IETF Logo Mail Archive

Re: [v6ops] FW: New Version Notification for draft-palet-v6ops-464xlat-deployment-00.txt

Mark Andrews <marka@isc.org> Fri, 13 October 2017 00:40 UTC

Return-Path: <marka@isc.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 307CB132930 for <v6ops@ietfa.amsl.com>; Thu, 12 Oct 2017 17:40:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9oAjep34LvXN for <v6ops@ietfa.amsl.com>; Thu, 12 Oct 2017 17:40:15 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 878A213232C for <v6ops@ietf.org>; Thu, 12 Oct 2017 17:40:15 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id D35503AC88C; Fri, 13 Oct 2017 00:40:11 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id A453516005B; Fri, 13 Oct 2017 00:40:11 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 93F31160085; Fri, 13 Oct 2017 00:40:11 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 6sGUnBvwNIYU; Fri, 13 Oct 2017 00:40:11 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 11A4116005B; Fri, 13 Oct 2017 00:40:11 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id D13338AD1CED; Fri, 13 Oct 2017 11:40:07 +1100 (AEDT)
To: Mikael Abrahamsson <swmike@swm.pp.se>
Cc: JORDI PALET MARTINEZ <jordi.palet@consulintel.es>, IPv6 Ops WG <v6ops@ietf.org>
From: Mark Andrews <marka@isc.org>
References: <150755581666.18336.7914755965262691836.idtracker@ietfa.amsl.com> <CB970DA1-7E14-4E38-8FE1-535108518819@consulintel.es> <CAD6AjGQJXFOEysWbDRM3JZwy2JKquxzpTTDy5_XbOm7-Db7xjg@mail.gmail.com> <alpine.DEB.2.20.1710091711380.31961@uplift.swm.pp.se> <D4D1D13A-6B68-4FF8-BF11-922813CC7F6E@consulintel.es> <alpine.DEB.2.20.1710101137120.31961@uplift.swm.pp.se>
In-reply-to: Your message of "Tue, 10 Oct 2017 11:50:50 +0200." <alpine.DEB.2.20.1710101137120.31961@uplift.swm.pp.se>
Date: Fri, 13 Oct 2017 11:40:07 +1100
Message-Id: <20171013004007.D13338AD1CED@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/2eLtp904y6OXOVZfthPdTQ2vuSI>
Subject: Re: [v6ops] FW: New Version Notification for draft-palet-v6ops-464xlat-deployment-00.txt
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Oct 2017 00:40:17 -0000

In message <alpine.DEB.2.20.1710101137120.31961@uplift.swm.pp.se>, Mikael Abrah
amsson writes:
> On Tue, 10 Oct 2017, JORDI PALET MARTINEZ wrote:
> 
> > Hi Mikael,
> >
> > So, in your opinion, if I understand it correctly:
> > 1) DNSSEC must not be ignored
> > 2) DNS64 should be supported
> 
> Correct. Don't know exactly how to do that, but that's what I'd like to 
> see.
> 
> > Could you agree in a document that describes different deployment models su
> pporting or not 1, 2, above?
> 
> I'm just speculating/brainstorming here... but let me write some text and 
> see what people think:
> 
> 1. A DNS64 resolver should do DNSSEC validation before synthesis.
> 
> 2. A device behind DNS64 that intends to do DNSSEC validataion should 
> identify the NAT64 prefix via the standard means, and then it should (if 
> DNSSEC validation fails on AAAA question) do DNSSEC validation of A record 
> and perform its own DNS64 function (if the AAAA answer that failed DNSSEC 
> validation fell within the discovered NAT64 prefix).
> 
> I wasn't there during the DNS64 work, I don't know if these things were 
> discussed and rejected for good reasons but... Have at me.

Behave failed to listen to the fact that there is NO WAY TO TELL
IF A CLIENT IS VALIDATING RESPONSES.  It decided that CD=0 meant
not validating which is NOT the case.

This is what the DNSSEC flag bits mean

	DO=0		Not validating

	DO=1 CD=0	May be validating  (DNS64 says not validating)
			(These are the type of queries many validating
			client issue by default)

	DO=1 CD=1	May be validating, do not validate responses to
			any request you make to resolve this query, just
			include them in your response.
			(DNS64 says is validating)

Both DO=1 CD=0 and DO=1 CD=1 queries need to be sent by validating
clients to get answers through a validating recursive server. DO=1
CD=0 allow the recursive server to reject spoofed or otherwise bad
responses to queries it makes on the clients behalf and retry.  DO=1
CD=1 allow the responses to get through a recusive server with bad
trust anchors or a bad clock.

Just sending DO=1 CD=1 means that there is no reject or retry and
no control over which authoritative servers are queries.  Multiple
authoritative servers are tries with DO=1 CD=0 queries on the clients
behalf.  DO=1 CD=1 are NOT REQUIRED to be validated and are not
cached unless they have been validated as secure or insecure.  They
MUST NOT be returned to DO=1 CD=0 or DO=0 queries without being
validated.

If all the servers are correctly configured and there is no spoofing
happening it doesn't matter if you send DO=1 CD=0 or DO=1 CD=1 when
you are validating you will get a response that will validate as
secure / insecure.  What you send when this is not the case however
is critical.

This was pointed out numerous times but behave went ahead and wrote
a specification that DOES NOT WORK and cannot be made to work (it
is mathematically impossible to do) and due to rough consensus it
was passed.  The "crazy DNSSEC guy" was not listened too.

Mark

> -- 
> Mikael Abrahamsson    email: swmike@swm.pp.se
> 
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email