[v6ops] draft-ietf-v6ops-ipv6-only-resolver AFI Preference
Tobias Fiebig <tobias@fiebig.nl> Sun, 05 November 2023 09:55 UTC
Return-Path: <tobias@fiebig.nl>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 320E3C1CAFE6; Sun, 5 Nov 2023 01:55:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.807
X-Spam-Level:
X-Spam-Status: No, score=-2.807 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fiebig.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zvBgtloUvz0i; Sun, 5 Nov 2023 01:55:52 -0800 (PST)
Received: from mail.aperture-labs.org (mail.aperture-labs.org [195.191.197.3]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA512) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2179AC187710; Sun, 5 Nov 2023 01:55:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fiebig.nl; s=key01; t=1699178145; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=fVWBlyU5PGgwbJhoeKXmJBHR6KUG/aTxsxXFXusUw9I=; b=t1QGlWyy2latpQGGrWGGIgGRI0F0ZLa3D90iygam0uCjZs7il0XHogRjEJoADOcwBUdUqq 0ELgaWal16rHGHv/8HHGT7s2uLbhXrlL7TmPDUEbYTaPEkQXbvXGWK8HIXz+8/EwByB1ca d8Sgcw1u361X1zAhza0QDTL+TQFHQPOAxKY7Bg7VoXcOPFVXtIj2oqySkvrvpnySrwacOx V1Jr0unGAJ4Ed2mjr8qgOnoj+T88hAaWqNKq8pp8CPSD8vIwb6bag/R9p1XTj9Cx9/Fsu+ 090N1o0+HlmICYqCpgBiGSLDFyrurE3x+EPDFwzV7vU46EVJSvNrCoO6nqXntQ==
Received: by mail.aperture-labs.org (OpenSMTPD) with ESMTPSA id 9b3a4f7c (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO) auth=yes user=tobias@aperture-labs.org; Sun, 5 Nov 2023 09:55:45 +0000 (UTC)
Message-ID: <11d936bdc519e6fcce23ef02ff3469b5831943f3.camel@fiebig.nl>
From: Tobias Fiebig <tobias@fiebig.nl>
Reply-To: tobias@fiebig.nl
To: v6ops@ietf.org
Cc: dnsop <dnsop@ietf.org>, "momoka.my6" <momoka.my6@gmail.com>
Date: Sun, 05 Nov 2023 10:55:40 +0100
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.48.4
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/4lwr-JvjBMaCQ38Tm6Ogfasxs_o>
Subject: [v6ops] draft-ietf-v6ops-ipv6-only-resolver AFI Preference
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Nov 2023 09:55:57 -0000
Moin,
during the hackathon i gave setting up Unbound 1.18.0 (which implements
the draft already [1]) a shot with Momoka (2a06:d1c7:: if anyone wants
to try; Some ratelimiting present), and we also replayed a couple of DS
zones to resolve the question if 'prefer-ip6: yes' should be set [2].
The observation is that unbound in the current implementation actually
does do happy eyeballs with nat64, i.e., without 'prefer-ip6: yes'
there are indeed queries for v6 capable authoritative servers handled
via nat64 instead of via native IPv6.
I think this opens an interesting can of worms; RFC8305 in not really
(BCP14 level) clear on the matter (other than indicated in [3]); This
is essentially for cases where a client wants to connect to a v4
literal and SHOULD then perform translation; The AUTHNS part does not
use authoritative language.
However, the issue with Unbound (I'd argue) is that the part that does
the HE decision is independent of the part that then does nat64, i.e.,
the HE part assumes v4 connectivity, and does normal HE; However, v6
should be preferred as v6 will not have to go through a transition
mechanism; I see some perspectives on this that could range this in the
area of 'implementation case' though.
All being said, i personally see three options for handling this:
- Accept that NAT64 (also with literals) with HE and DS may lead to
hosts being contacted via a transition technique even though a
native AFI path is available.
- Put a SHOULD/SUGGESTED into draft-ietf-v6ops-ipv6-only-resolver to
only use this with 'prefer-ip6: yes' (or similar depending on the
implementation.
- Think about touching RFC8305; _Technically_ the point above is
already in RFC8305:
"If a DNS server is configured to be accessible over IPv6, IPv6
should be assumed to be the preferred address family."
So, technically, making that should <bcp14>SHOULD</bcp14> would
essentially solve the point above.
Going a bit further, Sec. 7 could be amended to explicitly state that
in cases where NAT64/Other TT are used, IPv6 SHOULD be preferred...
but writing this feels like something far to likely of having
overlooked far too many corner cases and earlier discussions.
With best regards,
Tobias
[1]
https://github.com/NLnetLabs/unbound/pull/722
[2]
https://github.com/NLnetLabs/unbound/pull/722#issuecomment-1497488164
[3]
https://github.com/NLnetLabs/unbound/pull/722#issuecomment-1497823690
--
Dr.-Ing. Tobias Fiebig
T +31 616 80 98 99
M tobias@fiebig.nl
- [v6ops] draft-ietf-v6ops-ipv6-only-resolver AFI P… Tobias Fiebig