Re: [sunset4] future of dnssec?
Mark Andrews <marka@isc.org> Wed, 22 February 2017 21:03 UTC
Return-Path: <marka@isc.org>
X-Original-To: sunset4@ietfa.amsl.com
Delivered-To: sunset4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA4E2129B41 for <sunset4@ietfa.amsl.com>; Wed, 22 Feb 2017 13:03:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.902
X-Spam-Level:
X-Spam-Status: No, score=-6.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GQbNcoPA0Zcp for <sunset4@ietfa.amsl.com>; Wed, 22 Feb 2017 13:03:15 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 276C2129AAA for <sunset4@ietf.org>; Wed, 22 Feb 2017 13:03:15 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id BEA863494FE; Wed, 22 Feb 2017 21:03:11 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id A3A91160048; Wed, 22 Feb 2017 21:03:11 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 9126716006D; Wed, 22 Feb 2017 21:03:11 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id dR40f4WGH3sU; Wed, 22 Feb 2017 21:03:11 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id C3998160048; Wed, 22 Feb 2017 21:03:10 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 97EB36455CD0; Thu, 23 Feb 2017 08:03:05 +1100 (EST)
To: Marc Blanchet <marc.blanchet@viagenie.ca>
From: Mark Andrews <marka@isc.org>
References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> <B5E8C545-55B9-4ECB-B0C8-C3EEFEECD320@fugue.com> <20170222143629.9E9C56454B08@rock.dv.isc.org> <8C2DC5DB-88CA-4541-BE50-C23088F77867@viagenie.ca>
In-reply-to: Your message of "Wed, 22 Feb 2017 10:00:30 -0500." <8C2DC5DB-88CA-4541-BE50-C23088F77867@viagenie.ca>
Date: Thu, 23 Feb 2017 08:03:05 +1100
Message-Id: <20170222210305.97EB36455CD0@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sunset4/HZk6Rm_QOEBqgly6ZhbxTRJQsqg>
Cc: "sunset4@ietf.org" <sunset4@ietf.org>
Subject: Re: [sunset4] future of dnssec?
X-BeenThere: sunset4@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: sunset4 working group discussion list <sunset4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sunset4>, <mailto:sunset4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sunset4/>
List-Post: <mailto:sunset4@ietf.org>
List-Help: <mailto:sunset4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sunset4>, <mailto:sunset4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Feb 2017 21:03:16 -0000
In message <8C2DC5DB-88CA-4541-BE50-C23088F77867@viagenie.ca>, "Marc Blanchet" writes: > On 22 Feb 2017, at 9:36, Mark Andrews wrote: > > > In message <B5E8C545-55B9-4ECB-B0C8-C3EEFEECD320@fugue.com>, Ted Lemon > > writes: > >> > >> Nick, the solution to this is to do DNS64 in the validator. If the > >> validator is a stub resolver, do the DNS64 hack there. AFAIK the > >> technology to support this already exists. > > > > DNS64 really should just be made historic. It does not work with > > DNSSEC. There has NEVER been a NEED for NAT64 or DNS64. They > > provides NO BENEFIT over other methods. Every proported benefit > > turns out not to exist. > > > > Go do the comparitive analysis. > > I respectfully disagree. dual-stack incur many additional costs > operationally. deploying v6only infrastructure is more cost effective, > specially over the long run. nowadays, statistics show that a large > amount of trafic could be carried over IPv6, which means then that you > « just » need to care about the tail of the IPv4-only destinations, > which is where nat64/dns64 comes. But I guess you know all this. Stop with the knee jerk reactions. What gave you the idea that I wasn't talking about IPv6-only networks? So use DS-LITE in HOST MODE. The only DS with that is in the host which you cannot avoid if you are using IPv4 literals or is that