IETF Logo Mail Archive

Re: [DNSOP] [v6ops] WG call for adoption: draft-momoka-v6ops-ipv6-only-resolver-01

Mark Andrews <marka@isc.org> Thu, 06 July 2023 04:48 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11C3AC15199E; Wed, 5 Jul 2023 21:48:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="jilQ2b/R"; dkim=pass (1024-bit key) header.d=isc.org header.b="HLSYEFSJ"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JgTwpfWvcYeb; Wed, 5 Jul 2023 21:48:37 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D63DC15106F; Wed, 5 Jul 2023 21:48:36 -0700 (PDT)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.2.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id BBD603AB206; Thu, 6 Jul 2023 04:48:36 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org BBD603AB206
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.31
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1688618916; cv=none; b=qJvwPcq458yD6tjB4oRnnStzmsLyMegGHP8aEugiz5/0jipJozy67SnZNgVkr4Q43f2xdo3o6ikM5QQrFW4zOab6f0pJ3pNZMJ3FoJuxOkDtN42N3htO4P7ZIqzTlC+vUsE/eKTaF4pcIpoNCkdWWIs/QiwPfYWR5cgnRqrv8GY=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1688618916; c=relaxed/relaxed; bh=Y8PfMjctVlQF+KEDXxCTJ7VyjBQcEEjIWmycbAVteoc=; h=DKIM-Signature:DKIM-Signature:From:Mime-Version:Subject:Date:To: Message-Id; b=ESZyUR5e057+XibeGWoTqwLUEd9wUDLFCuN5+Db5OtJCr92BzEh12ikYlO3f5ZUvOw4eHoCoMk9iCKazEr0xoC7AVWSwiRgLbXlkxQRSHhTkw2nGRRgENQhQBmMFO9EyuySmxQuS/smrAnr3Za1Fwj98hEzPKFFHIRwRI2MVDiI=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org BBD603AB206
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1688618916; bh=TlFs/yj3OoCwqrfdzEv5U5yEPSvqj7+Nh9eS74r9U/Q=; h=From:Subject:Date:References:To:In-Reply-To; b=jilQ2b/RNyCODXQcfFx1dZR1m1h+ajTzFKhX99gDTczhVAKFcktbepllDZyTd/M2S X4ziLmvcnOYDujnaGCX/eBQRnPyvJu5pRiisZhQBDcgj9KT9D+fK2aGzuOSdFlCNhl N8SviMuphDjkP9cSJ/3+5khcId4h+OgkZJxL0m/A=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id B6A29AC5D4E; Thu, 6 Jul 2023 04:48:36 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 94B83AC5D5E; Thu, 6 Jul 2023 04:48:36 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 94B83AC5D5E
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1688618916; bh=Y8PfMjctVlQF+KEDXxCTJ7VyjBQcEEjIWmycbAVteoc=; h=From:Mime-Version:Date:To:Message-Id; b=HLSYEFSJsS7ww76lCPs+98MMepeYLJ7nda7vKeTZ5eTs+lZfOJhiNCpTjQG1QHnHc TW6D8e4NaKKvGgzGFxu6+TJ+fYB7uMhGVqeNv8nkd3tEJDoFwRHW9FkmRgtCQRN+eU xiAYu/yXGX4WAw+ow6VTAJLMQuPdpvhpTDX9UZVE=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id OjAphGUW5jpz; Thu, 6 Jul 2023 04:48:36 +0000 (UTC)
Received: from smtpclient.apple (n49-187-27-239.bla1.nsw.optusnet.com.au [49.187.27.239]) by zimbrang.isc.org (Postfix) with ESMTPSA id C7DC0AC5D4E; Thu, 6 Jul 2023 04:48:35 +0000 (UTC)
From: Mark Andrews <marka@isc.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
Date: Thu, 06 Jul 2023 14:48:23 +1000
References: <3aa8a8391e514695a94d21c1f400ea20@huawei.com> <ed3a9be7-1502-2e82-b86e-0dda8954ecac@foobar.org> <b641c65e-1725-ee93-c585-d5d3774d3b21@hit.bme.hu> <8d2c5a73-a041-e88b-3ee9-8a2dd2850639@foobar.org> <CAGB08_ct6xY_neHpLLUXjxku50yM8FGXsSXHLYLXqtL-jXSpvw@mail.gmail.com> <CAD9w2qYYcjy1_K9SvFVSUHdx6Q44LeLq+xMtt_-mfmqn=OAN6g@mail.gmail.com> <CADyWQ+FQ5GZN-5DPH7T+mqHqojCJgCNKWcLTjrnov4Viq69Cqg@mail.gmail.com> <0AD2119D-80CA-4060-97DD-E7F8182809BA@isc.org> <CAPt1N1msMvOe7HbXRSxAPx3kjQ7Q0tgOF+uaCAiyWuzRTQ_NQQ@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>, dnsop <dnsop@ietf.org>, list <v6ops@ietf.org>
In-Reply-To: <CAPt1N1msMvOe7HbXRSxAPx3kjQ7Q0tgOF+uaCAiyWuzRTQ_NQQ@mail.gmail.com>
Message-Id: <2541CB5D-BB67-4E1A-9A39-F03783B7BE79@isc.org>
X-Mailer: Apple Mail (2.3731.600.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/BgArCX6bsZj4eE3zQpsvM7TMiyk>
Subject: Re: [DNSOP] [v6ops] WG call for adoption: draft-momoka-v6ops-ipv6-only-resolver-01
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jul 2023 04:48:41 -0000


> On 6 Jul 2023, at 12:32, Ted Lemon <mellon@fugue.com> wrote:
> 
> It’s not a problem to validate before translating if you’re a full service resolver. 

