IETF Logo Mail Archive

Re: [sunset4] future of dnssec?

"Heatley, Nick" <nick.heatley@ee.co.uk> Thu, 23 February 2017 10:53 UTC

Return-Path: <nick.heatley@ee.co.uk>
X-Original-To: sunset4@ietfa.amsl.com
Delivered-To: sunset4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07E951294B2 for <sunset4@ietfa.amsl.com>; Thu, 23 Feb 2017 02:53:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.087
X-Spam-Level:
X-Spam-Status: No, score=-6.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-1.887, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id crIWY09l39lo for <sunset4@ietfa.amsl.com>; Thu, 23 Feb 2017 02:53:34 -0800 (PST)
Received: from mail1.bemta6.messagelabs.com (mail1.bemta6.messagelabs.com [193.109.254.111]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27F71129480 for <sunset4@ietf.org>; Thu, 23 Feb 2017 02:53:33 -0800 (PST)
Received: from [193.109.254.147] by server-7.bemta-6.messagelabs.com id 54/48-24539-C2FBEA85; Thu, 23 Feb 2017 10:53:32 +0000
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprLKsWRWlGSWpSXmKPExsUy9d9HH13t/es iDCYt17HoWrGH2eLKi/ssFiv37Gd3YPZYsuQnk8eDx++YPdZ9MA9gjmLNzEvKr0hgzfi8ZBZT wTGLipWtl5gaGF+YdzFycQgJbGGUeLKghQXCOcAosanlFTOEc4pR4vC3eYxdjJwcbAK6Eu2zV jGD2CIC3hLPTjWxgtjMApoSDR0XmEBsYQENiXe7jwHZHEA1mhLTP3pClPtJPDu0HmwMi4CqxJ IP38BsXoFQiY3Xd0EtnskksenTO7D5nAJWEsd2PmUHsRkFZCW+NK5mhtglLnHryXywXRICAhJ L9pxnhrBFJV4+/scKYStIXFrUxQpyA8ht63fpQ7QqSkzpfsgOsVdQ4uTMJywTGEVnIZk6C6Fj FpKOWUg6FjCyrGLUKE4tKkst0jU00EsqykzPKMlNzMwB8sz0clOLixPTU3MSk4r1kvNzNzECo 4oBCHYw3lsWcIhRkoNJSZTXZ8+6CCG+pPyUyozE4oz4otKc1OJDjDIcHEoSvP77gHKCRanpqR VpmTnA+IZJS3DwKInwmoCkeYsLEnOLM9MhUqcYdTmObD7yhkmIJS8/L1VKnDcapEgApCijNA9 uBCzVXGKUlRLmZQQ6SoinILUoN7MEVf4VozgHo5Iw75G9QFN4MvNK4Da9AjqCCegIS+e1IEeU JCKkpBoYV7KXF1106Y/f8qFtVfQu5epb4jNezC1Jd3276NueggmGZ753JYdULj4he7Hq8HGDF J75t89J7V04sXKNLc/fd0bvAxjzb23kb/AK0l6pe+zlZt/sqxynj22IP1byxvy8VenaZJXeqe av7/ismtj48cC2aWsfFFVek3RV3HWjXTtFe/dk85XOLUosxRmJhlrMRcWJAN5ho78wAwAA
X-Env-Sender: nick.heatley@ee.co.uk
X-Msg-Ref: server-15.tower-27.messagelabs.com!1487847211!35633879!1
X-Originating-IP: [149.254.241.76]
X-StarScan-Received:
X-StarScan-Version: 9.2.3; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 55454 invoked from network); 23 Feb 2017 10:53:31 -0000
Received: from unknown (HELO smtpml01.ee.co.uk) (149.254.241.76) by server-15.tower-27.messagelabs.com with DHE-RSA-AES256-GCM-SHA384 encrypted SMTP; 23 Feb 2017 10:53:31 -0000
Received: from EEUKWV0941.EEAD.EEINT.CO.UK (Not Verified[10.246.209.218]) by smtpml01.ee.co.uk with Trustwave SEG (v7, 5, 6, 8438) id <B58aebf250001>; Thu, 23 Feb 2017 10:53:25 +0000
Received: from UK31S005EXS02.EEAD.EEINT.CO.UK (Not Verified[10.246.208.27]) by EEUKWV0941.EEAD.EEINT.CO.UK with Trustwave SEG (v7, 3, 6, 7949) id <B58aebf2a0001>; Thu, 23 Feb 2017 10:53:30 +0000
Received: from UK30S005EXS06.EEAD.EEINT.CO.UK ([fe80::314c:b96c:4a9a:8a79]) by UK31S005EXS02.EEAD.EEINT.CO.UK ([2002:1ef6:d01b::1ef6:d01b]) with mapi id 14.03.0279.002; Thu, 23 Feb 2017 10:53:30 +0000
From: "Heatley, Nick" <nick.heatley@ee.co.uk>
To: Mark Andrews <marka@isc.org>, Marc Blanchet <marc.blanchet@viagenie.ca>
Thread-Topic: [sunset4] future of dnssec?
Thread-Index: AdKNBnRIe2inw1ZcRtC42Vzko3pn/gADhDcAAAEj9/oAANTjAAAMrNV3ABzaT4A=
Date: Thu, 23 Feb 2017 10:53:30 +0000
Message-ID: <6536E263028723489CCD5B6821D4B21334D5732A@UK30S005EXS06.EEAD.EEINT.CO.UK>
References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> <B5E8C545-55B9-4ECB-B0C8-C3EEFEECD320@fugue.com> <20170222143629.9E9C56454B08@rock.dv.isc.org> <8C2DC5DB-88CA-4541-BE50-C23088F77867@viagenie.ca> <20170222210305.97EB36455CD0@rock.dv.isc.org>
In-Reply-To: <20170222210305.97EB36455CD0@rock.dv.isc.org>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.246.208.5]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/sunset4/4qzykKgOzqkhYEr-WwY_TC01TiE>
Cc: "sunset4@ietf.org" <sunset4@ietf.org>
Subject: Re: [sunset4] future of dnssec?
X-BeenThere: sunset4@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: sunset4 working group discussion list <sunset4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sunset4>, <mailto:sunset4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sunset4/>
List-Post: <mailto:sunset4@ietf.org>
List-Help: <mailto:sunset4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sunset4>, <mailto:sunset4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2017 10:53:36 -0000

