Re: DNS64, DANE and DPRIV

Andrew Sullivan <ajs@anvilwalrusden.com> Mon, 08 December 2014 01:14 UTC

Date: Sun, 07 Dec 2014 20:14:41 -0500
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: ietf@ietf.org
Subject: Re: DNS64, DANE and DPRIV
Message-ID: <20141208011440.GB21788@mx1.yitter.info>
References: <CAMm+Lwj+KjTVka1M7O+tsp76C_OCGR0bWKH_k5UrZXSYZrF+GA@mail.gmail.com> <30614.1417993457@sandelman.ca>
In-Reply-To: <30614.1417993457@sandelman.ca>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/TbIN0siBQspk55KvG3HY6PdDEZ8

On Sun, Dec 07, 2014 at 06:04:17PM -0500, Michael Richardson wrote:
> I've wanted DNS64 to happen in the host, and given that a number of hosts had
> to be fixed to function in IPv6 only environments, a change to include DNS64
> would not be crazy in my opinion, and eliminates much of the end-to-end
> DNSSEC-breakage that DNS64 can imply.
> 
> (or to put it another way: when you turn on end-host DNSSEC validation,
> and enable DPRIV, you had better provide DNS64 at the same time)

For whatever it's worth, my view when we were working on DNS64 was
that DNSSEC wasn't really deployed for edge validation yet, so if one
had to make a change in something to accommodate DNS64 it would be ok
if it was part of the way validation at the edge happened.  I think
that is still true, and I think therefore that DNS64 at edge hosts is
not a terrible idea.  Moreover, if the edge device knows about the
NAT64, it's in a position to do less stupid stuff itself.

Best regards,

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com
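As an added illustration of the edge-host DNS64 discussed in this thread (example code, not from the thread or from any DNS64 implementation): the RFC 6052 address embedding a host would perform after its own validator has accepted the A RRset, so synthesis never has to pass through the DNSSEC chain. The Answer structure, prefixes and addresses are constructed for the example.

```python
import ipaddress
from typing import List, NamedTuple

# RFC 6052 embedding: the NAT64 prefix is /32, /40, /48, /56, /64 or /96, and
# bits 64-71 (the "u" octet) must be zero, so the IPv4 address is placed around
# that octet rather than simply appended to the prefix.
def synthesize_aaaa(ipv4: str, prefix: str = "64:ff9b::", prefix_len: int = 96) -> str:
    if prefix_len not in (32, 40, 48, 56, 64, 96):
        raise ValueError("NAT64 prefix length must be 32, 40, 48, 56, 64 or 96")
    pfx = ipaddress.IPv6Address(prefix).packed[: prefix_len // 8]
    v4 = ipaddress.IPv4Address(ipv4).packed
    body = pfx + v4
    if prefix_len <= 64:
        body = body[:8] + b"\x00" + body[8:]  # keep the "u" octet zero
    return str(ipaddress.IPv6Address(body.ljust(16, b"\x00")))


class Answer(NamedTuple):
    """Constructed stand-in for a resolver answer: the RRset plus whether the
    host's own validator authenticated it (the same condition as the AD bit)."""
    rdata: List[str]
    validated: bool


def host_dns64(aaaa: Answer, a: Answer,
               prefix: str = "64:ff9b::", prefix_len: int = 96) -> List[str]:
    """Edge-host DNS64 (the RFC 6147 decision) applied after local DNSSEC
    validation: a validated native AAAA wins; otherwise synthesize from the A
    RRset, and only if that RRset validated, so forged A data can never turn
    into an address the host trusts."""
    if aaaa.rdata:
        return aaaa.rdata if aaaa.validated else []
    if not a.validated:
        return []  # bogus A data is dropped, exactly as any other bogus RRset
    return [synthesize_aaaa(ip, prefix, prefix_len) for ip in a.rdata]


if __name__ == "__main__":
    # Constructed sample: no AAAA exists, the A RRset validated on the host.
    print(host_dns64(Answer([], True), Answer(["192.0.2.33"], True)))
```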