Re: [v6ops] FW: New Version Notification for draft-palet-v6ops-464xlat-deployment-00.txt
Mark Andrews <marka@isc.org> Fri, 13 October 2017 00:40 UTC
Return-Path: <marka@isc.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 307CB132930 for <v6ops@ietfa.amsl.com>; Thu, 12 Oct 2017 17:40:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9oAjep34LvXN for <v6ops@ietfa.amsl.com>; Thu, 12 Oct 2017 17:40:15 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 878A213232C for <v6ops@ietf.org>; Thu, 12 Oct 2017 17:40:15 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id D35503AC88C; Fri, 13 Oct 2017 00:40:11 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id A453516005B; Fri, 13 Oct 2017 00:40:11 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 93F31160085; Fri, 13 Oct 2017 00:40:11 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 6sGUnBvwNIYU; Fri, 13 Oct 2017 00:40:11 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 11A4116005B; Fri, 13 Oct 2017 00:40:11 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id D13338AD1CED; Fri, 13 Oct 2017 11:40:07 +1100 (AEDT)
To: Mikael Abrahamsson <swmike@swm.pp.se>
Cc: JORDI PALET MARTINEZ <jordi.palet@consulintel.es>, IPv6 Ops WG <v6ops@ietf.org>
From: Mark Andrews <marka@isc.org>
References: <150755581666.18336.7914755965262691836.idtracker@ietfa.amsl.com> <CB970DA1-7E14-4E38-8FE1-535108518819@consulintel.es> <CAD6AjGQJXFOEysWbDRM3JZwy2JKquxzpTTDy5_XbOm7-Db7xjg@mail.gmail.com> <alpine.DEB.2.20.1710091711380.31961@uplift.swm.pp.se> <D4D1D13A-6B68-4FF8-BF11-922813CC7F6E@consulintel.es> <alpine.DEB.2.20.1710101137120.31961@uplift.swm.pp.se>
In-reply-to: Your message of "Tue, 10 Oct 2017 11:50:50 +0200." <alpine.DEB.2.20.1710101137120.31961@uplift.swm.pp.se>
Date: Fri, 13 Oct 2017 11:40:07 +1100
Message-Id: <20171013004007.D13338AD1CED@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/2eLtp904y6OXOVZfthPdTQ2vuSI>
Subject: Re: [v6ops] FW: New Version Notification for draft-palet-v6ops-464xlat-deployment-00.txt
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Oct 2017 00:40:17 -0000
In message <alpine.DEB.2.20.1710101137120.31961@uplift.swm.pp.se>, Mikael Abrah amsson writes: > On Tue, 10 Oct 2017, JORDI PALET MARTINEZ wrote: > > > Hi Mikael, > > > > So, in your opinion, if I understand it correctly: > > 1) DNSSEC must not be ignored > > 2) DNS64 should be supported > > Correct. Don't know exactly how to do that, but that's what I'd like to > see. > > > Could you agree in a document that describes different deployment models su > pporting or not 1, 2, above? > > I'm just speculating/brainstorming here... but let me write some text and > see what people think: > > 1. A DNS64 resolver should do DNSSEC validation before synthesis. > > 2. A device behind DNS64 that intends to do DNSSEC validataion should > identify the NAT64 prefix via the standard means, and then it should (if > DNSSEC validation fails on AAAA question) do DNSSEC validation of A record > and perform its own DNS64 function (if the AAAA answer that failed DNSSEC > validation fell within the discovered NAT64 prefix). > > I wasn't there during the DNS64 work, I don't know if these things were > discussed and rejected for good reasons but... Have at me. Behave failed to listen to the fact that there is NO WAY TO TELL IF A CLIENT IS VALIDATING RESPONSES. It decided that CD=0 meant not validating which is NOT the case. This is what the DNSSEC flag bits mean DO=0 Not validating DO=1 CD=0 May be validating (DNS64 says not validating) (These are the type of queries many validating client issue by default) DO=1 CD=1 May be validating, do not validate responses to any request you make to resolve this query, just include them in your response. (DNS64 says is validating) Both DO=1 CD=0 and DO=1 CD=1 queries need to be sent by validating clients to get answers through a validating recursive server. DO=1 CD=0 allow the recursive server to reject spoofed or otherwise bad responses to queries it makes on the clients behalf and retry. DO=1 CD=1 allow the responses to get through a recusive server with bad trust anchors or a bad clock. Just sending DO=1 CD=1 means that there is no reject or retry and no control over which authoritative servers are queries. Multiple authoritative servers are tries with DO=1 CD=0 queries on the clients behalf. DO=1 CD=1 are NOT REQUIRED to be validated and are not cached unless they have been validated as secure or insecure. They MUST NOT be returned to DO=1 CD=0 or DO=0 queries without being validated. If all the servers are correctly configured and there is no spoofing happening it doesn't matter if you send DO=1 CD=0 or DO=1 CD=1 when you are validating you will get a response that will validate as secure / insecure. What you send when this is not the case however is critical. This was pointed out numerous times but behave went ahead and wrote a specification that DOES NOT WORK and cannot be made to work (it is mathematically impossible to do) and due to rough consensus it was passed. The "crazy DNSSEC guy" was not listened too. Mark > -- > Mikael Abrahamsson email: swmike@swm.pp.se > > _______________________________________________ > v6ops mailing list > v6ops@ietf.org > https://www.ietf.org/mailman/listinfo/v6ops -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- Re: [v6ops] FW: New Version Notification for draf… Ca By
- [v6ops] FW: New Version Notification for draft-pa… JORDI PALET MARTINEZ
- Re: [v6ops] FW: New Version Notification for draf… Ca By
- Re: [v6ops] FW: New Version Notification for draf… JORDI PALET MARTINEZ
- Re: [v6ops] FW: New Version Notification for draf… Mikael Abrahamsson
- Re: [v6ops] FW: New Version Notification for draf… Ca By
- Re: [v6ops] FW: New Version Notification for draf… JORDI PALET MARTINEZ
- Re: [v6ops] FW: New Version Notification for draf… JORDI PALET MARTINEZ
- Re: [v6ops] FW: New Version Notification for draf… Mikael Abrahamsson
- Re: [v6ops] FW: New Version Notification for draf… Ole Troan
- Re: [v6ops] FW: New Version Notification for draf… Erik Kline
- Re: [v6ops] FW: New Version Notification for draf… JORDI PALET MARTINEZ
- Re: [v6ops] FW: New Version Notification for draf… Ole Troan
- Re: [v6ops] FW: New Version Notification for draf… JORDI PALET MARTINEZ
- Re: [v6ops] FW: New Version Notification for draf… Mark Andrews
- Re: [v6ops] FW: New Version Notification for draf… Czerwonka Michał 1 - Hurt
- Re: [v6ops] New Version Notification for draft-pa… james woodyatt
- Re: [v6ops] New Version Notification for draft-pa… JORDI PALET MARTINEZ
- Re: [v6ops] New Version Notification for draft-pa… james woodyatt
- Re: [v6ops] New Version Notification for draft-pa… Paul Marks
- Re: [v6ops] FW: New Version Notification for draf… Mark Andrews
- Re: [v6ops] New Version Notification for draft-pa… james woodyatt
- Re: [v6ops] New Version Notification for draft-pa… Heatley,N,Nick,TQB R