IETF Logo Mail Archive

Re: [sunset4] future of dnssec?

Mark Andrews <marka@isc.org> Thu, 23 February 2017 13:07 UTC

Return-Path: <marka@isc.org>
X-Original-To: sunset4@ietfa.amsl.com
Delivered-To: sunset4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A38E12A1BC for <sunset4@ietfa.amsl.com>; Thu, 23 Feb 2017 05:07:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HHKhKpWzAjUV for <sunset4@ietfa.amsl.com>; Thu, 23 Feb 2017 05:07:02 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6EE612A1B5 for <sunset4@ietf.org>; Thu, 23 Feb 2017 05:07:02 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id D2D723493ED; Thu, 23 Feb 2017 13:06:58 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id A933416004F; Thu, 23 Feb 2017 13:06:58 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 90F3B160053; Thu, 23 Feb 2017 13:06:58 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Zs2-ZrmgHFQn; Thu, 23 Feb 2017 13:06:58 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id A6FB716004F; Thu, 23 Feb 2017 13:06:57 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 4D3A664684D7; Fri, 24 Feb 2017 00:06:52 +1100 (EST)
To: "Heatley, Nick" <nick.heatley@ee.co.uk>
From: Mark Andrews <marka@isc.org>
References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> <B5E8C545-55B9-4ECB-B0C8-C3EEFEECD320@fugue.com> <20170222143629.9E9C56454B08@rock.dv.isc.org> <8C2DC5DB-88CA-4541-BE50-C23088F77867@viagenie.ca> <20170222210305.97EB36455CD0@rock.dv.isc.org> <6536E263028723489CCD5B6821D4B21334D5732A@UK30S005EXS06.EEAD.EEINT.CO.UK>
In-reply-to: Your message of "Thu, 23 Feb 2017 10:53:30 -0000." <6536E263028723489CCD5B6821D4B21334D5732A@UK30S005EXS06.EEAD.EEINT.CO.UK>
Date: Fri, 24 Feb 2017 00:06:52 +1100
Message-Id: <20170223130652.4D3A664684D7@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sunset4/GxcSpKS4TKhEMw1i8QZ78b2LcUY>
Cc: Marc Blanchet <marc.blanchet@viagenie.ca>, "sunset4@ietf.org" <sunset4@ietf.org>
Subject: Re: [sunset4] future of dnssec?
X-BeenThere: sunset4@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: sunset4 working group discussion list <sunset4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sunset4>, <mailto:sunset4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sunset4/>
List-Post: <mailto:sunset4@ietf.org>
List-Help: <mailto:sunset4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sunset4>, <mailto:sunset4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2017 13:07:04 -0000

In message <6536E263028723489CCD5B6821D4B21334D5732A@UK30S005EXS06.EEAD.EEINT.C
O.UK>, "Heatley, Nick" writes:
> Some networks do not work successfully with the additional encapsulation.
> Mobile networks are the case in point.
> So the translation tech rightfully exists.

464XLAT is encapsulation with translation.  It drops the IPv4 path
MTU from 1500 to 1480.  DS-Lite drops the IPv4 MTU to 1460.  You
can't avoid the issue with tethered equipement.

For TCP connection initiatiate from the host you shouldn't be seeing
PMTU issues with either 464XLAT or DS-Lite as both should be
presenting iterface MTU that doesn't result in PTB's being generated
by the teco's equipement.  For 464XLAT the mss should be that of
IPv6.  For DS-Lite in the host mode the mss should be 20 bytes
smaller.

Or can't the phone manufactures actually do DS-Lite host mode
properly if they were to try?

Encapsulation in the connection initiating device is different to
encapsulation in the middle of the path.  You start out with a
smaller MTU.

