[DNSOP] FYI - in v6OPS today - IPv6-Ready DNS/DNSSSEC Infrastructure

Dan York <york@isoc.org> Mon, 05 November 2018 04:17 UTC

Return-Path: <york@isoc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22C49128CF2 for <dnsop@ietfa.amsl.com>; Sun, 4 Nov 2018 20:17:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isoc.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6AxB2cdwufP9 for <dnsop@ietfa.amsl.com>; Sun, 4 Nov 2018 20:17:14 -0800 (PST)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on0051.outbound.protection.outlook.com [104.47.36.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 77CE4128B14 for <dnsop@ietf.org>; Sun, 4 Nov 2018 20:17:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isoc.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=xj66sxhod/dLrG4DN7IPR658pqIHrSyd4YTeL4LrG3w=; b=HM1yPEdwxk9qzlGYstrtDkalft9B/wCmma3qfpNfABHEAWqFhZw3ZjyHDA60Fwh0p7tWk/9t30MWFkPCHnHEFYla0fz8YFW3JWhp5f1Ne2h76kKRbIILOB/kIFEaZaRI5Sy9traJbCSJOu1ph7DNssSKAqmI9zM7zN1919KXy1c=
Received: from BY1PR0601MB1320.namprd06.prod.outlook.com (10.161.206.139) by BY1PR0601MB1159.namprd06.prod.outlook.com (10.160.196.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1294.26; Mon, 5 Nov 2018 04:16:20 +0000
Received: from BY1PR0601MB1320.namprd06.prod.outlook.com ([fe80::c90e:a45:e216:57c9]) by BY1PR0601MB1320.namprd06.prod.outlook.com ([fe80::c90e:a45:e216:57c9%2]) with mapi id 15.20.1294.028; Mon, 5 Nov 2018 04:16:20 +0000
From: Dan York <york@isoc.org>
To: "dnsop@ietf.org WG" <dnsop@ietf.org>
Thread-Topic: FYI - in v6OPS today - IPv6-Ready DNS/DNSSSEC Infrastructure
Thread-Index: AQHUdL5NY8HmJjSYO0WuqxyeWunIvw==
Date: Mon, 5 Nov 2018 04:16:19 +0000
Message-ID: <E751BC61-0F99-45C2-96A8-FE970B237CCD@isoc.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=york@isoc.org;
x-originating-ip: [31.133.129.154]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BY1PR0601MB1159; 6:f4utJk0HSkhusLCmGs4orSpMMtsPtdq8ZERoprWoRiEaOWuRslsqOLMEA/8szYPmPBDZ91Apbbiqp+1vfjQKpxINzxTQrb60P9pNAxNsO/ZZoLMKx9RcMdOfIGUcnwONZ0bZZnitstdT+qUb91/EIelevW25YYAik++kRnkbraIZjK27h8Y5BRlcNYLaILSSf2AGKQsupKA//4gNOWFUI1OTrszxboX1hBcBK1/uKoFBD0HhWlU21y3MFDS92/hXmmoCovVobnNf1RlnnhLkde3Bpy4YOzRjPoP1ffLANseiffNgUb6crlu76l4PFR2AmyVwzpC6sPyHZ3Xf4o6XuJNPb0gONr5J8hFTXE1eaGvpWmv4QBjWnJFXy98885Hq/EYVSSn0hSr6zls1e+eSpfLw7DRlROZeNNi5DHwJMtDLBKSyPBpKvEbm4sqTGRDwaUk/AvRL/x/YuV0EWhExOg==; 5:gTecdUK0YAhOjmgaKXkhu0fq//N2CunWkzMuu5qHaqT6Jpuh3rzPhbXGyeAlJwTSksuFoOgsvqijAIou9Dq3kUnX3Cm05C0qKNCz21qo6xxWDkZKEGEjFJpzXUd8MjWqZ4PS91acA/sI1ChM2qsCKcglFaoUwFPeooQWrcnmJw4=; 7:XoIBNpHVKrjkuoAtHVEonmXUyQ2L5Zady7YiGHHEYE73Kl576a0/8egElp5JxIHIooEZdg1CZfxHo7gjYApGVZ48ZFiHZWv2XJcQPOOczNOuZJpcwToeDHm/PqtuLmPz5vAKd1n5sPHZVg9AC7DelA==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: d527a2bc-46fb-4bf2-123c-08d642d57067
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989299)(5600074)(711020)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:BY1PR0601MB1159;
x-ms-traffictypediagnostic: BY1PR0601MB1159:
x-microsoft-antispam-prvs: <BY1PR0601MB11593D17CC4376CC0BAE56EBB7CA0@BY1PR0601MB1159.namprd06.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(120809045254105)(31418570063057);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(8121501046)(5005006)(93006095)(93001095)(10201501046)(3002001)(3231382)(944501410)(4982022)(52105095)(148016)(149066)(150057)(6041310)(20161123564045)(20161123560045)(20161123562045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(201708071742011)(7699051)(76991095); SRVR:BY1PR0601MB1159; BCL:0; PCL:0; RULEID:; SRVR:BY1PR0601MB1159;
x-forefront-prvs: 08476BC6EF
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(136003)(39840400004)(366004)(396003)(376002)(346002)(189003)(69234005)(199004)(25786009)(99286004)(8936002)(5660300001)(6916009)(6486002)(86362001)(97736004)(6116002)(606006)(316002)(3846002)(7736002)(105586002)(6436002)(33656002)(486006)(256004)(83716004)(14444005)(476003)(6306002)(2616005)(54896002)(53376002)(81166006)(81156014)(82746002)(966005)(106356001)(236005)(2900100001)(6512007)(478600001)(53936002)(71200400001)(71190400001)(186003)(26005)(2906002)(36756003)(66066001)(68736007)(6506007)(102836004)(8676002)(14454004)(32563001); DIR:OUT; SFP:1101; SCL:1; SRVR:BY1PR0601MB1159; H:BY1PR0601MB1320.namprd06.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: isoc.org does not designate permitted sender hosts)
x-microsoft-antispam-message-info: nYycWo7riw4fHVM6JE/GmrhQwGJ097ihHupDLjvh5UczYX7Sz0K07vY+sz70h5u0IFx8jQmED0ETtEwh7CVAAjikidEDXQavvJG6pwgiokhY17+YTYnoYDzko4rmlLeBhIvG6r6H3d3PQeoucx4y8m3dHV6w/MqQGYfN4Kgs75/X726YLCMw7u6+51eDKjYy93vHCQc8QEzo8Co0L/MZF7I7nu9Eptwfh+SXPnDT/nIuQV1rbVhd9BJ+er8u0qZKWcZBQUxt+YSaj62artoXIOWz0gXs0R9Iv8J50b8MG8hQdg2hkuEjbn79tpq5yhOFzuLg/Jzmo5XpOlqVYzHn1bpvyFSFiKxH8gpiuK6tP/M=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_E751BC610F9945C296A8FE970B237CCDisocorg_"
MIME-Version: 1.0
X-OriginatorOrg: isoc.org
X-MS-Exchange-CrossTenant-Network-Message-Id: d527a2bc-46fb-4bf2-123c-08d642d57067
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Nov 2018 04:16:19.8282 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 89f84dfb-7285-4810-bc4d-8b9b5794554f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY1PR0601MB1159
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_qYI5yKb6Vr80hEBDRN3Eyalt1A>
Subject: [DNSOP] FYI - in v6OPS today - IPv6-Ready DNS/DNSSSEC Infrastructure
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Nov 2018 04:17:17 -0000

