Re: [sunset4] future of dnssec?

Sander Steffann <sander@steffann.nl> Thu, 23 February 2017 17:38 UTC

From: Sander Steffann <sander@steffann.nl>
Message-Id: <6E387159-A35B-487D-9818-0325E072E865@steffann.nl>
Date: Thu, 23 Feb 2017 18:38:10 +0100
In-Reply-To: <AC554B0E-709B-474D-97BD-C2518CED2266@fugue.com>
To: Ted Lemon <mellon@fugue.com>
References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> <B5E8C545-55B9-4ECB-B0C8-C3EEFEECD320@fugue.com> <20170222143629.9E9C56454B08@rock.dv.isc.org> <AC554B0E-709B-474D-97BD-C2518CED2266@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sunset4/5r1kgK3pkBzMrqw7v1EQUw1rIA4>
Cc: "Heatley, Nick" <nick.heatley@ee.co.uk>, "sunset4@ietf.org" <sunset4@ietf.org>, Mark Andrews <marka@isc.org>
Subject: Re: [sunset4] future of dnssec?

Hi,

> On 22 Feb 2017, at 17:35, Ted Lemon <mellon@fugue.com> wrote:
> 
> On Feb 22, 2017, at 9:36 AM, Mark Andrews <marka@isc.org> wrote:
>> DNS64 really should just be made historic.  It does not work with
>> DNSSEC.  There has NEVER been a NEED for NAT64 or DNS64.  They
>> provide NO BENEFIT over other methods.  Every purported benefit
>> turns out not to exist.
> 
> (A) I find NAT64 to be a very convenient solution, and best of all it tests IPv6 functionality in apps, so I know which apps will not work on a v6-only network.
> (B) DNS64 works _fine_ with DNSSEC as long as you do the DNS64 translation _after you validate_.

This.

I have tested different implementations and used others that work like this, and it works fine. I'm at Cisco Live in Berlin and I have been behind a DNSSEC validating NAT64 resolver the whole week (thanks to Jan Žorž for providing it!).

Cheers,
Sander
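
The ordering described in point (B) above, validate first and translate afterwards, sketched as an added example (it is not code from this thread or from any resolver mentioned in it). The DNSSEC result is modelled as a status string supplied by the caller; `Upstream`, `synthesize` and `dns64_aaaa` are hypothetical names, and the prefix is the RFC 6052 well-known prefix `64:ff9b::/96`.

```python
import ipaddress
from dataclasses import dataclass, field

# RFC 6052 well-known NAT64 prefix; a deployment may configure its own /96.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

@dataclass
class Upstream:
    """Hypothetical stand-in for what the validating resolver learned upstream.
    Status values: "secure", "insecure" (unsigned zone) or "bogus"."""
    aaaa_status: str                      # validation of the AAAA answer or its denial
    a_status: str                         # validation of the A answer
    aaaa: list = field(default_factory=list)
    a: list = field(default_factory=list)

def synthesize(v4: str) -> str:
    """Embed an IPv4 address in the low 32 bits of the NAT64 /96 prefix."""
    base = int(NAT64_PREFIX.network_address)
    return str(ipaddress.IPv6Address(base | int(ipaddress.IPv4Address(v4))))

def dns64_aaaa(up: Upstream) -> dict:
    """Answer an AAAA query: validate first, translate last."""
    servfail = {"rcode": "SERVFAIL", "answers": [], "synthesized": False}
    # 1. The AAAA answer (or the proof that none exists) must validate.
    if up.aaaa_status == "bogus":
        return servfail
    # 2. A real AAAA exists: return it untouched, never synthesize over it.
    if up.aaaa:
        return {"rcode": "NOERROR", "answers": list(up.aaaa), "synthesized": False}
    # 3. The A answer must validate before any address is derived from it.
    if up.a_status == "bogus":
        return servfail
    # 4. Only now translate; the synthetic records carry no signatures of their own.
    answers = [synthesize(v4) for v4 in up.a]
    return {"rcode": "NOERROR", "answers": answers, "synthesized": bool(answers)}

if __name__ == "__main__":
    # Constructed sample upstream results (documentation addresses).
    cases = {
        "v4-only, signed": Upstream("secure", "secure", a=["192.0.2.33"]),
        "v4-only, forged A": Upstream("secure", "bogus", a=["203.0.113.9"]),
        "dual-stack": Upstream("secure", "secure", aaaa=["2001:db8::1"], a=["192.0.2.33"]),
    }
    for name, up in cases.items():
        print(name, "->", dns64_aaaa(up))
```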