Mark

> -----Original Message-----
> From: sunset4 mailto:sunset4-bounces@ietf.org On Behalf Of Mark Andrews
> Sent: 22 February 2017 21:03
> To: Marc Blanchet
> Cc: sunset4@ietf.org
> Subject: Re: sunset4 future of dnssec?
>
>
> In message <8C2DC5DB-88CA-4541-BE50-C23088F77867@viagenie.ca>, "Marc
> Blanchet"
> writes:
> > On 22 Feb 2017, at 9:36, Mark Andrews wrote:
> >
> > > In message <B5E8C545-55B9-4ECB-B0C8-C3EEFEECD320@fugue.com>, Ted
> > > Lemon
> > > writes:
> > >>
> > >> Nick, the solution to this is to do DNS64 in the validator.   If the
> > >> validator is a stub resolver, do the DNS64 hack there.   AFAIK the
> > >> technology to support this already exists.
> > >
> > > DNS64 really should just be made historic.  It does not work with
> > > DNSSEC.  There has NEVER been a NEED for NAT64 or DNS64.  They
> > > provides NO BENEFIT over other methods.  Every proported benefit
> > > turns out not to exist.
> > >
> > > Go do the comparitive analysis.
> >
> > I respectfully disagree. dual-stack incur many additional costs
> > operationally. deploying v6only infrastructure is more cost effective,
> > specially over the long run. nowadays, statistics show that a large
> > amount of trafic could be carried over IPv6, which means then that you
> > just need to care about the tail of the IPv4-only destinations,
> > which is where nat64/dns64 comes. But I guess you know all this.
>
> Stop with the knee jerk reactions.  What gave you the idea that I wasn't
> talking about IPv6-only networks?
>
> So use DS-LITE in HOST MODE.  The only DS with that is in the host which
> you cannot avoid if you are using IPv4 literals or is that too much dual
> stack.  A little bit inside the node with a fixed
> IPv4 address.  No routing.  No address assignments.
>
> As I said NAT64/DNS64 does not provide any benefits that are not
> available via other IPv4 as a service mechanisms with the added benefit
> that you don't have to teach applications / OS stack about
> DNS64 prefix discovery to deal with IPv6 literals.
>
> For NAT64/DNS64 and 464XLAT in the host *every* DNSSEC validator in the
> DNS path needs to be taught how to do DNS64 prefix discovery and therefor
> that it need to lie about AAAA results whether or not they are going to
> be used for a IPv6 connection or not.
>
> Mark
>
> > Marc.
> >
> > >
> > >>> On Feb 22, 2017, at 7:23 AM, Heatley, Nick <nick.heatley@ee.co.uk>
> > >> wrote:
> > >>>
> > >>> Post exhaustion, the majority of cellular networks and some public
> > >>> wifi
> > >> networks will use DNS64.
> > >>> DNSSEC and DNS64 do not get along. DNSSEC for A records only
> > >>> is
> > >> broken.
> > >>> Is this the reason why all content must go v6?
> > >>> Or is the case for DNSSEC still questionable?
> > >>> Or do end hosts need to perform DNS64 so DNSSEC for A records
> > >>> only
> > >> can be intact?
> > >>>
> > >>> NOTICE AND DISCLAIMER
> > >>> This email contains BT information, which may be privileged or
> > >> confidential. It's meant only for the individual(s) or entity named
> > >> above.
> > >>> If you're not the intended recipient, note that disclosing,
> > >>> copying,
> > >> distributing or using this information is prohibited.
> > >>> If you've received this email in error, please let me know
> > >>> immediately
> > >> on the email address above. Thank you.
> > >>>
> > >>> We monitor our email system, and may record your emails.
> > >>>
> > >>> EE Limited
> > >>> Registered office:Trident Place, Mosquito Way, Hatfield,
> > >>> Hertfordshire,
> > >> AL10 9BW
> > >>> Registered in England no: 02382161
> > >>>
> > >>> EE Limited is a wholly owned subsidiary of:
> > >>>
> > >>> British Telecommunications plc
> > >>> Registered office: 81 Newgate Street London EC1A 7AJ Registered in
> > >>> England no: 1800000
> > >>>
> > >>> _______________________________________________
> > >>> sunset4 mailing list
> > >>> sunset4@ietf.org <mailto:sunset4@ietf.org>
> > >>> https://www.ietf.org/mailman/listinfo/sunset4
> > >> <https://www.ietf.org/mailman/listinfo/sunset4>
> > >
> > > --
> > > Mark Andrews, ISC
> > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
> > >
> > > _______________________________________________
> > > sunset4 mailing list
> > > sunset4@ietf.org
> > > https://www.ietf.org/mailman/listinfo/sunset4
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
>
>
> NOTICE AND DISCLAIMER
> This email contains BT information, which may be privileged or
> confidential. It's meant only for the individual(s) or entity named
> above.
> If you're not the intended recipient, note that disclosing, copying,
> distributing or using this information is prohibited.
> If you've received this email in error, please let me know immediately on
> the email address above. Thank you.
>
> We monitor our email system, and may record your emails.
>
> EE Limited
> Registered office:Trident Place, Mosquito Way, Hatfield, Hertfordshire,
> AL10 9BW
> Registered in England no: 02382161
>
> EE Limited is a wholly owned subsidiary of:
>
> British Telecommunications plc
> Registered office: 81 Newgate Street London EC1A 7AJ
> Registered in England no: 1800000
> _______________________________________________
> sunset4 mailing list
> sunset4@ietf.org
> https://www.ietf.org/mailman/listinfo/sunset4

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email