IETF Logo Mail Archive

Re: [sunset4] future of dnssec?

Mark Andrews <marka@isc.org> Thu, 23 February 2017 22:38 UTC

Return-Path: <marka@isc.org>
X-Original-To: sunset4@ietfa.amsl.com
Delivered-To: sunset4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 424C0129BB1 for <sunset4@ietfa.amsl.com>; Thu, 23 Feb 2017 14:38:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XWvsaiymzR3Z for <sunset4@ietfa.amsl.com>; Thu, 23 Feb 2017 14:38:03 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03BBB129B9F for <sunset4@ietf.org>; Thu, 23 Feb 2017 14:38:03 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id C020A3493CF; Thu, 23 Feb 2017 22:38:00 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id AA0B8160071; Thu, 23 Feb 2017 22:38:00 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 99087160070; Thu, 23 Feb 2017 22:38:00 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id s42L8mSa5kNY; Thu, 23 Feb 2017 22:38:00 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 1ED2716004F; Thu, 23 Feb 2017 22:38:00 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 936076472B6B; Fri, 24 Feb 2017 09:37:53 +1100 (EST)
To: Sander Steffann <sander@steffann.nl>
From: Mark Andrews <marka@isc.org>
References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> <B5E8C545-55B9-4ECB-B0C8-C3EEFEECD320@fugue.com> <20170222143629.9E9C56454B08@rock.dv.isc.org> <AC554B0E-709B-474D-97BD-C2518CED2266@fugue.com> <6E387159-A35B-487D-9818-0325E072E865@steffann.nl> <20170223201918.3BEDA6470D6F@rock.dv.isc.org> <391350BB-2100-4D43-8F3D-0F63FCC7AEC7@steffann.nl>
In-reply-to: Your message of "Thu, 23 Feb 2017 23:06:14 +0100." <391350BB-2100-4D43-8F3D-0F63FCC7AEC7@steffann.nl>
Date: Fri, 24 Feb 2017 09:37:53 +1100
Message-Id: <20170223223753.936076472B6B@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sunset4/RMDGdtEEWtTM2g5it5VrZqCYUmc>
Cc: "Heatley, Nick" <nick.heatley@ee.co.uk>, Ted Lemon <mellon@fugue.com>, "sunset4@ietf.org" <sunset4@ietf.org>
Subject: Re: [sunset4] future of dnssec?
X-BeenThere: sunset4@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: sunset4 working group discussion list <sunset4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sunset4>, <mailto:sunset4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sunset4/>
List-Post: <mailto:sunset4@ietf.org>
List-Help: <mailto:sunset4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sunset4>, <mailto:sunset4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2017 22:38:04 -0000

In message <391350BB-2100-4D43-8F3D-0F63FCC7AEC7@steffann.nl>, Sander Steffann 
writes:
> Hi Mark,
>
> > I presume the configuration was:
> >
> > Internet <-> ISP validating DNS64 <-> clients.
>
> Correct
>
> > That's the trivial configuration.
> >
> > You need to think about all the other ways networks are set up today.
> >
> > Internet <-> ISP validating DNS64 <-> validating recursive server <->
> clients.
> > Internet <-> ISP validating DNS64 <-> validating recursive server <->
> validating clients.
>
> Those setups are so uncommon in the places where DNS64 is used that it
> causes no problems.

Except people seem to think that NAT64/DNS64 and 464XLAT is a good
future solution to the places where the above without DNS64 is
currently in use today.

We need to be delivering tech today that will work when the ISPs
that are currently IPv4-only or dual stack today become IPv6-only
tomorrow.  Those ISPs have people with validating resolvers that
point at the ISP's resolvers or they point to resolvers like Google's
8.8.8.8 service or they just talk directly to the root servers.
Not all of those validating resolvers are on border routers.

Now the resolvers that use 8.8.8.8 just need to add 2001:4860:4860::8888
to the list of forwarders to work in a IPv6-only environment.

Those that talk directly to the root need to add a server of last
resort like 2001:4860:4860::8888 so they can lookup data from zones
with IPv4 only servers.  We added code to our nameserver product
over a decade ago to support this sort of behaviour.  We knew that
recursive servers would end up behind IPv6-only links that needed
to lookup data from IPv4-only zones.

Mark

> I realise that there are plenty of ways this can break, but in reality it
> works pretty well. But I agree it's a hack and the sooner we can get rid
> of IPv4 the better. In that context I'll happily use it.
>
> Cheers,
> Sander
>
>

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email