Re: [DNSOP] [v6ops] [IANA #989438] ipv4only.arpa's delegation should be insecure.

Ted Lemon <mellon@fugue.com> Tue, 19 June 2018 01:36 UTC

References: <rt-4.2.9-2607-1515188710-296.989438-6-0@icann.org> <FAA35F1A-9AD4-4993-9A5C-53A6143B9DE7@isc.org> <43D81243-B2D8-4622-B03D-D20DB7EC243C@apple.com> <DE670372-BF0E-4A81-8DB3-6CC2595B7D8E@isc.org> <CAHw9_iKBiWe4-EgMkT6_rYHDS0QLjbaZ1BYAsg3XkF2368g+rg@mail.gmail.com> <A9DBE612-8260-45D6-9693-6ABA2628CE80@apple.com>
In-Reply-To: <A9DBE612-8260-45D6-9693-6ABA2628CE80@apple.com>
From: Ted Lemon <mellon@fugue.com>
Date: Mon, 18 Jun 2018 21:35:51 -0400
Message-ID: <CAPt1N1mzNa5i42-ATH_1wOq5qoexKTy6qK2vZOo2ipvjYb2axQ@mail.gmail.com>
To: David Schinazi <dschinazi@apple.com>
Cc: IPv6 Operations <v6ops@ietf.org>, Mark Andrews <marka@isc.org>, Michelle Cotton via RT <iana-questions@iana.org>, Stuart Cheshire <cheshire@apple.com>, Warren Kumari <warren@kumari.net>, dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/W_bIZ0ndjzZPpKj7KiijeIzWayI>

You should steal the text from the dot home RFC.

On Mon, Jun 18, 2018 at 9:30 PM David Schinazi <dschinazi@apple.com> wrote:

> Hi, responses inline.
>
> On Tue, Jun 12, 2018 at 11:16 PM Mark Andrews <marka@isc.org> wrote:
>
>> This does not meet my requirements. There is zero need for any part of
>> the normal DNS resolution process to know the IPV4ONLY.ARPA is special
>> if IANA stopped signing the zone.
>
> Could you take a look at draft-cheshire-sudn-ipv4only-dot-arpa please? It
> explains why some parts of the DNS resolution process do need to treat
> ipv4only.arpa as special, regardless of DNSSEC.
>
> On Jun 13, 2018, at 19:19, Warren Kumari <warren@kumari.net> wrote:
>
>
> I read that a few times, and even when squinting I cannot figure out how
> that is supposed to work. Can someone enlighten me? I can see how a signed
> ipv4only.arpa allows a validating DNS64 server to validate the (well
> known!) v4 addresses, but the malicious AAAA RR detection bit confuses me...
>
>
> I agree, there is no point in signing the A records for ipv4only.arpa
> since they are well-known, and for the same reason there is no point in
> checking it. So having A records signed or unsigned is irrelevant since no
> one should be querying for these A records anyway. Similarly, since the
> whole purpose of the AAAA records for ipv4only.arpa is to be overridden by
> a DNS64 recursive resolver which is not owned by .arpa, checking signatures
> will not validate anything useful.
>
> I agree with Mark's point that queries will fail when the client is behind
> a validating resolver that has no special knowledge of ipv4only.arpa.
>
> To resolve this, we'll update draft-cheshire-sudn-ipv4only-dot-arpa to
> mention that ipv4only.arpa MUST NOT be signed.
>
> Thanks,
> David
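As an added illustration of the check Warren asks about (this is not code from the thread, the draft, or RFC 7050): a client following RFC 7050 accepts a AAAA answer for ipv4only.arpa only if it embeds one of the Well-Known IPv4 Addresses (192.0.0.170 and 192.0.0.171, from RFC 7050) at an RFC 6052 position, and derives the NAT64 prefix from that position; an answer that embeds neither cannot be a DNS64 synthesis and is discarded. The order in which prefix lengths are tried is my assumption, not the RFC's.

```python
import ipaddress
from typing import Iterable, Optional

# Well-Known IPv4 Addresses that ipv4only.arpa publishes in its A records (RFC 7050).
WELL_KNOWN_IPV4 = {
    ipaddress.IPv4Address("192.0.0.170").packed,
    ipaddress.IPv4Address("192.0.0.171").packed,
}
# Prefix lengths at which RFC 6052 permits an IPv4 address to be embedded.
# Assumption: tried from /96 (the common 64:ff9b::/96 case) downward, first match wins.
RFC6052_PREFIX_LENGTHS = (96, 64, 56, 48, 40, 32)


def embedded_ipv4(aaaa: bytes, plen: int) -> Optional[bytes]:
    """Return the 4 IPv4 octets embedded in a 16-byte address for prefix length plen,
    or None if the layout is invalid (byte 8, the RFC 6052 'u' octet, must be zero
    for /32 through /64)."""
    if plen == 96:
        return aaaa[12:16]
    if aaaa[8] != 0:
        return None
    if plen == 64:
        return aaaa[9:13]
    # /32../56: the IPv4 octets straddle the u octet, which is skipped.
    head = aaaa[plen // 8 : 8]
    return head + aaaa[9 : 9 + 4 - len(head)]


def discover_pref64(aaaa_answers: Iterable[str]) -> Optional[str]:
    """Derive the NAT64 prefix (as 'prefix/len') from AAAA answers for ipv4only.arpa.

    Only an answer that embeds a Well-Known IPv4 Address at an RFC 6052 position is
    accepted; any other AAAA is ignored, since a DNS64 resolver could not have
    synthesized it from the well-known A records."""
    for answer in aaaa_answers:
        packed = ipaddress.IPv6Address(answer).packed
        for plen in RFC6052_PREFIX_LENGTHS:
            if embedded_ipv4(packed, plen) in WELL_KNOWN_IPV4:
                return str(ipaddress.IPv6Network((packed, plen), strict=False))
    return None


if __name__ == "__main__":
    # Constructed sample answers: a /96 synthesis, a /64 synthesis, and a bogus AAAA.
    print(discover_pref64(["64:ff9b::c000:aa"]))
    print(discover_pref64(["2001:db8:1234:5678:c0:0:aa00:0"]))
    print(discover_pref64(["2001:db8::1"]))
```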