IETF Logo Mail Archive

Re: [sunset4] future of dnssec?

Mark Andrews <marka@isc.org> Wed, 22 February 2017 21:03 UTC

Return-Path: <marka@isc.org>
X-Original-To: sunset4@ietfa.amsl.com
Delivered-To: sunset4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA4E2129B41 for <sunset4@ietfa.amsl.com>; Wed, 22 Feb 2017 13:03:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.902
X-Spam-Level:
X-Spam-Status: No, score=-6.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GQbNcoPA0Zcp for <sunset4@ietfa.amsl.com>; Wed, 22 Feb 2017 13:03:15 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 276C2129AAA for <sunset4@ietf.org>; Wed, 22 Feb 2017 13:03:15 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id BEA863494FE; Wed, 22 Feb 2017 21:03:11 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id A3A91160048; Wed, 22 Feb 2017 21:03:11 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 9126716006D; Wed, 22 Feb 2017 21:03:11 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id dR40f4WGH3sU; Wed, 22 Feb 2017 21:03:11 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id C3998160048; Wed, 22 Feb 2017 21:03:10 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 97EB36455CD0; Thu, 23 Feb 2017 08:03:05 +1100 (EST)
To: Marc Blanchet <marc.blanchet@viagenie.ca>
From: Mark Andrews <marka@isc.org>
References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> <B5E8C545-55B9-4ECB-B0C8-C3EEFEECD320@fugue.com> <20170222143629.9E9C56454B08@rock.dv.isc.org> <8C2DC5DB-88CA-4541-BE50-C23088F77867@viagenie.ca>
In-reply-to: Your message of "Wed, 22 Feb 2017 10:00:30 -0500." <8C2DC5DB-88CA-4541-BE50-C23088F77867@viagenie.ca>
Date: Thu, 23 Feb 2017 08:03:05 +1100
Message-Id: <20170222210305.97EB36455CD0@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sunset4/HZk6Rm_QOEBqgly6ZhbxTRJQsqg>
Cc: "sunset4@ietf.org" <sunset4@ietf.org>
Subject: Re: [sunset4] future of dnssec?
X-BeenThere: sunset4@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: sunset4 working group discussion list <sunset4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sunset4>, <mailto:sunset4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sunset4/>
List-Post: <mailto:sunset4@ietf.org>
List-Help: <mailto:sunset4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sunset4>, <mailto:sunset4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Feb 2017 21:03:16 -0000

In message <8C2DC5DB-88CA-4541-BE50-C23088F77867@viagenie.ca>, "Marc Blanchet" 
writes:
> On 22 Feb 2017, at 9:36, Mark Andrews wrote:
> 
> > In message <B5E8C545-55B9-4ECB-B0C8-C3EEFEECD320@fugue.com>, Ted Lemon 
> > writes:
> >>
> >> Nick, the solution to this is to do DNS64 in the validator.   If the
> >> validator is a stub resolver, do the DNS64 hack there.   AFAIK the
> >> technology to support this already exists.
> >
> > DNS64 really should just be made historic.  It does not work with
> > DNSSEC.  There has NEVER been a NEED for NAT64 or DNS64.  They
> > provides NO BENEFIT over other methods.  Every proported benefit
> > turns out not to exist.
> >
> > Go do the comparitive analysis.
> 
> I respectfully disagree. dual-stack incur many additional costs 
> operationally. deploying v6only infrastructure is more cost effective, 
> specially over the long run. nowadays, statistics show that a large 
> amount of trafic could be carried over IPv6, which means then that you 
> « just » need to care about the tail of the IPv4-only destinations, 
> which is where nat64/dns64 comes. But I guess you know all this.

Stop with the knee jerk reactions.  What gave you the idea that I
wasn't talking about IPv6-only networks?

So use DS-LITE in HOST MODE.  The only DS with that is in the host
which you cannot avoid if you are using IPv4 literals or is that
too much dual stack.  A little bit inside the node with a fixed
IPv4 address.  No routing.  No address assignments.

As I said NAT64/DNS64 does not provide any benefits that are not
available via other IPv4 as a service mechanisms with the added
benefit that you don't have to teach applications / OS stack about
DNS64 prefix discovery to deal with IPv6 literals.

For NAT64/DNS64 and 464XLAT in the host *every* DNSSEC validator
in the DNS path needs to be taught how to do DNS64 prefix discovery
and therefor that it need to lie about AAAA results whether or not
they are going to be used for a IPv6 connection or not.

Mark

> Marc.
> 
> >
> >>> On Feb 22, 2017, at 7:23 AM, Heatley, Nick <nick.heatley@ee.co.uk>
> >> wrote:
> >>>
> >>> Post exhaustion, the majority of cellular networks and some public 
> >>> wifi
> >> networks will use DNS64.
> >>> DNSSEC and DNS64 do not get along. DNSSEC for “A records only” 
> >>> is
> >> broken.
> >>> Is this the reason why all content must go v6?
> >>> Or is the case for DNSSEC still questionable?
> >>> Or do end hosts need to perform DNS64 so “DNSSEC for A records 
> >>> only”
> >> can be intact?
> >>>
> >>> NOTICE AND DISCLAIMER
> >>> This email contains BT information, which may be privileged or
> >> confidential. It's meant only for the individual(s) or entity named
> >> above.
> >>> If you're not the intended recipient, note that disclosing, copying,
> >> distributing or using this information is prohibited.
> >>> If you've received this email in error, please let me know 
> >>> immediately
> >> on the email address above. Thank you.
> >>>
> >>> We monitor our email system, and may record your emails.
> >>>
> >>> EE Limited
> >>> Registered office:Trident Place, Mosquito Way, Hatfield, 
> >>> Hertfordshire,
> >> AL10 9BW
> >>> Registered in England no: 02382161
> >>>
> >>> EE Limited is a wholly owned subsidiary of:
> >>>
> >>> British Telecommunications plc
> >>> Registered office: 81 Newgate Street London EC1A 7AJ
> >>> Registered in England no: 1800000
> >>>
> >>> _______________________________________________
> >>> sunset4 mailing list
> >>> sunset4@ietf.org <mailto:sunset4@ietf.org>
> >>> https://www.ietf.org/mailman/listinfo/sunset4
> >> <https://www.ietf.org/mailman/listinfo/sunset4>
> >
> > -- 
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
> >
> > _______________________________________________
> > sunset4 mailing list
> > sunset4@ietf.org
> > https://www.ietf.org/mailman/listinfo/sunset4
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email