[v6ops] draft-ietf-v6ops-ipv6-only-resolver AFI Preference
Tobias Fiebig <tobias@fiebig.nl> Sun, 05 November 2023 09:55 UTC
Return-Path: <tobias@fiebig.nl>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 320E3C1CAFE6; Sun, 5 Nov 2023 01:55:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.807
X-Spam-Level:
X-Spam-Status: No, score=-2.807 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fiebig.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zvBgtloUvz0i; Sun, 5 Nov 2023 01:55:52 -0800 (PST)
Received: from mail.aperture-labs.org (mail.aperture-labs.org [195.191.197.3]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA512) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2179AC187710; Sun, 5 Nov 2023 01:55:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fiebig.nl; s=key01; t=1699178145; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=fVWBlyU5PGgwbJhoeKXmJBHR6KUG/aTxsxXFXusUw9I=; b=t1QGlWyy2latpQGGrWGGIgGRI0F0ZLa3D90iygam0uCjZs7il0XHogRjEJoADOcwBUdUqq 0ELgaWal16rHGHv/8HHGT7s2uLbhXrlL7TmPDUEbYTaPEkQXbvXGWK8HIXz+8/EwByB1ca d8Sgcw1u361X1zAhza0QDTL+TQFHQPOAxKY7Bg7VoXcOPFVXtIj2oqySkvrvpnySrwacOx V1Jr0unGAJ4Ed2mjr8qgOnoj+T88hAaWqNKq8pp8CPSD8vIwb6bag/R9p1XTj9Cx9/Fsu+ 090N1o0+HlmICYqCpgBiGSLDFyrurE3x+EPDFwzV7vU46EVJSvNrCoO6nqXntQ==
Received: by mail.aperture-labs.org (OpenSMTPD) with ESMTPSA id 9b3a4f7c (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO) auth=yes user=tobias@aperture-labs.org; Sun, 5 Nov 2023 09:55:45 +0000 (UTC)
Message-ID: <11d936bdc519e6fcce23ef02ff3469b5831943f3.camel@fiebig.nl>
From: Tobias Fiebig <tobias@fiebig.nl>
Reply-To: tobias@fiebig.nl
To: v6ops@ietf.org
Cc: dnsop <dnsop@ietf.org>, "momoka.my6" <momoka.my6@gmail.com>
Date: Sun, 05 Nov 2023 10:55:40 +0100
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.48.4
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/4lwr-JvjBMaCQ38Tm6Ogfasxs_o>
Subject: [v6ops] draft-ietf-v6ops-ipv6-only-resolver AFI Preference
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Nov 2023 09:55:57 -0000
Moin, during the hackathon i gave setting up Unbound 1.18.0 (which implements the draft already [1]) a shot with Momoka (2a06:d1c7:: if anyone wants to try; Some ratelimiting present), and we also replayed a couple of DS zones to resolve the question if 'prefer-ip6: yes' should be set [2]. The observation is that unbound in the current implementation actually does do happy eyeballs with nat64, i.e., without 'prefer-ip6: yes' there are indeed queries for v6 capable authoritative servers handled via nat64 instead of via native IPv6. I think this opens an interesting can of worms; RFC8305 in not really (BCP14 level) clear on the matter (other than indicated in [3]); This is essentially for cases where a client wants to connect to a v4 literal and SHOULD then perform translation; The AUTHNS part does not use authoritative language. However, the issue with Unbound (I'd argue) is that the part that does the HE decision is independent of the part that then does nat64, i.e., the HE part assumes v4 connectivity, and does normal HE; However, v6 should be preferred as v6 will not have to go through a transition mechanism; I see some perspectives on this that could range this in the area of 'implementation case' though. All being said, i personally see three options for handling this: - Accept that NAT64 (also with literals) with HE and DS may lead to hosts being contacted via a transition technique even though a native AFI path is available. - Put a SHOULD/SUGGESTED into draft-ietf-v6ops-ipv6-only-resolver to only use this with 'prefer-ip6: yes' (or similar depending on the implementation. - Think about touching RFC8305; _Technically_ the point above is already in RFC8305: "If a DNS server is configured to be accessible over IPv6, IPv6 should be assumed to be the preferred address family." So, technically, making that should <bcp14>SHOULD</bcp14> would essentially solve the point above. Going a bit further, Sec. 7 could be amended to explicitly state that in cases where NAT64/Other TT are used, IPv6 SHOULD be preferred... but writing this feels like something far to likely of having overlooked far too many corner cases and earlier discussions. With best regards, Tobias [1] https://github.com/NLnetLabs/unbound/pull/722 [2] https://github.com/NLnetLabs/unbound/pull/722#issuecomment-1497488164 [3] https://github.com/NLnetLabs/unbound/pull/722#issuecomment-1497823690 -- Dr.-Ing. Tobias Fiebig T +31 616 80 98 99 M tobias@fiebig.nl
- [v6ops] draft-ietf-v6ops-ipv6-only-resolver AFI P… Tobias Fiebig