Re: [sunset4] future of dnssec?

Mark Andrews <marka@isc.org> Wed, 22 February 2017 21:14 UTC

To: Ca By <cb.list6@gmail.com>
From: Mark Andrews <marka@isc.org>
References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> <B5E8C545-55B9-4ECB-B0C8-C3EEFEECD320@fugue.com> <20170222143629.9E9C56454B08@rock.dv.isc.org> <CAD6AjGS9gF3AX_EXo8fbii-TYFhHa6CdUkxEQXjvOdQsXSxhrw@mail.gmail.com>
In-reply-to: Your message of "Wed, 22 Feb 2017 16:19:40 -0000." <CAD6AjGS9gF3AX_EXo8fbii-TYFhHa6CdUkxEQXjvOdQsXSxhrw@mail.gmail.com>
Date: Thu, 23 Feb 2017 08:14:46 +1100
Message-Id: <20170222211447.04FD06455DBF@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sunset4/waAdDUVrgq3_Poi48Xy5Dp0gRMI>
Cc: "Heatley, Nick" <nick.heatley@ee.co.uk>, Ted Lemon <mellon@fugue.com>, "sunset4@ietf.org" <sunset4@ietf.org>
Subject: Re: [sunset4] future of dnssec?

In message <CAD6AjGS9gF3AX_EXo8fbii-TYFhHa6CdUkxEQXjvOdQsXSxhrw@mail.gmail.com>, Ca By writes:
> On Wed, Feb 22, 2017 at 6:36 AM Mark Andrews <marka@isc.org> wrote:
> 
> >
> > In message <B5E8C545-55B9-4ECB-B0C8-C3EEFEECD320@fugue.com>, Ted Lemon
> > writes:
> > >
> > > Nick, the solution to this is to do DNS64 in the validator.   If the
> > > validator is a stub resolver, do the DNS64 hack there.   AFAIK the
> > > technology to support this already exists.
> >
> > DNS64 really should just be made historic.  It does not work with
> > DNSSEC.  There has NEVER been a NEED for NAT64 or DNS64.  They
> > provide NO BENEFIT over other methods.  Every purported benefit
> > turns out not to exist.
> >
> > Go do the comparative analysis.
> 
> 
> From a network with 10s of millions of nat64 users and zero dnssec, I
> disagree and suggest dnssec move to historic since it is a ddos attack
> vector and provides no privacy element and generally weak crypto ... also it
> has caused many wide scale outages for networks that have elected to use
> it.

Well, I was meaning to compare with other IPv4-as-a-service solutions,
but if you want to go here.

DNSSEC issues are really no worse than any other DNS delegation
misconfigurations that happen.  Have you actually run behind a
validating DNSSEC resolver or are you looking in from the outside?
DNSSEC really isn't that hard to do right.  I've actually been
running behind DNSSEC validating resolvers for a decade now using
DNS data that is signed all the way down.

Mark

> > > > On Feb 22, 2017, at 7:23 AM, Heatley, Nick <nick.heatley@ee.co.uk>
> > > wrote:
> > > >
> > > > Post exhaustion, the majority of cellular networks and some public wifi
> > > networks will use DNS64.
> > > > DNSSEC and DNS64 do not get along. DNSSEC for "A records only" is
> > > broken.
> > > > Is this the reason why all content must go v6?
> > > > Or is the case for DNSSEC still questionable?
> > > > Or do end hosts need to perform DNS64 so "DNSSEC for A records only"
> > > can be intact?
> > > >
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org