand that it should do more than one subsection of 5.1 but still not all of them. I.e. the way I like documents, subsections should either all of them be used, or only one, and in the latter case, the header (or first paragraph) should clearly have a requirement or test that should evaluate to TRUE if the section is to be used.

But ok... I see your way of looking at it.

>>>  o  The TTL field is set to the minimum of the TTL of the original A
>>>     RR and the SOA RR for the queried domain.  (Note that in order to
>>>     obtain the TTL of the SOA RR, the DNS64 does not need to perform a
>>>     new query, but it can remember the TTL from the SOA RR in the
>>>     negative response to the AAAA query.  If the SOA RR was not
>>>     delivered with the negative response to the AAAA query, then the
>>>     DNS64 SHOULD use a default value of 600 seconds.
>> 
>> Not really...it should be the smallest of 600 and the TTL for the A, right?
> 
> Oh, good catch.

Yeah! One good catch! :-D

>>>     It is possible
>>>     instead to query explicitly for the SOA RR and use the result of
>>>     that query, but this will increase query load and time to
>>>     resolution for little additional benefit.)  This is in keeping
>>>     with the approach used in negative caching ([RFC2308]
>> 
>> Why not just stop after saying it should be the smallest of the TTL of the A and the SOA, and then let the rest be up to the implementor? I am nervous over more "fixed default values" for negative caching. If the SOA was not returned, then the DNS64 have to query for it.
> 
> I felt the same way, but the WG (and Mark Andrews in particular) was
> quite sure we needed a default.

Hmm...ok.

>>>  o  The RDLENGTH field is set to 16
>>> 
>>>  o  The RDATA field is set to the IPv6 representation of the IPv4
>>>     address from the RDATA field of the A record.  The DNS64 SHOULD
>>>     check each A RR against configured IPv4 address ranges and select
>>>     the corresponding IPv6 prefix to use in synthesizing the AAAA RR.
>> 
>> Why only a SHOULD? And, is this not an implementation issue?
> 
> Someone wanted to be able to short-circuit this check if there's only
> one address range configured.

Well, then it is really checking every IPv4 A still, right? The check always returns the one same IPv6 prefix.

Mumble. I am really nervous there will not be a test here in some implementations. I.e. that someone will screw up. Ok, I do know the meaning of SHOULD, but still...

>>> 5.1.8.  Querying in parallel
>>> 
>>>  The DNS64 MAY perform the query for the AAAA RR and for the A RR in
>>>  parallel, in order to minimize the delay.  However, this would result
>>>  in performing unnecessary A RR queries in the case where no AAAA RR
>>>  synthesis is required.
>> 
>> Why is this "however" listed in a normative specification?
> 
> Well, I think the entire option for querying in parallel ought not to
> be allowed, on DNS performance grounds, but the web people keep
> insisting that they need this to achieve acceptable speed.  I'm
> willing to tear it out, but I'd actually like to recommend against
> such parallel querying.

No, ok, let it be there.

I am just *personally* very tired of long RFC with lots of text (that you give to programmers and they do not get it).

This document is good in that it have normative and non-normative stuff, and the normative stuff is in reality very small. But one need lots of explanations. Right?

FWIW, I have myself inside Cisco written a DNS64 thing that is shorter regarding "what to do", but have lots of explanations...

Some people that implement stuff does not have to know what to do, and if they really want to, they can read the explanatory stuff.

But, that is also one of my windmills in the IETF that I am fighting.

Shorter documents! Just write what is needed in the normative section. When you can not remove a single word more, you are done.

That said, long explanations, examples and what not.

>> There is nothing in 5.1 (what to do when querying for AAAA records) about the additional or authoritative section.
> 
> No, because that's dealt with in 5.3.  Why should it be in 5.1?

Ok, sorry, confusion...

Let me exaggerate a bit, and show how confusing I find it. I think 5 should be split in 5 and a new section 6. The new section 6 should include the subsections of 5 that today is only "support" to the other subsections. Then titles of the subsections of 5 should be such that one for each case should read one and only one of the sections.

We have:

> 5.1 Resolving AAAA queries and the answer section


Is this for only AAAA queries, or for AAAA queries and answer section for query for any RR Type?

Then we have:

> 5.2. Generation of the IPv6 representations of IPv4 addresses

Is this for AAAA queries, or all queries? We have already walked through how to handle the answer section in 5.1?

And then:

> 5.3. Handling other Resource Records and the Additional Section


What about the Query and Authoritative section? Is this Additional Section for all RR Types, or just non-AAAA RR?

And then:

> 5.4. Assembling a synthesized response to a AAAA query


Is this a subsection of? When should I read this? AAAA query, but that was 5.1, or?

