Re: [dns-dir] Help reviewing draft-ietf-opsec-ipv6-implications-on-ipv4-nets for bad DNS advice?

Ted Lemon <Ted.Lemon@nominum.com> Tue, 09 July 2013 14:17 UTC

From: Ted Lemon <Ted.Lemon@nominum.com>
To: Mark Townsley <mark@townsley.net>
Thread-Topic: [dns-dir] Help reviewing draft-ietf-opsec-ipv6-implications-on-ipv4-nets for bad DNS advice?
Date: Tue, 09 Jul 2013 14:17:39 +0000
Message-ID: <8D23D4052ABE7A4490E77B1A012B630775206126@mbx-01.win.nominum.com>
References: <8D23D4052ABE7A4490E77B1A012B630775200A1E@mbx-01.win.nominum.com> <7ACC4C2E-3D83-41D9-8794-AF2D9DE04701@townsley.net>
In-Reply-To: <7ACC4C2E-3D83-41D9-8794-AF2D9DE04701@townsley.net>
Cc: "dns-dir@ietf.org" <dns-dir@ietf.org>
Subject: Re: [dns-dir] Help reviewing draft-ietf-opsec-ipv6-implications-on-ipv4-nets for bad DNS advice?
List-Id: IETF DNS directorate discussion list <dns-dir.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/dns-dir>

On Jul 9, 2013, at 9:50 AM, Mark Townsley <mark@townsley.net> wrote:
> Safe in what sense? Are there security dangers in it?

It certainly breaks DNSSEC. Silently ignoring queries on a name can lead to long timeouts. They were going to return NXDOMAIN, which would have been really exciting, but they at least agreed to take that out.

> I can state a lot of reasons why I don't *like* it:
> 
> - Please just deploy IPv6 instead
> - Users that want to get around this, can (8.8.8.8)
> - Inconsistency in DNS is hard to diagnose, troubleshoot, etc....

Actually I think they want to also intercept DNS queries at the firewall, so querying against Google's name service wouldn't work.

> That said, 6to4 and Teredo are as rampant as they are broken. Perhaps the focus should be on ridding these from codebases entirely rather than pussyfooting around about it as we have in the past. 

Breaking 6to4 and Teredo at the enterprise firewall is pretty easy. This is a document about how to run enterprise networks where you aren't doing IPv6. Personally I think it's bad because it encourages enterprises to postpone upgrading to IPv6, when in fact enterprises are one of the easiest places in the world to do IPv6, and there are substantial benefits to switching. But my main concern about this document is that it will be read as the IETF generally supporting the techniques it describes, even though the introduction says it's specifically for corporate environments.

So if there is something about the paragraph I quoted that would cause genuine breakage, but that I have missed, that's what I'm hoping someone will tell me. The paragraph gives me an uneasy feeling, but having gotten rid of the NXDOMAIN bug, there is nothing specific that I can point to, with my limited operational experience, as being clearly broken.
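The three failure modes named in the reply (an empty AAAA answer that a validator rejects, an NXDOMAIN that poisons the whole name through negative caching, and a dropped query that ends in a timeout) can be shown side by side with a small model. The code below is an added illustration for this archived thread; it is not from the message, the draft, or any IETF or Nominum software. It assumes a constructed zone (`www.example.test`), replaces real RRSIG signatures with an HMAC under a constructed zone key (which the filtering resolver does not hold, so it cannot forge a signed denial), and reduces the NSEC proof of nonexistence to a flag. The negative-caching rule it applies is the RFC 2308 one: an NXDOMAIN is cached for the name, not for the single record type asked about.

```python
"""Model of a AAAA-filtering forwarder in front of a DNSSEC-validating client.

Added illustration only.  RRSIGs are stood in for by an HMAC under a
constructed zone key, and the NSEC denial-of-existence proof is a flag; the
resulting behaviours (bogus, NXDOMAIN negative caching, timeout) follow the
DNSSEC and RFC 2308 rules they model.
"""
import hmac
import hashlib

ZONE_KEY = b"constructed-zone-key"   # stand-in for the zone's private DNSKEY

# Constructed authoritative data for one name.
ZONE = {
    ("www.example.test", "A"):    ["192.0.2.10"],
    ("www.example.test", "AAAA"): ["2001:db8::10"],
}


def sign(name, rtype, rdata):
    """Stand-in RRSIG: covers the canonical form of the whole RRset."""
    canon = f"{name}/{rtype}/" + ",".join(sorted(rdata))
    return hmac.new(ZONE_KEY, canon.encode(), hashlib.sha256).hexdigest()


def authoritative(name, rtype):
    """Authoritative answer: a signed RRset, or a signed proof that none exists."""
    rdata = ZONE.get((name, rtype))
    if rdata is None:
        return {"rcode": "NOERROR", "answer": [], "rrsig": None, "nsec": True}
    return {"rcode": "NOERROR", "answer": rdata,
            "rrsig": sign(name, rtype, rdata), "nsec": False}


def filtering_resolver(name, rtype, policy):
    """Forwarder on an IPv4-only network applying one AAAA policy.

    policy: 'pass' | 'strip' (empty NOERROR) | 'nxdomain' | 'drop' (no reply)
    """
    resp = authoritative(name, rtype)
    if rtype != "AAAA" or policy == "pass":
        return resp
    if policy == "strip":
        # The forwarder has no zone key, so it cannot attach an NSEC proof.
        return {"rcode": "NOERROR", "answer": [], "rrsig": None, "nsec": False}
    if policy == "nxdomain":
        return {"rcode": "NXDOMAIN", "answer": [], "rrsig": None, "nsec": False}
    if policy == "drop":
        return None
    raise ValueError(f"unknown policy {policy!r}")


class ValidatingStub:
    """Client that validates answers and negatively caches NXDOMAIN per name."""

    def __init__(self, policy, retries=3):
        self.policy = policy
        self.retries = retries
        self.negative_cache = set()   # names the client now believes do not exist

    def lookup(self, name, rtype):
        if name in self.negative_cache:
            return "nxdomain-cached"          # never even sent to the resolver
        resp = None
        for _ in range(self.retries):
            resp = filtering_resolver(name, rtype, self.policy)
            if resp is not None:
                break
        if resp is None:
            return "timeout"                  # every retry went unanswered
        if resp["rcode"] == "NXDOMAIN":
            self.negative_cache.add(name)     # RFC 2308: the whole name, every type
            return "nxdomain"
        if resp["answer"]:
            expected = sign(name, rtype, resp["answer"])
            ok = hmac.compare_digest(resp["rrsig"] or "", expected)
            return "secure" if ok else "bogus"
        # An empty answer from a signed zone must carry authenticated denial.
        return "secure-nodata" if resp["nsec"] else "bogus"


def outcomes(policy):
    """AAAA lookup first (as a dual-stack-capable client would), then A."""
    stub = ValidatingStub(policy)
    return {"AAAA": stub.lookup("www.example.test", "AAAA"),
            "A": stub.lookup("www.example.test", "A")}


if __name__ == "__main__":
    for p in ("pass", "strip", "nxdomain", "drop"):
        print(f"{p:9s} {outcomes(p)}")
```

Running it shows why the NXDOMAIN variant was the worst of the three: the `strip` policy makes only the AAAA answer bogus and the A lookup still succeeds, `drop` costs the client its retry budget before it falls back to A, but `nxdomain` is cached for the name itself, so the later A query never leaves the client.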