Re: [secdir] Secdir review of draft-ietf-behave-nat64-learn-analysis-03.txt

Alexey Melnikov <alexey.melnikov@isode.com> Tue, 10 April 2012 12:40 UTC

I have to admit that my knowledge of DNSSEC is lacking, so can somebody 
help me answer this question (which I didn't mention in my SecDir review):

5.2.  EDNS0 option indicating AAAA Record synthesis and format

5.2.1.  Solution description

    The third revision of "EDNS0 Option for Indicating AAAA Record
    Synthesis and Format", a draft document submitted to the behave WG in
    February 2011 by Jouni Korhonen and Teemu Savolainen, defined a new
    EDNS0 option [RFC2671], which contained 3 flag bits (called SY-bits).
    The EDNS0 option served as an implicit indication of the presence of
    DNS64 server and the NAT64 device.  The EDNS0 option SY-bit values
    other than '000' and '111' explicitly told the NSP prefix length.
    Only the DNS64 server could insert the EDNS0 option and the required
    SY-bits combination into the synthesized AAAA Resource Record.

Will DNS64 insertion of this option invalidate the DNSSEC signature?