Re: IPv6 only host NAT64 requirements?

Ole Troan <otroan@employees.org> Tue, 14 November 2017 01:04 UTC

From: Ole Troan <otroan@employees.org>
Subject: Re: IPv6 only host NAT64 requirements?
Date: Tue, 14 Nov 2017 09:03:46 +0800
Cc: Philip Homburg <pch-ipv6-ietf-4@u-1.phicoh.com>, 6man WG <ipv6@ietf.org>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/lMNaD_FIx5Cel-wJEKiPpq9F-w0>

Brian,

>>>>> I am not optimistic on the demand / need / value of dnssec in any scenario
>>>>> ....let alone an ipv6-only host validating an ipv4-only dns name. If the
>>>>> folks operating this service cared, they could operate the server with
>>>>> signed v6 names.  It is more reasonable in today's internet to ask the
>>>>> server (let's assume most signed name scenarios are servers) to be set up
>>>>> right (with v6). There is not a compelling reason why having v6 is
>>>>> unattainable today for named nodes.
>>>> 
>>>> DNSSEC is something that works today.
>>> 
>>> This is not the impression I get from attending IEPG meetings
>>> and chatting in the corridors at the IETF. Also, we knew throughout
>>> the development of NAT64/DNS64 that DNSSEC was a major stumbling block.
>>> I don't think it is a good idea to entangle RFC6434bis with that issue.
>> 
>> What's the DNSSEC major stumbling block?
> 
> I pass. Try asking Geoff Huston, for example.

As far as I understand it, DNSSEC has deployment issues, which are comparable for the DNS64 and non-DNS64 case.

https://tools.ietf.org/html/rfc6147#section-3
https://tools.ietf.org/html/rfc7050#section-3

But I will leave someone who knows DNS to give a definite answer to that.

If I understand what people are telling me correctly, your statement "major stumbling block" is not correct.

Best regards,
Ole