Re: [sunset4] future of dnssec?
Mark Andrews <marka@isc.org> Wed, 22 February 2017 21:14 UTC
To: Ca By <cb.list6@gmail.com>
From: Mark Andrews <marka@isc.org>
References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> <B5E8C545-55B9-4ECB-B0C8-C3EEFEECD320@fugue.com> <20170222143629.9E9C56454B08@rock.dv.isc.org> <CAD6AjGS9gF3AX_EXo8fbii-TYFhHa6CdUkxEQXjvOdQsXSxhrw@mail.gmail.com>
In-reply-to: Your message of "Wed, 22 Feb 2017 16:19:40 -0000." <CAD6AjGS9gF3AX_EXo8fbii-TYFhHa6CdUkxEQXjvOdQsXSxhrw@mail.gmail.com>
Date: Thu, 23 Feb 2017 08:14:46 +1100
Message-Id: <20170222211447.04FD06455DBF@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sunset4/waAdDUVrgq3_Poi48Xy5Dp0gRMI>
Cc: "Heatley, Nick" <nick.heatley@ee.co.uk>, Ted Lemon <mellon@fugue.com>, "sunset4@ietf.org" <sunset4@ietf.org>
Subject: Re: [sunset4] future of dnssec?
In message <CAD6AjGS9gF3AX_EXo8fbii-TYFhHa6CdUkxEQXjvOdQsXSxhrw@mail.gmail.com>, Ca By writes:

> On Wed, Feb 22, 2017 at 6:36 AM Mark Andrews <marka@isc.org> wrote:
> >
> > In message <B5E8C545-55B9-4ECB-B0C8-C3EEFEECD320@fugue.com>, Ted Lemon
> > writes:
> > >
> > > Nick, the solution to this is to do DNS64 in the validator. If the
> > > validator is a stub resolver, do the DNS64 hack there. AFAIK the
> > > technology to support this already exists.
> >
> > DNS64 really should just be made historic. It does not work with
> > DNSSEC. There has NEVER been a NEED for NAT64 or DNS64. They
> > provide NO BENEFIT over other methods. Every purported benefit
> > turns out not to exist.
> >
> > Go do the comparative analysis.
>
> From a network with 10s of millions of nat64 users and zero dnssec, I
> disagree and suggest dnssec move to historic since it is a ddos attack
> vector and provides no privacy element and generally weak crypto ... also it
> has caused many wide scale outages for networks that have elected to use
> it.

Well, I was meaning to compare with other IPv4-as-a-service solutions, but
if you want to go here:

DNSSEC issues are really no worse than any other DNS delegation
misconfigurations that happen. Have you actually run behind a validating
DNSSEC resolver, or are you looking in from the outside? DNSSEC really
isn't that hard to do right.

I've actually been running behind DNSSEC validating resolvers for a decade
now using DNS data that is signed all the way down.

Mark

> > > On Feb 22, 2017, at 7:23 AM, Heatley, Nick <nick.heatley@ee.co.uk> wrote:
> > > >
> > > > Post exhaustion, the majority of cellular networks and some public wifi
> > > > networks will use DNS64.
> > > > DNSSEC and DNS64 do not get along. DNSSEC for “A records only” is
> > > > broken.
> > > > Is this the reason why all content must go v6?
> > > > Or is the case for DNSSEC still questionable?
> > > > Or do end hosts need to perform DNS64 so “DNSSEC for A records only”
> > > > can be intact?
> > > >
> > > > NOTICE AND DISCLAIMER
> > > > This email contains BT information, which may be privileged or
> > > > confidential. It's meant only for the individual(s) or entity named
> > > > above.
> > > > If you're not the intended recipient, note that disclosing, copying,
> > > > distributing or using this information is prohibited.
> > > > If you've received this email in error, please let me know immediately
> > > > on the email address above. Thank you.
> > > >
> > > > We monitor our email system, and may record your emails.
> > > >
> > > > EE Limited
> > > > Registered office: Trident Place, Mosquito Way, Hatfield, Hertfordshire,
> > > > AL10 9BW
> > > > Registered in England no: 02382161
> > > >
> > > > EE Limited is a wholly owned subsidiary of:
> > > >
> > > > British Telecommunications plc
> > > > Registered office: 81 Newgate Street London EC1A 7AJ
> > > > Registered in England no: 1800000
> > > >
> > > > _______________________________________________
> > > > sunset4 mailing list
> > > > sunset4@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/sunset4
> >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
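The DNS64 synthesis step that Ted proposes moving into the validating stub, written out as an added example (not code from this thread, from ISC or from any DNS64 implementation): it embeds an IPv4 address in a Pref64::/n and recovers it again per the RFC 6052 layouts for all six permitted prefix lengths, including the zero "u" octet. A resolver that injects such an AAAA has no RRSIG covering it, so a validating client downstream cannot accept it, whereas a stub that validates the A RRset first and only then runs this synthesis locally keeps "DNSSEC for A records only" intact. The function names are mine; the prefixes used in the checks are the well-known 64:ff9b::/96 and the documentation prefixes from RFC 6052.

```python
import ipaddress

# RFC 6052 permits these Pref64::/n lengths; octet 8 (bits 64-71, "u") must stay zero.
VALID_PLENS = (32, 40, 48, 56, 64, 96)


def _v4_slots(plen: int):
    """Byte ranges of the 16-byte address that hold the embedded IPv4 address.

    For /96 and /64 the four octets are contiguous; for shorter prefixes they
    are split around the u octet at position 8.
    """
    if plen == 96:
        return (12, 16), (16, 16)
    if plen == 64:
        return (9, 13), (13, 13)
    head = 8 - plen // 8                  # IPv4 octets that fit before octet 8
    return (plen // 8, 8), (9, 9 + 4 - head)


def synthesize_aaaa(pref64: str, ipv4: str) -> str:
    """Embed ipv4 in pref64 (e.g. "64:ff9b::/96") as a DNS64 synthesizer would."""
    net = ipaddress.IPv6Network(pref64, strict=False)
    if net.prefixlen not in VALID_PLENS:
        raise ValueError(f"unsupported Pref64 length /{net.prefixlen}")
    v4 = ipaddress.IPv4Address(ipv4).packed
    addr = bytearray(net.network_address.packed)   # prefix bits set, rest zero
    (a, b), (c, d) = _v4_slots(net.prefixlen)
    addr[a:b] = v4[: b - a]
    addr[c:d] = v4[b - a:]
    return str(ipaddress.IPv6Address(bytes(addr)))


def is_synthesized(pref64: str, ipv6: str) -> bool:
    """True if ipv6 lies in pref64 with a zero u octet, i.e. looks DNS64-made."""
    net = ipaddress.IPv6Network(pref64, strict=False)
    addr = ipaddress.IPv6Address(ipv6)
    return addr in net and (net.prefixlen == 96 or addr.packed[8] == 0)


def extract_ipv4(pref64: str, ipv6: str) -> str:
    """Inverse of synthesize_aaaa; raises ValueError if ipv6 is not under pref64."""
    if not is_synthesized(pref64, ipv6):
        raise ValueError(f"{ipv6} is not IPv4-embedded under {pref64}")
    b = ipaddress.IPv6Address(ipv6).packed
    (a, e), (c, d) = _v4_slots(ipaddress.IPv6Network(pref64, strict=False).prefixlen)
    return str(ipaddress.IPv4Address(b[a:e] + b[c:d]))
```

A stub doing this locally feeds `synthesize_aaaa` only addresses taken from an A RRset it has already validated; `is_synthesized` lets a client recognise an AAAA in the Pref64 range that a resolver injected without a signature.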