IETF Logo Mail Archive

Re: [sunset4] [DNSOP] New Version Notification for draft-palet-sunset4-ipv6-ready-dns-00.txt

JORDI PALET MARTINEZ <jordi.palet@consulintel.es> Sun, 26 November 2017 09:21 UTC

Return-Path: <prvs=1503e18523=jordi.palet@consulintel.es>
X-Original-To: sunset4@ietfa.amsl.com
Delivered-To: sunset4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A0BD1293D9 for <sunset4@ietfa.amsl.com>; Sun, 26 Nov 2017 01:21:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=consulintel.es; domainkeys=pass (1024-bit key) header.from=jordi.palet@consulintel.es header.d=consulintel.es
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wnU6NKo_QQiE for <sunset4@ietfa.amsl.com>; Sun, 26 Nov 2017 01:21:11 -0800 (PST)
Received: from mail.consulintel.es (mail.consulintel.es [217.126.185.215]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E94B4120721 for <sunset4@ietf.org>; Sun, 26 Nov 2017 01:21:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=consulintel.es; s=MDaemon; t=1511688064; x=1512292864; q=dns/txt; h=DomainKey-Signature: Received:User-Agent:Date:Subject:From:To:CC:Message-ID: Thread-Topic:References:In-Reply-To:Mime-version:Content-type: Content-transfer-encoding:Reply-To; bh=5zm0amV/EbtSaM/xWFPtEQxAl 3fWlllZ+2OAbwn9ojc=; b=O1G1MOJhkGfgbOHFM1z/XHaZvwdMZMjgNlwBZEn3Y JfheQcFJfqygwY368CWmI1cmTlOtNSyF3gXnN+1cm8T6WVJ2DvEJZ09Tot6357W2 hKH2vI0a+d0fIvFl82u5fSMrfO05CiVNAUqOrluqbfPYUX0u6Oa8d2A6qeBgi4kK ak=
DomainKey-Signature: a=rsa-sha1; s=MDaemon; d=consulintel.es; c=simple; q=dns; h=from:message-id; b=R5GMOVdzOSPZwt9O+4zl0MagquAZATorUwBA+Hnzf6GJNTEcoKgPqkhrx4yp AEKU9nLs+GM4qc84Es5j8jMWEOPVKe6NPt0ShbENYkuEb0m3nUajYVEfH VUb5VL9j3hWuT9sVCnTxq7ukruMXgXznbtQd3nuayX2LyKspzkAOLI=;
X-MDAV-Processed: mail.consulintel.es, Sun, 26 Nov 2017 10:20:59 +0100
X-Spam-Processed: mail.consulintel.es, Sun, 26 Nov 2017 10:20:57 +0100
Received: from [10.10.10.133] by mail.consulintel.es (MDaemon PRO v11.0.3) with ESMTP id md50005638812.msg for <sunset4@ietf.org>; Sun, 26 Nov 2017 10:20:48 +0100
X-MDOP-RefID: re=0.000,fgs=0 (_st=1 _vt=0 _iwf=0)
X-Authenticated-Sender: jordi.palet@consulintel.es
X-HashCash: 1:20:171126:md50005638812::Jqhau2aUC5bQD02e:00005a46
X-Return-Path: prvs=1503e18523=jordi.palet@consulintel.es
X-Envelope-From: jordi.palet@consulintel.es
X-MDaemon-Deliver-To: sunset4@ietf.org
User-Agent: Microsoft-MacOutlook/f.27.0.171010
Date: Sun, 26 Nov 2017 10:20:40 +0100
From: JORDI PALET MARTINEZ <jordi.palet@consulintel.es>
To: sunset4@ietf.org
CC: Daniel Karrenberg <daniel@karrenberg.net>
Message-ID: <42D899A2-9220-4689-971B-9C064F98C05B@consulintel.es>
Thread-Topic: [sunset4] [DNSOP] New Version Notification for draft-palet-sunset4-ipv6-ready-dns-00.txt
References: <151155545267.9162.17152586924934799206.idtracker@ietfa.amsl.com> <B0A6AF83-099A-4D4D-83EB-BA4B45D00353@consulintel.es> <2E863078-8E32-4657-B1F4-0417A0C95A05@consulintel.es> <18C3DFC8-45B9-4C41-8151-ACA840F00518@gmail.com> <9B47C38D-B446-466F-BE88-DD09E40814B3@hopcount.ca>
In-Reply-To: <9B47C38D-B446-466F-BE88-DD09E40814B3@hopcount.ca>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Reply-To: jordi.palet@consulintel.es
Archived-At: <https://mailarchive.ietf.org/arch/msg/sunset4/qM5Em0FZTN0Jnd6V8UQEjwr7Avc>
Subject: Re: [sunset4] [DNSOP] New Version Notification for draft-palet-sunset4-ipv6-ready-dns-00.txt
X-BeenThere: sunset4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: sunset4 working group discussion list <sunset4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sunset4>, <mailto:sunset4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sunset4/>
List-Post: <mailto:sunset4@ietf.org>
List-Help: <mailto:sunset4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sunset4>, <mailto:sunset4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Nov 2017 09:21:12 -0000

Hi Joe,

As I just mention, it is pity that the ccTLDs can opt-out that policy.

