Re: [dnsop] WGLC for draft-huston-6to4-reverse-dns-04.txt
Pekka Savola <pekkas@netcore.fi> Mon, 20 March 2006 02:03 UTC
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FL9k8-0000gu-Ga for dnsop-archive@lists.ietf.org; Sun, 19 Mar 2006 21:03:36 -0500
Received: from mailapps.uoregon.edu ([128.223.142.45]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FL9k8-0004YN-1t for dnsop-archive@lists.ietf.org; Sun, 19 Mar 2006 21:03:36 -0500
Received: from mailapps.uoregon.edu (IDENT:U2FsdGVkX1/vLBz+C978Jru88LzDSCN/+lF59JhfVks@localhost [127.0.0.1]) by mailapps.uoregon.edu (8.13.5/8.13.5) with ESMTP id k2K1O7cA008314; Sun, 19 Mar 2006 17:24:07 -0800
Received: (from majordom@localhost) by mailapps.uoregon.edu (8.13.5/8.13.5/Submit) id k2K1O6sc008313; Sun, 19 Mar 2006 17:24:06 -0800
Received: from netcore.fi (netcore.fi [193.94.160.1]) by mailapps.uoregon.edu (8.13.5/8.13.5) with ESMTP id k2K1O5Fd008308 for <dnsop@lists.uoregon.edu>; Sun, 19 Mar 2006 17:24:06 -0800
Received: from netcore.fi (localhost [127.0.0.1]) by netcore.fi (8.12.8/8.12.8) with ESMTP id k2K1O1Ha008429; Mon, 20 Mar 2006 03:24:02 +0200
Received: from localhost (pekkas@localhost) by netcore.fi (8.12.8/8.12.8/Submit) with ESMTP id k2K1O1DU008426; Mon, 20 Mar 2006 03:24:01 +0200
Date: Mon, 20 Mar 2006 03:24:01 +0200
From: Pekka Savola <pekkas@netcore.fi>
To: Peter Koch <pk@denic.de>
cc: IETF DNSOP WG <dnsop@lists.uoregon.edu>
Subject: Re: [dnsop] WGLC for draft-huston-6to4-reverse-dns-04.txt
In-Reply-To: <20060309193624.GF1164@unknown.office.denic.de>
Message-ID: <Pine.LNX.4.64.0603200318220.7448@netcore.fi>
References: <20060309193624.GF1164@unknown.office.denic.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-Virus-Scanned: ClamAV 0.88/1342/Sun Mar 19 13:40:32 2006 on mailapps
X-Virus-Scanned: ClamAV 0.88/1338/Sun Mar 19 02:04:12 2006 on otso.netcore.fi
X-Virus-Status: Clean
X-Spam-Status: No, score=-2.8 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_20 autolearn=ham version=3.1.0
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on otso.netcore.fi
Sender: owner-dnsop@lists.uoregon.edu
Precedence: bulk
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 5d7a7e767f20255fce80fa0b77fb2433
On Thu, 9 Mar 2006, Peter Koch wrote: > Please send comments and statements of support or objection to the > WG mailing list. We'd like to ask for at least five substantive reviews. I support the spec. I have three bigger issues with the doc, described below but easily fixable, as well as a couple of editorial comments. 1) "password-based authentication deployed but not documented" 2) "is it OK to have all the DNS servers at the 6to4 site?" 3) "ability for upstream to block 6to4 delegations is inappropriate" In addition, there is more of a meta-question raised by Mark Andrews. In my opinion, the real issue is whether the whether this solves the problem for sufficiently large/interesting subset of 6to4 users or whether we need something else instead or in addition. substantial ----------- 1) "password-based authentication deployed but not documented" The delegation system is proposed to be self-driven by clients residing within 6to4 networks. The server's delegation function is proposed to be accessible only by clients using 6to4 IPv6 source addresses, and the only delegation that can be managed is that corresponding to the /48 prefix of the IPv6 source address of the client. ==> the latter sentence does not match the service as implemented today. It's possible to access the delegation function by optional password authentication. I'd suggest one of the following, with personal bias towards either of the first two: a) describe the auth service as well (I'd like security folks review it), b) remove the auth service from the implementation, or c) massage the text a bit so that it doesn't imply normativeness (".. additional authentication methods may be used as necessary..") 2) "is it OK to have all the DNS servers at the 6to4 site?" The delegation servers are checked by the delegation manager to ensure that they are responding, that they are configured consistently and are authoritative for the delegated domain. (also a bit later..) ==> is it OK that all the auth servers are under the same 6to4 prefix (but different IPs)? This seems something that should probably be checked and prohibited, as if one server would go down, the other would also likely do so... 3) "ability for upstream to block 6to4 delegations is inappropriate" There may be circumstances with an IPv4 address controller wishes to "block" the ability for "children" to use this 6to4 scheme. Scenarios that would motivate this concern would include situations when the IPv4 provider is also offering an IPv6 service, and native IPv6 should be deployed instead of 6to4. In such circumstances the 2002 zone operator should allow for such a delegation blocking function upon application to the delegation zone operator. ==> I believe this doesn't make sense on various levels. First of all, the operators shouldn't be in the business of specifying what their users can or can't do: if they wish to block 6to4, they can just put in ACL to block proto-41 (or appropriate portions of it) -- there is nothing needed in the delegation system to provide additional capabilities for this. Additionally, it's perfectly valid scenario to run 6to4 as an optimization mechanism (see RFC3956 for details), on the side with native addressing. This could block reverse DNS delegations in such cases. In short, the whole paragraph should be removed as unnecessary and even harmful. editorial --------- domain. The client is primarily authenticated by it's source address ==> s/it's/its/ This address structure allows any site that is connected to the IPv4 Internet the ability to use IPv6 via automatically created IPv6 over IPv4 tunnels. ==> "any site" is not accurate as the site is required to have a public v4 address; minor reword.. The zone files containing the end site delegations are proposed to be operated with a TTL (configured to be a time value in the scale of hours rather than days or weeks), and updates from delegation requests are to be made using incremental DNS updates [RFC2136]. ==> it may be worth spelling out that you're talking about DNS updates between the web interface and authoritative servers; the clients don't perform any DNS updates. o IPv4 DHCP-based 6to4 sites could inherit nonsense reverse entries created by previous users of the DHCP address. In this case the client site could request delegation of the reverse zone as required. ==> it may be worth adding a forward pointer to the periodic cleanup check, which should mitigate this problem a bit. 7. References ==> rename this to Informative References and maybe put RFC3056 under normative references. -- Pekka Savola "You each name yourselves king, yet the Netcore Oy kingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings . dnsop resources:_____________________________________________________ web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
- Re: [dnsop] WGLC for draft-huston-6to4-reverse-dn… Mark Andrews
- [dnsop] WGLC for draft-huston-6to4-reverse-dns-04… Peter Koch
- [dnsop] Re: WGLC for draft-huston-6to4-reverse-dn… Pekka Savola
- Re: [dnsop] WGLC for draft-huston-6to4-reverse-dn… Pekka Savola
- Re: [dnsop] WGLC for draft-huston-6to4-reverse-dn… Geoff Huston
- [dnsop] Re: WGLC for draft-huston-6to4-reverse-dn… Peter Koch
- Re: [dnsop] WGLC for draft-huston-6to4-reverse-dn… Olaf M. Kolkman
- [dnsop] Re: WGLC for draft-huston-6to4-reverse-dn… Peter Koch