Re: [DNSOP] [v6ops] [IANA #989438] ipv4only.arpa's delegation should be insecure.
JORDI PALET MARTINEZ <jordi.palet@consulintel.es> Wed, 13 June 2018 10:45 UTC
Date: Wed, 13 Jun 2018 12:45:38 +0200
From: JORDI PALET MARTINEZ <jordi.palet@consulintel.es>
To: Philip Homburg <pch-v6ops-8@u-1.phicoh.com>,
<v6ops@ietf.org>
CC: Stuart Cheshire <cheshire@apple.com>,
Michelle Cotton via RT <iana-questions@iana.org>, dnsop <dnsop@ietf.org>,
David Schinazi <dschinazi@apple.com>
Message-ID: <0076D883-6824-4237-A0B7-8485A3756BB1@consulintel.es>
Thread-Topic: [DNSOP] [v6ops] [IANA #989438] ipv4only.arpa's delegation should
be insecure.
References: <rt-4.2.9-2607-1515188710-296.989438-6-0@icann.org>
<FAA35F1A-9AD4-4993-9A5C-53A6143B9DE7@isc.org>
<43D81243-B2D8-4622-B03D-D20DB7EC243C@apple.com>
<m1fT2lY-0000IHC@stereo.hq.phicoh.net>
In-Reply-To: <m1fT2lY-0000IHC@stereo.hq.phicoh.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/l327_s3W9jNSwk3WxzVSEsyJz2M>
Subject: Re: [DNSOP] [v6ops] [IANA #989438] ipv4only.arpa's delegation
should be insecure.
Hi Philip,

Agree, ideally, it should be a DHCPv6-based mechanism, as we already proposed a long time ago, because PCP is not present in many networks (unfortunately), while DHCP is quite common.

We are happy to resurrect and review this work if needed:
https://tools.ietf.org/html/draft-li-intarea-nat64-prefix-dhcp-option-01

Regards,
Jordi

-----Original Message-----
From: DNSOP <dnsop-bounces@ietf.org> on behalf of Philip Homburg <pch-v6ops-8@u-1.phicoh.com>
Date: Wednesday, 13 June 2018, 12:42
To: <v6ops@ietf.org>
CC: Stuart Cheshire <cheshire@apple.com>, Michelle Cotton via RT <iana-questions@iana.org>, dnsop <dnsop@ietf.org>, David Schinazi <dschinazi@apple.com>
Subject: Re: [DNSOP] [v6ops] [IANA #989438] ipv4only.arpa's delegation should be insecure.

>https://tools.ietf.org/html/draft-cheshire-sudn-ipv4only-dot-arpa
><https://tools.ietf.org/html/draft-cheshire-sudn-ipv4only-dot-arpa>
>From Section 6.2:

    3. Name resolution APIs and libraries MUST recognize 'ipv4only.arpa' as
    special and MUST give it special treatment. Regardless of any manual
    client DNS configuration, DNS overrides configured by VPN client
    software, or any other mechanisms that influence the choice of the
    client's recursive resolver address(es) (including client devices that
    run their own local recursive resolver and use the loopback address as
    their configured recursive resolver address) all queries for
    'ipv4only.arpa' and any subdomains of that name MUST be sent to the
    recursive resolver learned from the network via IPv6 Router
    Advertisement Options for DNS Configuration [RFC6106] or via DNS
    Configuration options for DHCPv6 [RFC3646].

First we introduce ipv4only.arpa as a hack to avoid creating/deploying a suitable mechanism to communicate the NAT64 translation prefix. That's fine with me. But when that hack then requires changes to every possible DNS stub resolver implementation in the world, there is something seriously wrong.

So if this is indeed required to make RFC7050 work then it is better to formally deprecate RFC7050 and focus on other ways to discover the translation prefix. It seems that at least one already exists (RFC7225) so not much is lost.
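The "hack" Philip refers to works like this: the client asks for AAAA records for ipv4only.arpa, a DNS64 on the path synthesizes an answer by embedding one of the Well-Known IPv4 Addresses (192.0.0.170 or 192.0.0.171) into the NAT64 prefix using the RFC 6052 layout, and the client then searches the returned address for the WKA at each legal prefix length to recover Pref64::/n (RFC 7050). Because the answer is synthesized rather than served by the ipv4only.arpa zone, it only exists when the query reaches the network-supplied resolver (hence the draft text quoted above), and it cannot validate under DNSSEC (hence the request in the thread subject for an insecure delegation). The following is an added example, not code from any participant in the thread or from the RFCs and drafts it cites: it embeds and extracts the WKA for all six RFC 6052 prefix lengths and runs the discovery step over constructed AAAA answers. The function names are this example's own; the 2001:db8 prefixes used as inputs are documentation-range assumptions, and the candidate search in discover_pref64 is the example's own logic rather than the normative procedure of RFC 7050.

```python
import ipaddress
from typing import Iterable, Set

# Well-Known IPv4 Addresses to which ipv4only.arpa resolves (RFC 7050 section 3.1).
WKA = frozenset(ipaddress.IPv4Address(a) for a in ("192.0.0.170", "192.0.0.171"))
# Prefix lengths permitted for IPv4-embedded IPv6 addresses (RFC 6052 section 2.2).
PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def embed_ipv4(prefix: str, v4: str) -> str:
    """Build the IPv4-embedded IPv6 address for v4 under prefix (RFC 6052 section 2.2).

    This mirrors what a DNS64 does when it synthesizes the AAAA record for
    ipv4only.arpa; here it is only used to construct answers offline.
    """
    net = ipaddress.IPv6Network(prefix)
    plen = net.prefixlen
    if plen not in PREFIX_LENGTHS:
        raise ValueError(f"/{plen} is not a valid RFC 6052 prefix length")
    p = int(net.network_address) >> (128 - plen)   # prefix bits, right-aligned
    v = int(ipaddress.IPv4Address(v4))
    if plen == 96:
        return str(ipaddress.IPv6Address((p << 32) | v))   # IPv4 occupies bits 96-127
    # For /32 to /64 the IPv4 bits straddle the "u" octet (bits 64-71), which must stay zero.
    before_u = 64 - plen          # IPv4 bits that fit between the prefix and bit 64
    after_u = 32 - before_u       # IPv4 bits placed from bit 72 onward
    high = v >> after_u
    low = v & ((1 << after_u) - 1)
    value = (p << (128 - plen)) | (high << 64) | (low << (56 - after_u))
    return str(ipaddress.IPv6Address(value))


def extract_ipv4(addr: str, plen: int) -> str:
    """Inverse of embed_ipv4: the IPv4 address addr would carry if its NAT64 prefix were /plen."""
    if plen not in PREFIX_LENGTHS:
        raise ValueError(f"/{plen} is not a valid RFC 6052 prefix length")
    a = int(ipaddress.IPv6Address(addr))
    if plen == 96:
        return str(ipaddress.IPv4Address(a & 0xFFFF_FFFF))
    before_u = 64 - plen
    after_u = 32 - before_u
    high = (a >> 64) & ((1 << before_u) - 1)
    low = (a >> (56 - after_u)) & ((1 << after_u) - 1)
    return str(ipaddress.IPv4Address((high << after_u) | low))


def discover_pref64(aaaa_answers: Iterable[str]) -> Set[str]:
    """RFC 7050 section 3: recover Pref64::/n from the AAAA records returned for ipv4only.arpa.

    Each answer is probed at every RFC 6052 prefix length for an embedded WKA, and
    only prefixes consistent with every answer are returned. An empty set means no
    answer was synthesized by a DNS64 (for instance because the query never reached
    the network-supplied resolver); more than one entry means the answers are
    ambiguous and the caller must not guess. This candidate search is the example's
    own, not the normative procedure in RFC 7050 section 3.2.
    """
    candidates = None
    for addr in aaaa_answers:
        found = set()
        for plen in PREFIX_LENGTHS:
            if ipaddress.IPv4Address(extract_ipv4(addr, plen)) in WKA:
                found.add(str(ipaddress.IPv6Network(f"{addr}/{plen}", strict=False)))
        candidates = found if candidates is None else candidates & found
    return candidates or set()


if __name__ == "__main__":
    # Constructed answers, as a DNS64 using the well-known prefix 64:ff9b::/96 would synthesize them.
    answers = [embed_ipv4("64:ff9b::/96", str(w)) for w in sorted(WKA)]
    print(answers)                    # ['64:ff9b::c000:aa', '64:ff9b::c000:ab']
    print(discover_pref64(answers))   # {'64:ff9b::/96'}
```

Two things worth noting when reading the result. A prefix whose own bits happen to spell out a WKA (for instance 2001:db8:c000:aa::/96) is found at both /32 and /96, and querying the second WKA does not disambiguate it because the prefix bits are the same in both answers, so a resolver that gets more than one candidate has to fall back on something other than the AAAA record. And nothing in this routine can tell whether the answer came from the network's DNS64 or from some other resolver the host happened to be pointed at, which is exactly the gap the quoted draft text tries to close by special-casing the name in every stub resolver.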