IETF Logo Mail Archive

Re: [DNSOP] AD sponsoring draft-cheshire-sudn-ipv4only-dot-arpa

JORDI PALET MARTINEZ <jordi.palet@consulintel.es> Sat, 07 July 2018 11:51 UTC

Return-Path: <prvs=1726381e16=jordi.palet@consulintel.es>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F56D130E05 for <dnsop@ietfa.amsl.com>; Sat, 7 Jul 2018 04:51:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=consulintel.es
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4vSlUwz2otMF for <dnsop@ietfa.amsl.com>; Sat, 7 Jul 2018 04:51:07 -0700 (PDT)
Received: from mail.consulintel.es (mail.consulintel.es [IPv6:2001:470:1f09:495::5]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E433130DC5 for <dnsop@ietf.org>; Sat, 7 Jul 2018 04:51:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=consulintel.es; s=MDaemon; t=1530964264; x=1531569064; i=jordi.palet@consulintel.es; q=dns/txt; h=User-Agent:Date: Subject:From:To:Message-ID:Thread-Topic:References:In-Reply-To: Mime-version:Content-type; bh=mLrU6LHdyrnVjVi7i4FTOiYDbIOBap6zKm Gp3SCnMtU=; b=s9OZIQlgtz4hRTIylP3dij2otp+yGM7BA5i7R6/D2Ed6SCYa2s IPNhcaR1MKWA9LUzpxXst/APrCx5qKNDpZ/palbhfzM3kvDAO//K6ECojyKbgVKF IxVOA9qU6kctmZY7PouAhLtqVA/wp6emJVPSwM6geRQHCAzmjjwanXuEI=
X-MDAV-Result: clean
X-MDAV-Processed: mail.consulintel.es, Sat, 07 Jul 2018 13:51:04 +0200
X-Spam-Processed: mail.consulintel.es, Sat, 07 Jul 2018 13:51:02 +0200
Received: from [10.10.10.99] by mail.consulintel.es (MDaemon PRO v16.5.2) with ESMTPA id md50005807966.msg for <dnsop@ietf.org>; Sat, 07 Jul 2018 13:51:00 +0200
X-MDRemoteIP: 2001:470:1f09:495:d455:dcec:2858:94d5
X-MDHelo: [10.10.10.99]
X-MDArrival-Date: Sat, 07 Jul 2018 13:51:00 +0200
X-Authenticated-Sender: jordi.palet@consulintel.es
X-Return-Path: prvs=1726381e16=jordi.palet@consulintel.es
X-Envelope-From: jordi.palet@consulintel.es
X-MDaemon-Deliver-To: dnsop@ietf.org
User-Agent: Microsoft-MacOutlook/10.e.1.180613
Date: Sat, 07 Jul 2018 13:50:59 +0200
From: JORDI PALET MARTINEZ <jordi.palet@consulintel.es>
To: Warren Kumari <warren@kumari.net>, dnsop <dnsop@ietf.org>
Message-ID: <110F5073-B0BE-4DE0-AC68-F7D2BC3479EF@consulintel.es>
Thread-Topic: [DNSOP] AD sponsoring draft-cheshire-sudn-ipv4only-dot-arpa
References: <CAHw9_iK605yw--xE0NutaF=r+MfmmT2cBj9eNnSOh4Swkx=_QQ@mail.gmail.com>
In-Reply-To: <CAHw9_iK605yw--xE0NutaF=r+MfmmT2cBj9eNnSOh4Swkx=_QQ@mail.gmail.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3613816259_1921160357"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Eyl59gntBH0Yxm--ddidGrdduOs>
Subject: Re: [DNSOP] AD sponsoring draft-cheshire-sudn-ipv4only-dot-arpa
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Jul 2018 11:51:10 -0000

Hi Warren,

 

I agree this is needed, as RFC7050 is widely implemented, even in the case of RFC8305 for allowing a somehow “equivalent” functionality as the CLAT for literal addresses.

 

For the same reasons this document mention, in draft-ietf-v6ops-nat64-deployment, I have:

 

   The learning of the IPv6 prefix could be solved by means of adding

   the relevant AAAA records to the ipv4only.arpa. zone of the service

   provider recursive servers, i.e., if using the WKP (64:ff9b::/96):

               ipv4only.arpa.  SOA     . . 0 0 0 0 0

               ipv4only.arpa.  NS      .

               ipv4only.arpa.  AAAA    64:ff9b::192.0.0.170

               ipv4only.arpa.  AAAA    64:ff9b::192.0.0.171

               ipv4only.arpa.  A       192.0.0.170

               ipv4only.arpa.  A       192.0.0.171

 

and:

8. IANA Considerations

This document does not have any new specific IANA considerations.

