IETF Logo Mail Archive

Re: [v6ops] Supporting IPv6-only Networks with NAT64 and DNS64 section of draft-ietf-v6ops-rfc6555bis-01

"stephan.lagerholm@yahoo.com" <stephan.lagerholm@yahoo.com> Thu, 29 June 2017 04:52 UTC

Return-Path: <stephan.lagerholm@yahoo.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E95E312704A for <v6ops@ietfa.amsl.com>; Wed, 28 Jun 2017 21:52:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.956
X-Spam-Level:
X-Spam-Status: No, score=0.956 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FORGED_MUA_MOZILLA=2.309, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, REPTO_QUOTE_YAHOO=0.646, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wqV0asJOonrK for <v6ops@ietfa.amsl.com>; Wed, 28 Jun 2017 21:52:50 -0700 (PDT)
Received: from sonic328-12.consmr.mail.ne1.yahoo.com (sonic328-12.consmr.mail.ne1.yahoo.com [66.163.191.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D796612025C for <v6ops@ietf.org>; Wed, 28 Jun 2017 21:52:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1498711968; bh=FjqulToIAZmWkLhtZdAYzRMfyUQqulQUhiQjjw4gju4=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:From:Subject; b=R/EGRxeFU7AbcdIAciqVk9ngn66I5gSN2LENvMkOFr70/4gzngCbiSOE2RrvSj4WNOKmtpBy3nFKjoRWBUZ0m5kSnzAq9cph3Kk/IVFNRYg34Zcs2VXHW/RmEoZ0Q2KdGFHUZmjMfzAd1QthlXUW0KBXpxCMsj2DHFOSUsZdhMDC518DOc8j9hU8qgMeNDwStytGfJkt92zlGGh6qpVdL14ibJ5b/GLbdw813+ZcO5ws67Ft2ASDG0U57bWbO0DYGREE2GUeZ6k9eu4Ma1Ry0ooKP2Vqb2G77n2HeDZO3FSl4FMEFS+Cz8AuvHpgisrTzhnMfBLb+YcwvebNMuswjw==
X-YMail-OSG: rZC7OW0VM1kvLqWblh9om0VXyzr6FQoOii8NEbJNGGJ8DKuSI5Egt8bQuCEo9i6 fePeD3TolugohwZpPv6C3J.7Xdw328QI1od5HgMGduOg0WR9TtKd5BJP.FyR2dPm4XUIKrCgWI1q MuTJATo5UOdei3ZQf6UQHe7XE.RiSXyt6oPpdOmeOBIVfDIkZ.9auB3cuS_kChsekmNH0E6rEetX FuOo0na9TnkFGVv3ZAsY6rpTGPTg4w9Y_h20RptiwidY3nIbi8vN9VxoAeT7Ex9bQQPhx.LAvAha 7nL5j8_UoAUA7xuDp8aO7eO78ejpaSlWslXQIiQUyITT4MU02z5L5Jyfszz5IKK5nJFSsgQIUcNK A_ISbaUOSWj7E9e7Z4g.WqHQR3G0ImLzmU1o_9BxBUZ1c2IFLJlZA.k3MUm.qKMzI9gxs0UvGjLP u2Cdj.zU5TZLgDpe8nFIBOziDm2vBrnQQ7a0QeE2fSBjdwcjBIieul8D_KpwWVBOEI6R7IHxIx.2 srFXgMrE8n61V6r9SXhLtZPIzRJOpG4JX5W8FWs53LoRD7NCI5TpCQfbLkOhjkGaRR_ML7OvgmJ7 0
Received: from sonic.gate.mail.ne1.yahoo.com by sonic328.consmr.mail.ne1.yahoo.com with HTTP; Thu, 29 Jun 2017 04:52:48 +0000
Date: Thu, 29 Jun 2017 04:52:47 +0000
From: "stephan.lagerholm@yahoo.com" <stephan.lagerholm@yahoo.com>
Reply-To: "stephan.lagerholm@yahoo.com" <stephan.lagerholm@yahoo.com>
To: Mark Andrews <marka@isc.org>
Cc: IPv6 Ops WG <v6ops@ietf.org>, "dschinazi@apple.com" <dschinazi@apple.com>
Message-ID: <901072900.951551.1498711968004@mail.yahoo.com>
In-Reply-To: <47F7A2D8-9516-4E25-A673-40D6293B7CE7@isc.org>
References: <149670589074.3841.10812713591494006570@ietfa.amsl.com> <C22244D7-ABF6-430B-8155-8D4C1C1382DF@apple.com> <FA0D06E7-47F9-4029-81D4-2D96BFDD5576@consulintel.es> <65F3C8F4-6533-4C15-83F9-64AFC0EFFA79@apple.com> <4AC6726C-142E-48E5-95CF-2C3AD3331441@consulintel.es> <738488839.469942.1498664001646@mail.yahoo.com> <20170628220025.4FA447CB2073@rock.dv.isc.org> <280023835.899017.1498705302254@mail.yahoo.com> <47F7A2D8-9516-4E25-A673-40D6293B7CE7@isc.org>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_951549_2141093257.1498711968002"
X-Mailer: WebService/1.1.9978 YahooMailNeo Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/5L2sxpXZZVP1GRARV6oxOQwKdDo>
Subject: Re: [v6ops] Supporting IPv6-only Networks with NAT64 and DNS64 section of draft-ietf-v6ops-rfc6555bis-01
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jun 2017 04:52:54 -0000