Ted you are missing the point.  It is impossible to *reliably* run a validating client
behind a DNS64 server.  DNS64 uses CD in a manner that is *incompatible* with DNSSEC.
Sure as long as the DNS64 server *always* gets good answers you can “get away with it”
but once you don’t things break.

In DNSSEC
CD=1 is for when the recursive validating resolver has bad time / trust anchors
CD=0 is ensures the cache returns answers that can validate as secure (the server is
supposed to try multiple sources as it is required to “treat as never having arrived”
responses that don’t validate)

“Always send CD=1” is stupid advice.  I tried to prevent it being published in the
first place.

If the DNS64 server happens to lock onto a bad source of data or is losing the race
with spoofed responses the client will never get anything that validates as secure as:
CD=1 the bad data is passed through or returned from the cache.
CD=0 the DNS64 server produces responses that don’t validate.

Anything that further promotes the use of a BROKEN protocol should not be published.

Mark

> Op wo 5 jul 2023 om 21:10 schreef Mark Andrews <marka@isc.org>
> I’ll repeat that it is a bad idea to make this an RFC.  I’m saying this despite adding
> this to named. 
> 
> It is perpetuating DNS64 which does not work with DNSSEC.  It sends the wrong signal
> that DNS64 is a good protocol to deploy when we know that it breaks lots of things.
> 
> The better solution would be to improve the automatic installation of 464XLAT (RFC6877)
> support in nodes.  There is already a RA PREF64 option (RFC8781) to signal that NAT64 is
> available on the network and that works for all applications on the node, not just the
> nameserver.
> 
> Similarly for DS-Lite.
> 
> Linux has https://github.com/toreanderson/clatd
> FreeBSD has 464XLAT support built in since FreeBSD 11.3
> 
> While CLAT is not everywhere there yet it is definitely on the way.
> https://blog.apnic.net/2022/11/21/deploying-ipv6-mostly-access-networks/
> 
> I really don’t know why we are just not saying if you want to run a DNS64 server behind
> a IPv6 only link install CLAT support if it is not already available.
> 
> 
> > On 6 Jul 2023, at 01:12, Tim Wicinski <tjw.ietf@gmail.com> wrote:
> > 
> > Momoka
> > 
> > Thanks for making DNSOP aware of this.  We encourage anyone with comments on the document adoption to reach out.
> > 
> > Everything I've heard and read on this work (wearing no hats) is that this is good work and should be adopted.
> > 
> > thanks
> > tim
> > 
> > 
> > 
> > On Tue, Jul 4, 2023 at 5:15 AM Momoka Yamamoto <momoka.my6@gmail.com> wrote:
> > Dear dnsop wg 
> > cc:v6ops wg
> > 
> > My name is Momoka, the author of the draft-momoka-v6ops-ipv6-only-resolver. This draft, which has already been introduced to the V6OPS Working Group, aims to address a pertinent operational issue: facilitating the transport of query packets from an IPv6-only iterative resolver to an IPv4-only authoritative DNS server.
> > 
> > In light of some suggestions in V6OPS and considering the overlapping interests, I am introducing this draft to the DNSOP Working Group. Its core proposition lies in the mechanics of transporting query packets rather than the alteration of the DNS protocol behavior, but the operational context undoubtedly makes this draft relevant to both groups.
> > 
> > Here are links to the draft and the ongoing discussions in V6OPS:
> > 
> > 1. Draft: https://datatracker.ietf.org/doc/draft-momoka-v6ops-ipv6-only-resolver/
> > 2. V6OPS Thread: https://mailarchive.ietf.org/arch/msg/v6ops/uNrPNbeUtA_D0xzqLfq5dNQ85OY/
> > 
> > 
> > Currently, there is an adoption call in V6OPS for this draft set to end on July 10, 2023. Your opinion, input, and suggestions will be highly valued as we explore and progress this topic. I look forward to fruitful and enlightening discussions.
> > 
> > Best regards,
> > 
> > Momoka Yamamoto
> > momoka.my6@gmail.com
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
> > _______________________________________________
> > v6ops mailing list
> > v6ops@ietf.org
> > https://www.ietf.org/mailman/listinfo/v6ops
> 
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
> 
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.34.0 | Report a Bug | By Email | System Status