Note: This section is assuming that https://www.rfc-editor.org/errata/eid5152 is resolved, otherwise, this section may include the required text to resolve the issue.

 

So I support this.

 

I wonder if we should ask DNSOP WG to reconsider this as a WG document and proceed the normal way.


Regards,

Jordi

 

 

 

De: DNSOP <dnsop-bounces@ietf.org> en nombre de Warren Kumari <warren@kumari.net>
Fecha: miércoles, 4 de julio de 2018, 22:27
Para: dnsop <dnsop@ietf.org>
Asunto: [DNSOP] AD sponsoring draft-cheshire-sudn-ipv4only-dot-arpa

 

Dear DNSOP,

Stuart Cheshire & David Schinazi have asked me to AD sponsor the draft-cheshire-sudn-ipv4only-dot-arpa document

​[0]​

.

>From the document:
"The specification for how a client discovers its network's NAT64 prefix [RFC7050] defines the special name 'ipv4only.arpa' for this purpose, but declares it to be a non-special name in that specification Domain Name Reservation Considerations section.
Consequently, despite the well articulated special purpose of the name, 'ipv4only.arpa' was not recorded in the Special-Use Domain Names registry as a name with special properties.
This document formally declares the actual special properties of the name, and adds similar declarations for the corresponding reverse mapping names."

RFC7050 ("Discovery of the IPv6 Prefix Used for IPv6 Address Synthesis") is worth reading before reading this. If you are mainly a DNS person, 

​this may be...surprising.



When reading draft-cheshire-sudn-ipv4only-dot-arpa there are a few things 

​worth

 keeping in mind:

1: This is a fairly specialized function - it is used by NAT64 clients to discover the prefix used for synthesis ("normal" people / applications never need to resolve this). The main people who will deal with this are mobile / stack vendors, and NAT64 providers.
2: RFC7050 has a large amount of text around DNSSEC, what to do with DNSSEC, etc. Note that this DNSSEC is for the FQDN of the *NAT64 device*, not the ipv4only.arpa name.
3: Devices use this mechanism to discover the IPv6 prefix used for IPv6 address synthesis - different interfaces (e.g cellular and wifi) will have different prefixes. This means that clients
must

​ ​

do this query using the resolver learned on / appropriate for that interface. This is the main bit which is weird for a DNS person - the response from the resolver for your cellular interface connected to T-Mobile contains T-Mobile's NAT64 prefix; the response from the resolver learnt over your wifi connection to the IETF network contains the NAT64 prefix you use on the IETF network. DNS isn't really being used here for resolving names, rather DNS is being used a signalling mechanism (a rude t-shirt springs to mind here). 

What this draft does is:
1: record this in

​ ​

the SUDN registry; RFC7050 answered the RFC6761 questions, but didn't actually ask the IANA to update the registry.
2: requests that the IANA make ipv4only.arpa be an insecure delegation (see #2 above) - 

​this removes some special handling and complexity.​


3: specifies that you have to use the resolvers learn on an interface for these queries. The whole purpose of these queries is to learn the *local* NAT64 prefix - asking a public recursive isn't going to help you here.
4: This is under .arpa (and is already in wide use) - it doesn't have the sticky policy problems that many SUD names have.

I've 

​agreed

 to AD sponsor this, but would really appreciate your review and input. RFC7050 is deployed - this improves / clarifies things.

1: The authors have previously presented this document at DNSOP meetings - there was some discussion, but no real interest in adopting or shouts of outrage about it.
2: I've asked the DNSOP chairs if I can use the DNSOP list for discussion of this

​ ​

(and they agreed)
3: This was originally a product of the (now closed) BEHAVE WG - I've spoken with Spencer (the BEHAVE AD) who has no objections.
4: I've asked the IESG and there were no objections either.
5: As this touches .arpa I'm also asking the IAB for input.
6: Dave Thaler (who was the document shepherd for RFC7050) has kindly agreed to be shepherd for this document too.

W

[0]: note that they asked this before the current "ipv4only.arpa's delegation should be insecure." thread - https://mailarchive.ietf.org/arch/msg/dnsop/zbcQhok-dCE8kh6C6KofBL1tAXY

--
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
   ---maf

_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop 



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

v2.23.0 | Report a Bug | By Email