FYI, in the v6ops working group right now in Meeting 1 on the 7th floor, there is a draft that will be discussed (after two other drafts are discussed) that is:


IPv6-Ready DNS/DNSSSEC Infrastructure

https://tools.ietf.org/html/draft-bp-v6ops-ipv6-ready-dns-dnssec-00

Abstract:

   This document defines the timing for implementing a worldwide
   IPv6-Ready DNS and DNSSEC infrastructure, in order to facilitate the
   global IPv6-only deployment.

   A key issue for this, is the need for a global support of DNSSEC and
   DNS64, which in some scenarios do not work well together.  This
   document states that any DNSSEC signed resources records should
   include a native IPv6 resource record as the most complete and
   expedient path to solve any deployment conflict with DNS64 and DNSSEC.

Slides: https://datatracker.ietf.org/meeting/103/materials/slides-103-v6ops-ipv6-ready-dnsdnssec-infrastructure-00

The key point is the conflict between DNS64 and DNSSEC, as described in the draft here:

    DNS64 ([RFC6147]) is a widely deployed technology allowing hundreds
   of millions of IPv6-only hosts/networks to reach IPv4-only resources.
   DNSSEC is a technology used to validate the authenticity of
   information in the DNS, however, as DNS64 ([RFC6147]) modifies DNS
   answers and DNSSEC is designed to detect such modifications, DNS64
   ([RFC6147]) can break DNSSEC in some circumstances.

I'm passing it along in case others were, like me, not paying attention to this draft.

Dan

--
Dan York
Director, Content & Web Strategy, Internet Society
york@isoc.org<mailto:york@isoc.org>   +1-802-735-1624
Jabber: york@jabber.isoc.org<mailto:york@jabber.isoc.org>  Skype: danyork   http://twitter.com/danyork

http://www.internetsociety.org/