IETF Logo Mail Archive

Re: [v6ops] draft-bp-v6ops-ipv6-ready-dns-dnssec

神明達哉 <jinmei@wide.ad.jp> Fri, 07 December 2018 19:34 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C75FB130E96 for <v6ops@ietfa.amsl.com>; Fri, 7 Dec 2018 11:34:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.67
X-Spam-Level:
X-Spam-Status: No, score=-0.67 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, FROM_EXCESS_BASE64=0.979, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vwvhlfmQ6rez for <v6ops@ietfa.amsl.com>; Fri, 7 Dec 2018 11:34:49 -0800 (PST)
Received: from mail-wr1-f44.google.com (mail-wr1-f44.google.com [209.85.221.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D5401200D7 for <v6ops@ietf.org>; Fri, 7 Dec 2018 11:34:48 -0800 (PST)
Received: by mail-wr1-f44.google.com with SMTP id l9so4798844wrt.13 for <v6ops@ietf.org>; Fri, 07 Dec 2018 11:34:48 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/u6S2afcfDWLmF0lQwgyv5FM+jDftk9BHAJBmxyXLUQ=; b=QJHesjNx5pO28gPjSlPGfqzSfNp4ZLhUqNcXgthtjgvjBzK1lEH+eNwYgt0zyhdoIu 8uPSqGhNGYakQ5BLUV89c1k0DKlGV4F/wyhMVqW3VnEV+acGG/xwn07ky7jcBzJcb5JZ 4JxrT/47vRy18C/C2MBmFI+Cr2XGSgSjYXxkGgS4kn+c+N27MSuzpb6mDpbZHjRiZ/w/ WEbInek6O1vhSJ7s3ulYC0z7R2NdqIwcseFNMX8rrQ1ofP6NBjAXnzvaeS5dW3B9qpd7 02+Y2Yt0gu+Bv/2nwXSf6x5tFkWW7HwQFTchgzsZi4joVSSTUrQE0w18VLGbGluDSMol rwPg==
X-Gm-Message-State: AA+aEWY+LUlwUBquhj1OwJ9Kcb4XGwjVcLs7yr8t+wQx/dC/90Nm9bRi xzqSdQQA6KYqjVwayOoWfROJaJVVrkZQLgFjzJ4=
X-Google-Smtp-Source: AFSGD/VjzW7zyyTpen0GsnfXalITqfTpBdjRW96SaCd9BZ5vqQBEbQwOjUqNQervJ2SenxbVoegSk6p1PFImWB+sEAw=
X-Received: by 2002:adf:f703:: with SMTP id r3mr2823981wrp.93.1544211286662; Fri, 07 Dec 2018 11:34:46 -0800 (PST)
MIME-Version: 1.0
References: <BYAPR05MB42454BAA0B704263C0F02604AEAE0@BYAPR05MB4245.namprd05.prod.outlook.com>
In-Reply-To: <BYAPR05MB42454BAA0B704263C0F02604AEAE0@BYAPR05MB4245.namprd05.prod.outlook.com>
From: 神明達哉 <jinmei@wide.ad.jp>
Date: Fri, 07 Dec 2018 11:34:34 -0800
Message-ID: <CAJE_bqdT16yxhds5PxNmMDHKB=HOMJF9uQcBiOazHmnUGMjwgA@mail.gmail.com>
To: Ronald Bonica <rbonica@juniper.net>
Cc: v6ops@ietf.org
Content-Type: multipart/alternative; boundary="000000000000332017057c73b5fc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/808U4KxTMV5yKiPPwjl1kgZdV6Y>
Subject: Re: [v6ops] draft-bp-v6ops-ipv6-ready-dns-dnssec
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Dec 2018 19:34:51 -0000

At Mon, 3 Dec 2018 16:56:51 +0000,
Ron Bonica <rbonica@juniper.net> wrote:

> Each week between now and IETF 104, we will review and discuss one draft
with an eye towards progressing it.
>
> This week, please review and comment on
draft-bp-v6ops-ipv6-ready-dns-dnssec.

I've read draft-bp-v6ops-ipv6-ready-dns-dnssec-00.

While the motivation is laudable, I have to say I'm skeptical about
its effectiveness if one main audience is "the IPv4 laggards".  Just
as it may be "unfair" that an IPv6-only service provider needs to
handle A-only DNSSEC signed zones, it would be "unfair" for these
"laggards" that they are required to deploy IPv6 services and publish
corresponding AAAAs when they only need (for whatever reasons)
IPv4-only services.  I suspect referring to RFC6540 doesn't help for
those people.

On a related note, there's one thing I'm not sure from the draft:
whether "requiring AAAA" also means "requiring to provide the
corresponding service over IPv6" (here I assume the existence of such
a service; that should normally be the case in practice).  In the
previous paragraph I assumed the draft requires this too, but if it
only means some AAAA that is correctly signed but the address doesn't
have to be accessible over IPv6, then it might be more acceptable for
lazy "laggards".  Ideally such an unreachable IPv6 address should
cause an immediate failure when an IPv6 node tries to send a packet to
it, but some smartness like HE may be good enough to handle cases
where those IPv6 addresses create a blackhole.  If that's the intent
of the draft, I'd suggest making it clearer, possibly with suggesting
some specific IPv6 addresses (maybe ::?) to be used for this purpose.

This draft seems to also talk about providing IPv6 reachability to
name servers (which is irrelevant to providing DNSSEC-signed AAAA).
For example Section 6 states:

   In the context of this document, and others that may be generated as
   a consequence of it, "IPv6-Ready DNS/DNSSEC Infrastructure" means
   that a DNS/DNSSEC server (root, TLD, authoritative NS, others) is
   fully accessible and operational if queried either from a remote
   dual-stack network or an IPv6-only network.

Is my understanding correct?  If so, I suspect it's more likely to be
just ignored by the "laggards" for the same reason as that I mentioned
above.  And, in any case, I personally think it's better if this
document focuses on the issue of interaction between DNSSEC and
DNS64.  If my understanding of this part is incorrect, then it's not
clear to me what it means and I'd suggest rewriting it.

--
JINMEI, Tatuya

v2.23.0 | Report a Bug | By Email