IETF Logo Mail Archive

Re: [sunset4] future of dnssec?

Mark Andrews <marka@isc.org> Thu, 23 February 2017 20:19 UTC

Return-Path: <marka@isc.org>
X-Original-To: sunset4@ietfa.amsl.com
Delivered-To: sunset4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71F1A129A9A for <sunset4@ietfa.amsl.com>; Thu, 23 Feb 2017 12:19:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kYZDdzv5Y_eu for <sunset4@ietfa.amsl.com>; Thu, 23 Feb 2017 12:19:25 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D173C129A8B for <sunset4@ietf.org>; Thu, 23 Feb 2017 12:19:24 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 14F23349415; Thu, 23 Feb 2017 20:19:22 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id EA1BC16004F; Thu, 23 Feb 2017 20:19:21 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id D2A3C160070; Thu, 23 Feb 2017 20:19:21 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id GZPcDMuVHFyU; Thu, 23 Feb 2017 20:19:21 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 3B7CE16004F; Thu, 23 Feb 2017 20:19:21 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 3BEDA6470D6F; Fri, 24 Feb 2017 07:19:18 +1100 (EST)
To: Sander Steffann <sander@steffann.nl>
From: Mark Andrews <marka@isc.org>
References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> <B5E8C545-55B9-4ECB-B0C8-C3EEFEECD320@fugue.com> <20170222143629.9E9C56454B08@rock.dv.isc.org> <AC554B0E-709B-474D-97BD-C2518CED2266@fugue.com> <6E387159-A35B-487D-9818-0325E072E865@steffann.nl>
In-reply-to: Your message of "Thu, 23 Feb 2017 18:38:10 +0100." <6E387159-A35B-487D-9818-0325E072E865@steffann.nl>
Date: Fri, 24 Feb 2017 07:19:18 +1100
Message-Id: <20170223201918.3BEDA6470D6F@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sunset4/N85tN86eNdmwWv0SJDb6eIwEt9E>
Cc: "Heatley, Nick" <nick.heatley@ee.co.uk>, Ted Lemon <mellon@fugue.com>, "sunset4@ietf.org" <sunset4@ietf.org>
Subject: Re: [sunset4] future of dnssec?
X-BeenThere: sunset4@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: sunset4 working group discussion list <sunset4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sunset4>, <mailto:sunset4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sunset4/>
List-Post: <mailto:sunset4@ietf.org>
List-Help: <mailto:sunset4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sunset4>, <mailto:sunset4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2017 20:19:26 -0000

In message <6E387159-A35B-487D-9818-0325E072E865@steffann.nl>, Sander Steffann 
writes:
>
> Hi,
>
> > Op 22 feb. 2017, om 17:35 heeft Ted Lemon <mellon@fugue.com> het
> volgende geschreven:
> >
> > On Feb 22, 2017, at 9:36 AM, Mark Andrews <marka@isc.org> wrote:
> >> DNS64 really should just be made historic.  It does not work with
> >> DNSSEC.  There has NEVER been a NEED for NAT64 or DNS64.  They
> >> provides NO BENEFIT over other methods.  Every proported benefit
> >> turns out not to exist.
> >
> > (A) I find NAT64 to be a very convenient solution, and best of all it
> tests IPv6 functionality in apps, so I know which apps will not work on a
> v6-only network.
> > (B) DNS64 works _fine_ with DNSSEC as long as you do the DNS64
> translation _after you validate_.
>
> This.
>
> I have tested different implementations and used others that work like
> this, and it works fine. I'm at Cisco Live in Berlin and I have been
> behind a DNSSEC validating NAT64 resolver the whole week (thanks to Jan
> Žorž for providing it!).

I presume the configuration was:

Internet <-> ISP validating DNS64 <-> clients.

That's the trivial configuration.

You need to think about all the other ways networks are set up today.

Internet <-> ISP validating DNS64 <-> validating recursive server <-> clients.
Internet <-> ISP validating DNS64 <-> validating recursive server <-> validating clients.

then to get them to work you need to add DNS64 prefix learning to every
validating device in the path.

How often does the validating recursive server attempt to do DNS64
prefix discovery?  Every time it gets a NODATA to AAAA lookups?
Even one non-DNS64 prefix discovering validating resolver in the
path breaks DNS64 for everything behind it.  Fiddling with DO and
CD doesn't get the synthesised DNS64 records through a non-DNS64
prefix discovery aware validating resolver.

Then there are clients that do

Internet <-> 8.8.8.8 <-> validating recursive server <-> validating clients.

How do they learn the DNS64 prefix?  Too many ISP's mangle DNS to
trust responses from them.

Mark

> Cheers,
> Sander

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email