And then last:

> 5.5.  DNSSEC processing: DNS64 in recursive resolver mode

Is this not DNS64 resolver mode in general?

>>> 5.2.  Generation of the IPv6 representations of IPv4 addresses
>> 
>> Should not queries for other RR Types be in 5.2, and this be part of the "synthesizing responses" above, or some other section?
> 
> Why?

Because that is the only case when this does happen?

>>> 5.3.  Handling other Resource Records and the Additional Section
>>> 
>>> 5.3.1.  PTR Resource Record
>>> 
>>>  If a DNS64 server receives a PTR query for a record in the IP6.ARPA
>>>  domain, it MUST strip the IP6.ARPA labels from the QNAME, reverse the
>>>  address portion of the QNAME according to the encoding scheme
>>>  outlined in section 2.5 of [RFC3596], and examine the resulting
>>>  address to see whether its prefix matches any of the locally-
>>>  configured Pref64::/n.
>> 
>> ...or the default well known prefix (that was not to be configured).
> 
> Good catch, thanks.

:-)

>>>  There are two alternatives for a DNS64 server
>> 
>> What about DNS64 resolvers that receive PTR queries?
> 
> Hrm.  Yes, I guess that needs to be "There are two alternatives for DNS64 to. . ."

Thanks.

>>>  2.  The second option is for the DNS64 nameserver to synthesize a
>>>      CNAME mapping the IP6.ARPA namespace to the corresponding IN-
>>>      ADDR.ARPA name.
>> 
>> Is this safe? I.e. it is clear no other RR Type than PTR exists with this owner?
>> 
>> See Apple Bonjour for example.
> 
> I agree.  This option is only there because Mark Andrews insisted it
> be.  I think the whole thing is a bad idea: you should follow option
> 1, which is the only safe response IMO.  But the WG seemed to want
> option 2 as well.

But this is wrong as the PTR might not have a corresponding IN-ADDR.ARPA name. In that case you absolutely must say "....to the corresponding name". Or "...to the corresponding name in IN-ADDR.ARPA if it exists".

Lets say we have:

www.example.com. IN PTR foo.bar.example.

Now we query for that....I think the text must absolutely be so that the PTR in question is not invalid.

>> A query for a PTR record might not have owner in the IP6.ARPA, so 5.3.1 is really for PTR records in the IP6.ARPA domain. What about other PTR queries?
>> 
>> I guess the answer is here:
>> 
>>>  If the address prefix does not match any Pref64::/n, then the DNS64
>>>  server MUST process the query as though it were any other query; i.e.
>>>  a recursive nameserver MUST attempt to resolve the query as though it
>>>  were any other (non-A/AAAA) query, and an authoritative server MUST
>>>  respond authoritatively or with a referral, as appropriate.
> 
> Yes.

Good.

>> No other RR Types need special treatment?
> 
> No other RR types need treatment like PTRs do. 

Good.

>> I.e. the flow is weird here as well in the document. Because other RR Types comes as 5.3.3.
> 
> Do you want us to swap that with 5.3.2?

No. See above. I think I talk about a larger restructuring in the next version of the document.

>>> 5.3.2.  Handling the additional section
>>> 
>>>  DNS64 synthesis MUST NOT be performed on any records in the
>>>  additional section of synthesized answers.  The DNS64 MUST pass the
>>>  additional section unchanged.
>> 
>> The normative part of 5.3.2 should stop here. Remove the rest or move to non-normative section of this document.
> 
> Ok.

Once again. See above. Do not do the change.

>>> 5.4.  Assembling a synthesized response to a AAAA query
>> 
>> Here we have some text on how to do synthesis again?
> 
> No, this is not how to do synthesis.  This is how to assemble the
> response (i.e. the thing you're going to ship back).  The _synthesis_,
> strictly speaking, was just the creation of the AAAA record from the
> A, and that goes into an answer section.  That answer section is now
> one of the pieces assembled to make a DNS response packet.

Ok...

>>> 5.5.  DNSSEC processing: DNS64 in recursive resolver mode
>>> 
>>>  We consider the case where a recursive resolver that is performing
>>>  DNS64 also has a local policy to validate the answers according to
>>>  the procedures outlined in [RFC4035] Section 5.  We call this general
>>>  case vDNS64.
>> 
>> Then this is really:
>> 
>> 5.5. DNSSEC processing: DNS64 in validating recursive resolver
> 
> Oh, good catch.  Thanks.

