Re: [Doh] DNS64 and DOH
JORDI PALET MARTINEZ <jordi.palet@consulintel.es> Thu, 22 March 2018 14:30 UTC
Return-Path: <prvs=16191218c3=jordi.palet@consulintel.es>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94D77126DFB for <doh@ietfa.amsl.com>; Thu, 22 Mar 2018 07:30:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=consulintel.es
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r2EylJkcoKiT for <doh@ietfa.amsl.com>; Thu, 22 Mar 2018 07:30:03 -0700 (PDT)
Received: from mail.consulintel.es (mail.consulintel.es [IPv6:2001:470:1f09:495::5]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 532141243FE for <doh@ietf.org>; Thu, 22 Mar 2018 07:30:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=consulintel.es; s=MDaemon; t=1521729000; x=1522333800; i=jordi.palet@consulintel.es; q=dns/txt; h=User-Agent:Date: Subject:From:To:CC:Message-ID:Thread-Topic:References: In-Reply-To:Mime-version:Content-type:Content-transfer-encoding; bh=Egqsh5aKHuhEPbNT+9iqinwbnbbOiFqQrDhY2WfP7TM=; b=QmEz6XW8NaFn1 0QH/Nb5zvz+BbBKq8piq2dMLZoTcYfFbh7qUQLOQxXgC6CngN8BZ/mSEt/xm/qYN 1Q32EVqWFzHJ4q2Hbgtf8IgBphh9sZstlROHIi4uTHNsaZ68+J4Gbg7QnxlodN/o cbD8mgRKq1FyeRnoLfzmP0bXlWXVxA=
X-MDAV-Result: clean
X-MDAV-Processed: mail.consulintel.es, Thu, 22 Mar 2018 15:30:00 +0100
X-Spam-Processed: mail.consulintel.es, Thu, 22 Mar 2018 15:30:00 +0100
Received: from [31.133.156.94] by mail.consulintel.es (MDaemon PRO v16.5.2) with ESMTPA id md50005730313.msg for <doh@ietf.org>; Thu, 22 Mar 2018 15:29:59 +0100
X-MDRemoteIP: 2001:67c:1232:144:b92d:f8a4:4f56:e2bb
X-MDHelo: [31.133.156.94]
X-MDArrival-Date: Thu, 22 Mar 2018 15:29:59 +0100
X-Authenticated-Sender: jordi.palet@consulintel.es
X-Return-Path: prvs=16191218c3=jordi.palet@consulintel.es
X-Envelope-From: jordi.palet@consulintel.es
X-MDaemon-Deliver-To: doh@ietf.org
User-Agent: Microsoft-MacOutlook/10.b.0.180311
Date: Thu, 22 Mar 2018 14:29:54 +0000
From: JORDI PALET MARTINEZ <jordi.palet@consulintel.es>
To: Lee Howard <lee@asgard.org>, Stephane Bortzmeyer <bortzmeyer@nic.fr>, Erik Nygren <erik+ietf@nygren.org>
CC: doh@ietf.org
Message-ID: <C8D3B48B-209F-44EC-A80F-FCCE0991B3B2@consulintel.es>
Thread-Topic: [Doh] DNS64 and DOH
References: <CAKC-DJjtHE89A=vG5iS_0M_jqnWusDUDnwyernd+FC1VxxmU5Q@mail.gmail.com> <20180319090048.GB16151@laperouse.bortzmeyer.org> <4c0b18e4-0f97-e1d5-7e93-1dc81d03f114@asgard.org>
In-Reply-To: <4c0b18e4-0f97-e1d5-7e93-1dc81d03f114@asgard.org>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/5Xgkgd8fp2h55QTcrHRpwVO0mtc>
Subject: Re: [Doh] DNS64 and DOH
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Mar 2018 14:30:08 -0000
I will also draft some text in https://tools.ietf.org/html/draft-palet-v6ops-nat64-deployment-00, in order to consider different issues that have been raised with this thread, so at least, those deploying NAT64s/DNS64s are aware of it. Regards, Jordi -----Mensaje original----- De: Doh <doh-bounces@ietf.org> en nombre de Lee Howard <lee@asgard.org> Fecha: jueves, 22 de marzo de 2018, 14:17 Para: Stephane Bortzmeyer <bortzmeyer@nic.fr>, Erik Nygren <erik+ietf@nygren.org> CC: <doh@ietf.org>, Jordi Palet Martinez <jordi.palet@consulintel.es> Asunto: Re: [Doh] DNS64 and DOH On 03/19/2018 09:00 AM, Stephane Bortzmeyer wrote: > On Sun, Mar 18, 2018 at 07:20:35PM +0000, > Erik Nygren <erik+ietf@nygren.org> wrote > a message of 86 lines which said: > >> At least for mobile, not using DNS64 synthesis in the client will >> likely result in this either breaking the client in NAT64 >> environments > Is it a DNS64-specific problem? It could also happen if you have > local-only domain names, dummy local TLDs, alternative roots, > split-horizon, CDN, geo-based answers, or other DNS tricks. > > Yesterday, one IETFer told me that DoH was a bad idea because it allows > people to avoid DNS-based national censorship… > > May be a warning "the DoH resolver may give you a different answer > from what you would have got from the usual resolver"? Now that I have a couple more minutes, I thought I'd note Apple's measurements of IPv6-only hosts: https://www.ietf.org/proceedings/98/slides/slides-98-maprg-measuring-trends-in-ipv6-support-tommy-pauly-00.pdf As of a year ago in maprg, 5-10% of hosts had no IPv4. Thanks for including the text, "For example, in the case of DNS64 [RFC6147], the choice could affect whether IPv6/IPv4 translation will work at all." It might not be immediately clear to a server operator that the implication of translation not working is that they must dual-stack the server. Proposed text: "... IPv6/IPv4 translation will work at all, so running both IPv4 and IPv6 on the server is recommended." If you don't like "is recommended" because it's rfc2119 language, maybe "will improve the chances of connecting." I'm also a little nervous about the text in Section 9 Operational Considerations describing the bootstrap problem, and suggesting as one possibility "IP based URIs and corresponding IP based certificates for HTTPS". Using IP literals as the URI is the opposite of DNS. I think this is the fundamental resolution problem, which DNS solves with root hints and glue records. There are, of course, lots of problems with IP literals, including that the syntax is different in IPv4 and [IPv6], and that addresses change. Lee _______________________________________________ Doh mailing list Doh@ietf.org https://www.ietf.org/mailman/listinfo/doh ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.consulintel.es The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
- [Doh] DNS64 and DOH Erik Nygren
- Re: [Doh] DNS64 and DOH Stephane Bortzmeyer
- Re: [Doh] DNS64 and DOH Jim Reid
- Re: [Doh] DNS64 and DOH Patrick McManus
- Re: [Doh] [Ext] DNS64 and DOH Paul Hoffman
- Re: [Doh] [Ext] DNS64 and DOH Andrew Sullivan
- Re: [Doh] [Ext] DNS64 and DOH Ben Schwartz
- Re: [Doh] DNS64 and DOH Lee Howard
- Re: [Doh] [Ext] DNS64 and DOH Andrew Sullivan
- Re: [Doh] [Ext] DNS64 and DOH Jim Reid
- Re: [Doh] DNS64 and DOH Lee Howard
- Re: [Doh] DNS64 and DOH JORDI PALET MARTINEZ