Some networks do not work successfully with the additional encapsulation.
Mobile networks are the case in point.
So the translation tech rightfully exists.


-----Original Message-----
From: sunset4 [mailto:sunset4-bounces@ietf.org] On Behalf Of Mark Andrews
Sent: 22 February 2017 21:03
To: Marc Blanchet
Cc: sunset4@ietf.org
Subject: Re: [sunset4] future of dnssec?


In message <8C2DC5DB-88CA-4541-BE50-C23088F77867@viagenie.ca>, "Marc Blanchet" 
writes:
> On 22 Feb 2017, at 9:36, Mark Andrews wrote:
> 
> > In message <B5E8C545-55B9-4ECB-B0C8-C3EEFEECD320@fugue.com>, Ted 
> > Lemon
> > writes:
> >>
> >> Nick, the solution to this is to do DNS64 in the validator.   If the
> >> validator is a stub resolver, do the DNS64 hack there.   AFAIK the
> >> technology to support this already exists.
> >
> > DNS64 really should just be made historic.  It does not work with 
> > DNSSEC.  There has NEVER been a NEED for NAT64 or DNS64.  They 
> > provides NO BENEFIT over other methods.  Every proported benefit 
> > turns out not to exist.
> >
> > Go do the comparitive analysis.
> 
> I respectfully disagree. dual-stack incur many additional costs 
> operationally. deploying v6only infrastructure is more cost effective, 
> specially over the long run. nowadays, statistics show that a large 
> amount of trafic could be carried over IPv6, which means then that you 
> « just » need to care about the tail of the IPv4-only destinations, 
> which is where nat64/dns64 comes. But I guess you know all this.