too much dual stack. A little bit inside the node with a fixed IPv4 address. No routing. No address assignments. As I said NAT64/DNS64 does not provide any benefits that are not available via other IPv4 as a service mechanisms with the added benefit that you don't have to teach applications / OS stack about DNS64 prefix discovery to deal with IPv6 literals. For NAT64/DNS64 and 464XLAT in the host *every* DNSSEC validator in the DNS path needs to be taught how to do DNS64 prefix discovery and therefor that it need to lie about AAAA results whether or not they are going to be used for a IPv6 connection or not. Mark > Marc. > > > > >>> On Feb 22, 2017, at 7:23 AM, Heatley, Nick <nick.heatley@ee.co.uk> > >> wrote: > >>> > >>> Post exhaustion, the majority of cellular networks and some public > >>> wifi > >> networks will use DNS64. > >>> DNSSEC and DNS64 do not get along. DNSSEC for âA records onlyâ > >>> is > >> broken. > >>> Is this the reason why all content must go v6? > >>> Or is the case for DNSSEC still questionable? > >>> Or do end hosts need to perform DNS64 so âDNSSEC for A records > >>> onlyâ > >> can be intact? > >>> > >>> NOTICE AND DISCLAIMER > >>> This email contains BT information, which may be privileged or > >> confidential. It's meant only for the individual(s) or entity named > >> above. > >>> If you're not the intended recipient, note that disclosing, copying, > >> distributing or using this information is prohibited. > >>> If you've received this email in error, please let me know > >>> immediately > >> on the email address above. Thank you. > >>> > >>> We monitor our email system, and may record your emails. > >>> > >>> EE Limited > >>> Registered office:Trident Place, Mosquito Way, Hatfield, > >>> Hertfordshire, > >> AL10 9BW > >>> Registered in England no: 02382161 > >>> > >>> EE Limited is a wholly owned subsidiary of: > >>> > >>> British Telecommunications plc > >>> Registered office: 81 Newgate Street London EC1A 7AJ > >>> Registered in England no: 1800000 > >>> > >>> _______________________________________________ > >>> sunset4 mailing list > >>> sunset4@ietf.org <mailto:sunset4@ietf.org> > >>> https://www.ietf.org/mailman/listinfo/sunset4 > >> <https://www.ietf.org/mailman/listinfo/sunset4> > > > > -- > > Mark Andrews, ISC > > 1 Seymour St., Dundas Valley, NSW 2117, Australia > > PHONE: +61 2 9871 4742 INTERNET: marka@isc.org > > > > _______________________________________________ > > sunset4 mailing list > > sunset4@ietf.org > > https://www.ietf.org/mailman/listinfo/sunset4 -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [sunset4] future of dnssec? Heatley, Nick
- Re: [sunset4] future of dnssec? Ca By
- Re: [sunset4] future of dnssec? Ted Lemon
- Re: [sunset4] future of dnssec? Ted Lemon
- Re: [sunset4] future of dnssec? Mark Andrews
- Re: [sunset4] future of dnssec? Mark Andrews
- Re: [sunset4] future of dnssec? Marc Blanchet
- Re: [sunset4] future of dnssec? Ca By
- Re: [sunset4] future of dnssec? Ted Lemon
- Re: [sunset4] future of dnssec? Philip Homburg
- Re: [sunset4] future of dnssec? Ted Lemon
- Re: [sunset4] future of dnssec? Michael Richardson
- Re: [sunset4] future of dnssec? Mark Andrews
- Re: [sunset4] future of dnssec? Mark Andrews
- Re: [sunset4] future of dnssec? Mark Andrews
- Re: [sunset4] future of dnssec? Ted Lemon
- Re: [sunset4] future of dnssec? Heatley, Nick
- Re: [sunset4] future of dnssec? Mark Andrews
- Re: [sunset4] future of dnssec? Heatley, Nick
- Re: [sunset4] future of dnssec? Sander Steffann
- Re: [sunset4] future of dnssec? Mark Andrews
- Re: [sunset4] future of dnssec? Mark Andrews
- Re: [sunset4] future of dnssec? Sander Steffann
- Re: [sunset4] future of dnssec? Mark Andrews