[DNSOP] FYI - in v6OPS today - IPv6-Ready DNS/DNSSEC Infrastructure

Dan York <york@isoc.org> Mon, 05 November 2018 02:40 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/0BQdx4qqVHU_UwavcvBfwJdwx1E>

FYI, in the v6ops working group right now in Meeting 1 on the 7th floor, there is a draft that will be discussed (after two other drafts are discussed) that is:

IPv6-Ready DNS/DNSSEC Infrastructure

https://tools.ietf.org/html/draft-bp-v6ops-ipv6-ready-dns-dnssec-00

Abstract:

   This document defines the timing for implementing a worldwide
   IPv6-Ready DNS and DNSSEC infrastructure, in order to facilitate the
   global IPv6-only deployment.

   A key issue for this, is the need for a global support of DNSSEC and
   DNS64, which in some scenarios do not work well together.  This
   document states that any DNSSEC signed resources records should
   include a native IPv6 resource record as the most complete and
   expedient path to solve any deployment conflict with DNS64 and DNSSEC.

Slides: https://datatracker.ietf.org/meeting/103/materials/slides-103-v6ops-ipv6-ready-dnsdnssec-infrastructure-00

The key point is the conflict between DNS64 and DNSSEC, as described in the draft here:

   DNS64 ([RFC6147]) is a widely deployed technology allowing hundreds
   of millions of IPv6-only hosts/networks to reach IPv4-only resources.
   DNSSEC is a technology used to validate the authenticity of
   information in the DNS, however, as DNS64 ([RFC6147]) modifies DNS
   answers and DNSSEC is designed to detect such modifications, DNS64
   ([RFC6147]) can break DNSSEC in some circumstances.

I'm passing it along in case others were, like me, not paying attention to this draft.

Dan

--
Dan York
Director, Content & Web Strategy, Internet Society
york@isoc.org   +1-802-735-1624
Jabber: york@jabber.isoc.org  Skype: danyork   http://twitter.com/danyork

http://www.internetsociety.org/
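
The DNS64/DNSSEC conflict quoted from the draft above, as an added example that is not part of the original message or of the draft: a DNS64 resolver builds an AAAA record the zone owner never signed, so a validating client has no RRSIG covering it. The sketch assumes the RFC 6052 well-known prefix `64:ff9b::/96`; the function names are hypothetical, and the `has_valid_rrsig` flag stands in for real DNSSEC validation.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix (assumption: operators may instead use a
# network-specific prefix, which the client would then have to learn).
WKP = ipaddress.IPv6Network("64:ff9b::/96")

def synthesize_aaaa(ipv4, prefix=WKP):
    """What a DNS64 resolver does: embed the A record's address in a /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example handles /96 prefixes only")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))

def embedded_ipv4(aaaa, prefix=WKP):
    """Return the IPv4 address inside a synthesized AAAA, or None if it is native."""
    addr = ipaddress.IPv6Address(aaaa)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)

def dns64_may_synthesize(do_bit, cd_bit):
    """RFC 6147 DNSSEC processing: with DO=1 and CD=1 the client validates
    for itself, so the resolver must not hand it a synthesized answer."""
    return not (do_bit and cd_bit)

def classify_answer(aaaa, has_valid_rrsig, prefix=WKP):
    """Verdict a validating stub resolver would reach for one AAAA answer.
    has_valid_rrsig is a placeholder for an actual signature check."""
    if has_valid_rrsig:
        return "secure"
    v4 = embedded_ipv4(aaaa, prefix)
    if v4 is not None:
        # Nothing signed covers this record: validate the original A RRset.
        return f"synthesized: validate the A RRset for {v4} instead"
    return "unsigned"

if __name__ == "__main__":
    # Constructed sample: 192.0.2.33 is a documentation address.
    aaaa = synthesize_aaaa("192.0.2.33")
    print(aaaa, "->", classify_answer(str(aaaa), has_valid_rrsig=False))
    print("2001:db8::1 ->", classify_answer("2001:db8::1", has_valid_rrsig=True))
```

A zone that publishes its own signed AAAA record, which is what the draft asks for, never reaches the synthesis path.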