Stop with the knee jerk reactions.  What gave you the idea that I wasn't talking about IPv6-only networks?

So use DS-LITE in HOST MODE.  The only DS with that is in the host which you cannot avoid if you are using IPv4 literals or is that too much dual stack.  A little bit inside the node with a fixed
IPv4 address.  No routing.  No address assignments.

As I said NAT64/DNS64 does not provide any benefits that are not available via other IPv4 as a service mechanisms with the added benefit that you don't have to teach applications / OS stack about
DNS64 prefix discovery to deal with IPv6 literals.

For NAT64/DNS64 and 464XLAT in the host *every* DNSSEC validator in the DNS path needs to be taught how to do DNS64 prefix discovery and therefor that it need to lie about AAAA results whether or not they are going to be used for a IPv6 connection or not.

Mark

> Marc.
> 
> >
> >>> On Feb 22, 2017, at 7:23 AM, Heatley, Nick <nick.heatley@ee.co.uk>
> >> wrote:
> >>>
> >>> Post exhaustion, the majority of cellular networks and some public 
> >>> wifi
> >> networks will use DNS64.
> >>> DNSSEC and DNS64 do not get along. DNSSEC for “A records only” 
> >>> is
> >> broken.
> >>> Is this the reason why all content must go v6?
> >>> Or is the case for DNSSEC still questionable?
> >>> Or do end hosts need to perform DNS64 so “DNSSEC for A records 
> >>> only”
> >> can be intact?
> >>>
> >>> NOTICE AND DISCLAIMER
> >>> This email contains BT information, which may be privileged or
> >> confidential. It's meant only for the individual(s) or entity named 
> >> above.
> >>> If you're not the intended recipient, note that disclosing, 
> >>> copying,
> >> distributing or using this information is prohibited.
> >>> If you've received this email in error, please let me know 
> >>> immediately
> >> on the email address above. Thank you.
> >>>
> >>> We monitor our email system, and may record your emails.
> >>>
> >>> EE Limited
> >>> Registered office:Trident Place, Mosquito Way, Hatfield, 
> >>> Hertfordshire,
> >> AL10 9BW
> >>> Registered in England no: 02382161
> >>>
> >>> EE Limited is a wholly owned subsidiary of:
> >>>
> >>> British Telecommunications plc
> >>> Registered office: 81 Newgate Street London EC1A 7AJ Registered in 
> >>> England no: 1800000
> >>>
> >>> _______________________________________________
> >>> sunset4 mailing list
> >>> sunset4@ietf.org <mailto:sunset4@ietf.org>
> >>> https://www.ietf.org/mailman/listinfo/sunset4
> >> <https://www.ietf.org/mailman/listinfo/sunset4>
> >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
> >
> > _______________________________________________
> > sunset4 mailing list
> > sunset4@ietf.org
> > https://www.ietf.org/mailman/listinfo/sunset4
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org


NOTICE AND DISCLAIMER
This email contains BT information, which may be privileged or confidential. It's meant only for the individual(s) or entity named above. 
If you're not the intended recipient, note that disclosing, copying, distributing or using this information is prohibited. 
If you've received this email in error, please let me know immediately on the email address above. Thank you.

We monitor our email system, and may record your emails.

EE Limited 
Registered office:Trident Place, Mosquito Way, Hatfield, Hertfordshire, AL10 9BW
Registered in England no: 02382161

EE Limited is a wholly owned subsidiary of:

British Telecommunications plc
Registered office: 81 Newgate Street London EC1A 7AJ
Registered in England no: 1800000

v2.23.0 | Report a Bug | By Email