Re: [DNSOP] [v6ops] [IANA #989438] ipv4only.arpa's delegation should be insecure.
Philip Homburg <pch-v6ops-8@u-1.phicoh.com> Wed, 13 June 2018 10:13 UTC
Message-Id: <m1fT2lY-0000IHC@stereo.hq.phicoh.net>
To: v6ops@ietf.org
Cc: David Schinazi <dschinazi@apple.com>, Mark Andrews <marka@isc.org>,
Stuart Cheshire <cheshire@apple.com>,
Michelle Cotton via RT <iana-questions@iana.org>, dnsop <dnsop@ietf.org>
From: Philip Homburg <pch-v6ops-8@u-1.phicoh.com>
Sender: pch-bCE2691D2@u-1.phicoh.com
References: <rt-4.2.9-2607-1515188710-296.989438-6-0@icann.org>
<FAA35F1A-9AD4-4993-9A5C-53A6143B9DE7@isc.org>
<43D81243-B2D8-4622-B03D-D20DB7EC243C@apple.com>
In-reply-to: Your message of "Tue, 12 Jun 2018 19:28:16 -0700 ."
<43D81243-B2D8-4622-B03D-D20DB7EC243C@apple.com>
Date: Wed, 13 Jun 2018 12:12:28 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/QFGqlvNDxSHGIisj2ghXRJlf47I>
> https://tools.ietf.org/html/draft-cheshire-sudn-ipv4only-dot-arpa
>
> From Section 6.2:
>
> 3. Name resolution APIs and libraries MUST recognize 'ipv4only.arpa' as
> special and MUST give it special treatment. Regardless of any manual
> client DNS configuration, DNS overrides configured by VPN client
> software, or any other mechanisms that influence the choice of the
> client's recursive resolver address(es) (including client devices that
> run their own local recursive resolver and use the loopback address as
> their configured recursive resolver address) all queries for
> 'ipv4only.arpa' and any subdomains of that name MUST be sent to the
> recursive resolver learned from the network via IPv6 Router
> Advertisement Options for DNS Configuration [RFC6106] or via DNS
> Configuration options for DHCPv6 [RFC3646].

First we introduce ipv4only.arpa as a hack to avoid creating/deploying a
suitable mechanism to communicate the NAT64 translation prefix. That's fine
with me.

But when that hack then requires changes to every possible DNS stub resolver
implementation in the world, there is something seriously wrong.

So if this is indeed required to make RFC7050 work then it is better to
formally deprecate RFC7050 and focus on other ways to discover the
translation prefix. It seems that at least one already exists (RFC7225) so
not much is lost.
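For readers who have not looked at the mechanism the thread is arguing over, the following is an added illustration, not part of Philip Homburg's message, the draft, or any IETF reference implementation. It implements the RFC 7050 heuristic: a DNS64 in the network's resolver synthesizes AAAA records for ipv4only.arpa (whose zone only holds A records for 192.0.0.170 and 192.0.0.171), and the host recovers the Pref64::/n by locating one of those two IPv4 addresses inside the AAAA answer at the RFC 6052 embedding positions. The two resolver answer sets at the bottom are constructed, and the function and constant names are my own; what the code demonstrates is why the draft's rule 3 exists: a stub that sends the query to a VPN-supplied or loopback resolver instead of the RA/DHCPv6-learned one gets the authentic (AAAA-less) answer and discovers nothing.

```python
import ipaddress

# RFC 7050: the ipv4only.arpa zone holds only A records for these two addresses.
WELL_KNOWN_V4 = {ipaddress.IPv4Address("192.0.0.170"),
                 ipaddress.IPv4Address("192.0.0.171")}
# RFC 6052 prefix lengths at which an IPv4 address may be embedded in an IPv6 address.
PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def embedded_ipv4(addr, plen):
    """Extract the IPv4 address embedded in `addr` for an RFC 6052 prefix of length `plen`.

    For /40, /48 and /56 the IPv4 address is split around the reserved 'u' octet
    (bits 64-71); for /64 it sits entirely after it; for /96 it is the low 32 bits."""
    b = addr.packed
    if plen == 96:
        v4 = b[12:16]
    elif plen == 64:
        v4 = b[9:13]
    else:
        start = plen // 8
        head = b[start:8]                     # bytes before the 'u' octet
        v4 = head + b[9:9 + 4 - len(head)]    # remainder after the 'u' octet
    return ipaddress.IPv4Address(v4)


def pref64_from_aaaa(aaaa_answers):
    """RFC 7050 Section 3 heuristic.

    Walk the AAAA records returned for ipv4only.arpa and, for each candidate
    prefix length, test whether a well-known IPv4 address is embedded there.
    Returns the discovered Pref64::/n, or None when no record carries one,
    which is what a host sees when no DNS64 is in the resolution path."""
    for text in aaaa_answers:
        addr = ipaddress.IPv6Address(text)
        b = addr.packed
        for plen in PREFIX_LENGTHS:
            # RFC 6052: bits 64-71 must be zero when they lie outside the prefix.
            if plen < 72 and b[8] != 0:
                continue
            if embedded_ipv4(addr, plen) in WELL_KNOWN_V4:
                return ipaddress.IPv6Network((addr, plen), strict=False)
    return None


def synthesize(pref64, ipv4):
    """What a DNS64 does when synthesizing an AAAA record: embed `ipv4` into
    `pref64` using the RFC 6052 layout for that prefix length."""
    plen = pref64.prefixlen
    out = bytearray(pref64.network_address.packed)   # host bits (incl. 'u') are zero
    v4 = ipaddress.IPv4Address(ipv4).packed
    if plen == 96:
        out[12:16] = v4
    elif plen == 64:
        out[9:13] = v4
    else:
        start = plen // 8
        n = 8 - start
        out[start:8] = v4[:n]
        out[9:9 + 4 - n] = v4[n:]
    return ipaddress.IPv6Address(bytes(out))


def discover_via(resolver):
    """Constructed stand-in for 'send AAAA ipv4only.arpa to this resolver'.
    `resolver` maps a query name to the list of AAAA rdata it would return."""
    return pref64_from_aaaa(resolver.get("ipv4only.arpa", []))


# Constructed answers for the two resolver choices the draft's rule 3 distinguishes.
NETWORK_PREF64 = ipaddress.IPv6Network("64:ff9b::/96")
RA_LEARNED_DNS64 = {          # resolver learned via RA/DHCPv6, with DNS64 enabled
    "ipv4only.arpa": [str(synthesize(NETWORK_PREF64, "192.0.0.170")),
                      str(synthesize(NETWORK_PREF64, "192.0.0.171"))],
}
VPN_OR_LOOPBACK_RESOLVER = {  # bypasses the network's DNS64: authentic zone data only
    "ipv4only.arpa": [],      # the real zone has A records and no AAAA records
}


if __name__ == "__main__":
    print("via network DNS64 :", discover_via(RA_LEARNED_DNS64))
    print("via VPN/loopback  :", discover_via(VPN_OR_LOOPBACK_RESOLVER))
```

The synthesized AAAA records are, by construction, not what the authoritative ipv4only.arpa servers serve, so a validating stub would reject them if the zone were signed; that is the reason the thread's subject asks for an insecure delegation, and the same property is what makes the mechanism depend on which resolver the stub happens to ask.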