Hi Mark,
>        Mark Andrews <marka@isc.org> 
>
>> On 29 Jun 2017, at 1:01 pm, stephan.lagerholm@yahoo.com wrote:
>>
>> Hi Mark,
>>
>> >From: Mark Andrews <marka@isc.org>
>> >> In message <738488839.469942.1498664001646@mail.yahoo.com>, "stephan.lagerholm@yahoo.com" writes:
>> >> Hi David,
>> >> Thanks for adding the Supporting IPv6-only Networks with NAT64 and DNS64
>> >> section, I find it useful. However I don't think the below sentence from
>> >> this section is accurate. I can't think of any changes that are needed on
>> >> a client device to run NAT64/DNS64.
>> >
>> >Well you obviously don't have any devices doing DNSSEC validation.
>> >DNS64 breaks DNSSEC as it changes the DNS responses from NOERROR
>> >NODATA to NOERROR DATA by synthesizing a AAAA RRset.  This from the
>> >client's perspective is not different than forging a fake AAAA RRset
>> >that is trying to hijack the traffic stream.
>>
>> This case and the remedy is already covered in RFC 6147 section 3. I don't think it makes sense to bring it up in this draft.
>
>RFC 6147 states that end devices need to be upgraded.  Yes
>this is in contradiction to itself where it states that they don’t need
>to be upgraded.
>
>Section 5.5.
>
>      The disadvantage to this approach is that an end point that is
>      translation-oblivious but security-aware and validating will not
>      be able to use the DNS64 functionality.  In this case, the end
>      point will not have the desired benefit of NAT64.  In effect,
>      this strategy means that any end point that wishes to do
>      validation in a NAT64 context must be upgraded to be
>      translation-aware as well.
>
>Then you have 5.5.3, turn a DNSSEC MUST NOT into a MAY
>and in doing so completely defeating the purpose of the “MUST NOT”
>on CD=1 which is to get answers which are incorrectly being rejected
>by the upstream validating resolver.
>
>      "then vDNS64 MAY perform validation,”
>
>Then you have changes to the purpose of CD which don’t work
>with TTL=0 answers.
>
>The whole IETF seems to think that DNS64/NAT64 works well.  It
>doesn’t when you need to use the protections that DNSSEC
>provides.  It works ok if everything else is correctly configured and
>there are no active attacks on the recursive DNS servers happening.

I agree that it does not work well if you validate on the stub resolver side. I can imagine that you could do an RFC7050 query within your validator, strip the pref64 and then validate the A record. I still think it should be outside the scope of this draft to tackle DNSSEC related issues when using DNS64. It is not going to add any clarity to Happy Eyeballs to have text around DNSSEC related issues that remains unchanged with or without this draft being implemented. I'm happy to work on an rfc6174bis with you. 

/Stephan

v2.23.0 | Report a Bug | By Email