:-)

>>>  2.  If CD is not set and DO is set, then vDNS64 SHOULD perform
>>>      validation.  Whenever vDNS64 performs validation, it MUST
>>>      validate the negative answer for AAAA queries before proceeding
>>>      to query for A records for the same name, in order to be sure
>>>      that there is not a legitimate AAAA record on the Internet.
>>>      Failing to observe this step would allow an attacker to use DNS64
>>>      as a mechanism to circumvent DNSSEC.  If the negative response
>>>      validates, and the response to the A query validates, then the
>>>      vDNS64 MAY perform synthesis and SHOULD set the AD bit in the
>>>      answer to the client.  This is acceptable, because [RFC4035],
>>>      section 3.2.3 says that the AD bit is set by the name server side
>>>      of a security-aware recursive name server if and only if it
>>>      considers all the RRSets in the Answer and Authority sections to
>>>      be authentic.  In this case, the name server has reason to
>>>      believe the RRSets are all authentic, so it SHOULD set the AD
>>>      bit.  If the data does not validate, the vDNS64 MUST respond with
>>>      RCODE=2 (Server failure).
>>>      A security-aware end point might take the presence of the AD bit
>>>      as an indication that the data is valid, and may pass the DNS
>>>      (and DNSSEC) data to an application.  If the application attempts
>>>      to validate the synthesized data, of course, the validation will
>>>      fail.  One could argue therefore that this approach is not
>>>      desirable, but security aware stub resolvers must not place any
>>>      reliance on data received from resolvers and validated on their
>>>      behalf without certain criteria established by [RFC4035], section
>>>      4.9.3.  An application that wants to perform validation on its
>>>      own should use the CD bit.
>> 
>> Too much discussion. And (for example) last sentence have "should" in lower case. What does that imply?
> 
> It implies that different people have read DNSSECbis and come to
> different conclusions about whether the AD bit means anything.

Hmm...

> Rob
> Austein and some of the other document editors, as well as several
> other people, are sure that the _only_ way to trust the answer is to
> set CD and check yourself.  But one of the largest vendors out there
> seems to have decided that the AD bit is significant and useful.  This
> text was the compromise we were able to come up with.

Ok. Fair.

> I think the "too much discussion" is a suggestion that the second
> paragraph be moved to a non-normative section?  (I'm just trying to be
> sure what you thought was discussion there.)

Or just let it be.

But you are right in general.

>>>  3.  If the CD bit is set and DO is set, then vDNS64 MAY perform
>>>      validation, but MUST NOT perform synthesis.  It MUST return the
>>>      data to the query initiator, just like a regular recursive
>>>      resolver, and depend on the client to do the validation and the
>>>      synthesis itself.
>>>      The disadvantage to this approach is that an end point that is
>>>      translation-oblivious but security-aware and validating will not
>>>      be able to use the DNS64 functionality.  In this case, the end
>>>      point will not have the desired benefit of NAT64.  In effect,
>>>      this strategy means that any end point that wishes to do
>>>      validation in a NAT64 context must be upgraded to be translation-
>>>      aware as well.
>> 
>> (Re)move second paragraph.
> 
> Ok.

Oh, I see...now... Hmm...leave it.

> But you agree with this approach?  This point is in fact exactly
> what the DISCUSS on this draft was about: the document assumes that a
> validating resolver knows how to do DNS64 or else DNS64 just doesn't
> work for that host.  You don't think that's impractical?  (That was
> the question.)

Let me think...you talk about the case when a resolver that has only IPv6 transport want to use a DNS64 service somewhere where the DNS64 is NOT doing the validation? But, there will be RR synthesized by the DNS64 box, so that must do the validation, right?

This actually do work if you have a validating resolver on the inside of a DNS64 box and that resolver is doing DNS64 by itself. Which I think should be possible.

So you can have one DNS64 be validating and use another DNS64 as a forwarder.

Which I think makes sense.

>>> 8.  Security Considerations
>>> 
>>>  DNS64 operates in combination with the DNS, and is therefore subject
>>>  to whatever security considerations are appropriate to the DNS mode
>>>  in which the DNS64 is operating (i.e. authoritative, recursive, or
>>>  stub resolver mode).
>>> 
>>>  DNS64 has the potential to interfere with the functioning of DNSSEC,
>>>  because DNS64 modifies DNS answers, and DNSSEC is designed to detect
>>>  such modification and to treat modified answers as bogus.  See the
>>>  discussion above in Section 3, Section 5.5, and Section 6.2.
>> 
>> It should be noted what might happen if the translator between IPv4 and IPv6 is not in sync with this box.
> 
> You mean, if the DNS64 has the wrong Pref::/64 configured, like?

Yes.

>> Additionally:
>> 
>> There is no text on how to handle the query and additional section of the request/response.
> 
> Sure there is.  Section 5.3.2 explicitly says that you may not muck
> with the additional section, and section 5.4 says you copy the
> question from the original query.  The additional and authority
> sections are similarly copied from the real DNS answer.  Or am I
> missing something you'd like to see?

No, I was missing it. See above.

> Thanks for the review!

Thanks for the pushing...

   paf