What I don’t think is that, if the gTLDs have such requirement in the contract, they are actually enforcing it?

Do you have pointers to relevant documents to understand what are the exact requirements and why is not being enforced?

My perspective is that end-users, in their LANs, will have IPv4 for a while, but the access may turn into IPv6-only sooner. End-users have devices such as IP cameras and many others, that cost money, and they will not be sent to the trash can in several years (5-10 years?). So even if the resolvers aren’t IPv6-capable, is not an issue, but want we need to avoid is the situation of having a service in Internet which is NOT-IPv6 enabled and breaks (example breaks DNSSEC) using the transition mechanism required for having an IPv6-only access but IPv4 support in the LAN (for example 464XLAT with NAT64). The same solution I’m proposing, actually helps to have IPv6-only LANs, of course, so in the way to a complete IPv6-only Internet.

I think including in my ID a sunset for IPv4 in root and TLDs (again even if ccTLDs can opt-out), is interesting and definitively will be an extra “push” in the right direction. I will include that in a new version.

I think we can have something like this:

1.  Root and TLDs MUST be IPv6-Ready in 6 months.

2.  Authoritative NS MUST be IPv6-Ready in 12 months.

3. Root and TLDs MUST drop IPv4 support in 15 months.

4.  DNSSEC authoritative MUST be IPv6-Ready in 18 months.

5.  Other A RRs, MUST be IPv6-Ready in 24 months.

6.  Other RRs, MUST be IPv6-Ready in 30 months.

If you don’t mind, I will steal your technical motivations in my text, I didn’t considered initially in my document extending too much in the “technical” reasons, but it looks like a better way to justify the need for this additional step.

Regards,
Jordi
 

-----Mensaje original-----
De: sunset4 <sunset4-bounces@ietf.org> en nombre de Joe Abley <jabley@hopcount.ca>
Responder a: <jabley@hopcount.ca>
Fecha: domingo, 26 de noviembre de 2017, 0:47
Para: Fred Baker <fredbaker.ietf@gmail.com>
CC: "v6ops@ietf.org WG" <v6ops@ietf.org>, <6man@ietf.org>, Daniel Karrenberg <daniel@karrenberg.net>, <dnsop@ietf.org>, <sunset4@ietf.org>, JORDI PALET MARTINEZ <jordi.palet@consulintel.es>
Asunto: Re: [sunset4] [DNSOP] New Version Notification for draft-palet-sunset4-ipv6-ready-dns-00.txt

    Hi Fred,
    
    [I haven't read Jordi's draft; I'm just responding to what I've read in this thread.]
    
    On Nov 25, 2017, at 14:00, Fred Baker <fredbaker.ietf@gmail.com> wrote:
    
    > One thing you might want to think about: the root servers are all IPv6-capable today and serve requests using IPv6, and the 1541 TLDs are all required by contract with ICANN to be IPv6-capable. I think you'll find yourself holding the burden of proof that the infrastructure isn't capable of IPv6-only operation today.
    
    monster:~]% egrep -c '^[A-Z]' /usr/share/misc/iso3166 
    249
    [monster:~]% 
    
    There are potentially 249 TLDs that are not operated under any such contract with ICANN, although I agree that the majority of ccTLDs have at least one nameserver that is v6-capable (maybe all, but I haven't checked and I wouldn't want to assume).
    
    The important clients for all of these authoritative servers from the perspective of end-users are resolvers. I think it's uncontroversial to suggest without citation that not all resolvers used by end-users today are v6-capable, or downstream from a resolver that is v6-capable. So we are not ready to turn off v4 today unless significant collateral damage is considered acceptable (and surely it's not).
    
    This is a relatively small problem to solve, though (note use of "relatively"). I think it would actually be practical to announce a sunset for v4 on gTLD and root servers at some suitable target date in the not too distant future, the implementation of which could be mainly handled within the root zone itself.
    
    Aside from the techno-political v6-deployment motivations, I think there would be good engineering reasons to sunset v4 in root and TLD servers.
    
    Such a move would open the door to the complete removal of v4 transport from all of those servers which would eliminate them as viable amplifiers in attacks against v4 targets. It would also provide greater motivation to deal with any unreliability in v6 operations in the DNS or connecting networks, fragmentation-related transport issues, etc which will surely otherwise see minimal attention so long as working v4 transport masks v6 problems.
    
    
    Joe
    _______________________________________________
    sunset4 mailing list
    sunset4@ietf.org
    https://www.ietf.org/mailman/listinfo/sunset4
    



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

v2.23.0 | Report a Bug | By Email