[DNSOP] Re: draft-ietf-dnsop-3901bis
Tobias Fiebig <tobias@fiebig.nl> Fri, 15 August 2025 13:16 UTC
Message-ID: <2d2d7880a20aae52d8754c0ed71271da5ac0fbe9.camel@fiebig.nl>
From: Tobias Fiebig <tobias@fiebig.nl>
To: dnsop@ietf.org
Date: Fri, 15 Aug 2025 15:16:13 +0200
In-Reply-To: <5f8ed59d-e3ac-4415-9f62-e77c418c0420@gmail.com>
References: <f92ed89cf4eac68860c9a45927f20b592ca9a67c.camel@fiebig.nl> <DECC771F-1BDA-46CE-827A-C0CE7399323C@isc.org> <a77e6221e6f2cfe840bc341d212242a4bd315fcf.camel@fiebig.nl> <4A465AC1-2323-4AED-AA0C-9CB56A94CFD8@isc.org> <11B72721-89ED-4BD6-B162-34041B1E55EC@tiesel.net> <5f8ed59d-e3ac-4415-9f62-e77c418c0420@gmail.com>
Subject: [DNSOP] Re: draft-ietf-dnsop-3901bis
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/2XjSSbmUSxnfaoBn0PESRwmRktE>
Moin,

reading the discussion, I seriously believe that this is a viable compromise and the closest we may ever get to consensus on this point. Generally, I also follow your argument.

If anyone has strong opinions to the contrary, please speak up (and ideally attach text or send PRs ;-))!

With best regards,
Tobias

On Thu, 2025-08-14 at 08:21 -0700, Tommy Jensen wrote:
> On 8/13/25 14:36, Philipp S. Tiesel wrote:
> > Hi,
> >
> > > On 13. Aug 2025, at 00:25, Mark Andrews <marka@isc.org> wrote:
> > >
> > > > On 11 Aug 2025, at 20:06, Tobias Fiebig <tobias@fiebig.nl> wrote:
> > > >
> > > > Moin,
> > > >
> > > > On Mon, 2025-08-11 at 19:55 +1000, Mark Andrews wrote:
> > > > > Which only "works" with trivial configurations.
> > > > >
> > > > > What happens if 2.0.0/24 is reachable out interface A and
> > > > > interface B is IPv6 only with a PREF64?
> > > >
> > > > Then I'd say that it is covered by the point being made
> > > > <bcp14>SHOULD</bcp14> and not <bcp14>MUST</bcp14>.
> > >
> > > SHOULD is a cop out. What we are designing SHOULD work everywhere
> > > WITHOUT manual intervention.
>
> I agree SHOULD (making this behavior the default unless some exception
> applies) is inappropriate. I think the presented arguments justify making
> this an option for resolvers who are aware of their XLAT situation, but
> it should be a MAY, meaning the default is to trust the OS stack.
>
> > > Translating IP addresses in a DNS server is unnecessary work. It is
> > > also a security flaw as you are potentially redirecting DNS queries
> > > to places other than where they are intended to go according to the
> > > routing table.
> >
> > If there are no IPv4 routes, there are no security issues. If there
> > are (but no default route) maybe disabling address synthesis and
> > setting up CLAT is easier, but for which use-cases?
> >
> > - Recursors on laptops with split-VPN?
> > - My chaotic VyOS VPN router at home?
>
> This assumes the admin of the DNS resolver is always the same as the
> admin of the system. I suggest this isn't true, and telling the RFC
> readers that the default behavior is to handle address synthesis
> instead of trusting their available OS stack seems a heavy ask unless
> they want to take that responsibility on (which I agree many will or
> even should for the perf reasons presented).
>
> > > > The ways to configure one's own network are endless. What if
> > > > there are two interfaces each with their own PREF64? What if the
> > > > second interface only offers reachability for RFC1918? What if
> > > > the operator has been squatting non-RFC1918 space and the
> > > > 2.0.0.0/24 reachable via interface B is _not_ the one they want
> > > > to use for DNS resolution?
> > >
> > > All the more reason to NOT do this. It's not something that can be
> > > done safely.
> >
> > It is perfectly safe if you have no IPv4 connectivity and much less
> > error-prone than integrating CLAT.
> >
> > The only drawback of doing address synthesis instead of CLAT is that
> > DNS server vendors get additional bug reports for broken network
> > setups that should not have enabled address synthesis in the first
> > place.
>
> Again, this assumes the resolver admin has the option of configuring
> the OS stack. If they do, they MAY optimize this way, but requiring
> them to seems like a leap.
>
> > > > I think that all of that is sufficiently covered by
> > > > <bcp14>SHOULD</bcp14>.
> > > >
> > > > However, to make this more clear, we could add text along the
> > > > lines of:
> > > >
> > > > "Specific operational scenarios may differ. As such, it is
> > > > <bcp14>RECOMMENDED</bcp14> that implementations offer
> > > > configuration options that allow an operator fine-grained control
> > > > of prefixes to exclude from PREF64 based address synthesis."
> > > >
> > > > The general point, though, was brought forward to me by multiple
> > > > operators, who are struggling with the current situation, and
> > > > would appreciate the currently sketched solution.
>
> Agreed! It should be documented here, just optional and not the
> default.
>
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org

--
Dr.-Ing. Tobias Fiebig
T +31 616 80 98 99
M tobias@fiebig.nl
Pronouns: he/him/his
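The mechanism the thread argues about, as an added example that is not part of the thread or of draft-ietf-dnsop-3901bis: a small Python model of a resolver that embeds IPv4 addresses into a PREF64 prefix (the RFC 6052 layout, including the split around the zero "u" octet for prefixes shorter than /64) and applies the operator-configured exclusion list the proposed text asks for, so that IPv4 destinations the host can reach natively (the RFC 1918 and 2.0.0.0/24 cases from the thread) are never steered through NAT64 against the routing table. With no PREF64 configured it synthesizes nothing, which models the MAY/default-to-OS-stack position. All prefixes and A records below are constructed sample values; the function and parameter names are hypothetical.

```python
"""Toy model of PREF64-based AAAA synthesis with operator exclusions (added example)."""
import ipaddress
from typing import Iterable, List, Optional

# RFC 6052 allows an IPv4 address to be embedded only at these prefix lengths.
VALID_PREF64_LENGTHS = (32, 40, 48, 56, 64, 96)


def embed_ipv4(pref64: str, ipv4: str) -> ipaddress.IPv6Address:
    """Embed an IPv4 address into an RFC 6052 IPv4-embedded IPv6 prefix.

    For /96 the IPv4 address simply occupies the last 32 bits.  For shorter
    prefixes the octets are split: those that fit before bit 64 go there,
    bits 64..71 (the "u" octet) stay zero, and the rest follow from bit 72.
    """
    net = ipaddress.IPv6Network(pref64, strict=False)
    if net.prefixlen not in VALID_PREF64_LENGTHS:
        raise ValueError(f"unsupported PREF64 length /{net.prefixlen}")
    v4 = int(ipaddress.IPv4Address(ipv4))
    base = int(net.network_address)
    if net.prefixlen == 96:
        return ipaddress.IPv6Address(base | v4)
    high_octets = (64 - net.prefixlen) // 8      # IPv4 octets placed before "u"
    low_octets = 4 - high_octets                 # IPv4 octets placed after "u"
    high = v4 >> (8 * low_octets)
    low = v4 & ((1 << (8 * low_octets)) - 1)
    # high lands in bits prefixlen..63, low in bits 72..(72 + 8*low_octets - 1)
    bits = base | (high << 64) | (low << (24 + 8 * high_octets))
    return ipaddress.IPv6Address(bits)


def synthesize_aaaa(a_records: Iterable[str], pref64: Optional[str],
                    excluded_v4: Iterable[str] = ()) -> List[str]:
    """Return synthesized AAAA strings for the given A records.

    pref64=None models the default the thread converges on: no synthesis,
    trust the OS stack.  Any A record inside an excluded IPv4 prefix (one the
    operator knows is reachable natively, e.g. via a second interface) is
    skipped so the resolver does not redirect that traffic through NAT64.
    """
    if pref64 is None:
        return []
    excluded = [ipaddress.IPv4Network(p) for p in excluded_v4]
    out: List[str] = []
    for a in a_records:
        v4 = ipaddress.IPv4Address(a)
        if any(v4 in net for net in excluded):
            continue
        out.append(str(embed_ipv4(pref64, a)))
    return out


if __name__ == "__main__":
    # Constructed sample: a dual-interface host with native reachability to
    # 10.0.0.0/8 and 2.0.0.0/24, and the well-known NAT64 prefix as PREF64.
    answers = ["192.0.2.33", "10.1.2.3", "2.0.0.10"]
    print(synthesize_aaaa(answers, "64:ff9b::/96", ["10.0.0.0/8", "2.0.0.0/24"]))
    print(synthesize_aaaa(answers, None))
```

The exclusion list is the whole point of the proposed RECOMMENDED text: with it, a host like the one in Mark Andrews' scenario keeps its IPv4 path for 2.0.0.0/24 and only synthesizes for destinations it genuinely cannot reach natively; without it, every A record would be rewritten regardless of what the routing table says.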