Re: [v6ops] draft-bp-v6ops-ipv6-ready-dns-dnssec
神明達哉 <jinmei@wide.ad.jp> Fri, 07 December 2018 19:34 UTC
Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C75FB130E96 for <v6ops@ietfa.amsl.com>; Fri, 7 Dec 2018 11:34:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.67
X-Spam-Level:
X-Spam-Status: No, score=-0.67 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, FROM_EXCESS_BASE64=0.979, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vwvhlfmQ6rez for <v6ops@ietfa.amsl.com>; Fri, 7 Dec 2018 11:34:49 -0800 (PST)
Received: from mail-wr1-f44.google.com (mail-wr1-f44.google.com [209.85.221.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D5401200D7 for <v6ops@ietf.org>; Fri, 7 Dec 2018 11:34:48 -0800 (PST)
Received: by mail-wr1-f44.google.com with SMTP id l9so4798844wrt.13 for <v6ops@ietf.org>; Fri, 07 Dec 2018 11:34:48 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/u6S2afcfDWLmF0lQwgyv5FM+jDftk9BHAJBmxyXLUQ=; b=QJHesjNx5pO28gPjSlPGfqzSfNp4ZLhUqNcXgthtjgvjBzK1lEH+eNwYgt0zyhdoIu 8uPSqGhNGYakQ5BLUV89c1k0DKlGV4F/wyhMVqW3VnEV+acGG/xwn07ky7jcBzJcb5JZ 4JxrT/47vRy18C/C2MBmFI+Cr2XGSgSjYXxkGgS4kn+c+N27MSuzpb6mDpbZHjRiZ/w/ WEbInek6O1vhSJ7s3ulYC0z7R2NdqIwcseFNMX8rrQ1ofP6NBjAXnzvaeS5dW3B9qpd7 02+Y2Yt0gu+Bv/2nwXSf6x5tFkWW7HwQFTchgzsZi4joVSSTUrQE0w18VLGbGluDSMol rwPg==
X-Gm-Message-State: AA+aEWY+LUlwUBquhj1OwJ9Kcb4XGwjVcLs7yr8t+wQx/dC/90Nm9bRi xzqSdQQA6KYqjVwayOoWfROJaJVVrkZQLgFjzJ4=
X-Google-Smtp-Source: AFSGD/VjzW7zyyTpen0GsnfXalITqfTpBdjRW96SaCd9BZ5vqQBEbQwOjUqNQervJ2SenxbVoegSk6p1PFImWB+sEAw=
X-Received: by 2002:adf:f703:: with SMTP id r3mr2823981wrp.93.1544211286662; Fri, 07 Dec 2018 11:34:46 -0800 (PST)
MIME-Version: 1.0
References: <BYAPR05MB42454BAA0B704263C0F02604AEAE0@BYAPR05MB4245.namprd05.prod.outlook.com>
In-Reply-To: <BYAPR05MB42454BAA0B704263C0F02604AEAE0@BYAPR05MB4245.namprd05.prod.outlook.com>
From: 神明達哉 <jinmei@wide.ad.jp>
Date: Fri, 07 Dec 2018 11:34:34 -0800
Message-ID: <CAJE_bqdT16yxhds5PxNmMDHKB=HOMJF9uQcBiOazHmnUGMjwgA@mail.gmail.com>
To: Ronald Bonica <rbonica@juniper.net>
Cc: v6ops@ietf.org
Content-Type: multipart/alternative; boundary="000000000000332017057c73b5fc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/808U4KxTMV5yKiPPwjl1kgZdV6Y>
Subject: Re: [v6ops] draft-bp-v6ops-ipv6-ready-dns-dnssec
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Dec 2018 19:34:51 -0000
At Mon, 3 Dec 2018 16:56:51 +0000, Ron Bonica <rbonica@juniper.net> wrote: > Each week between now and IETF 104, we will review and discuss one draft with an eye towards progressing it. > > This week, please review and comment on draft-bp-v6ops-ipv6-ready-dns-dnssec. I've read draft-bp-v6ops-ipv6-ready-dns-dnssec-00. While the motivation is laudable, I have to say I'm skeptical about its effectiveness if one main audience is "the IPv4 laggards". Just as it may be "unfair" that an IPv6-only service provider needs to handle A-only DNSSEC signed zones, it would be "unfair" for these "laggards" that they are required to deploy IPv6 services and publish corresponding AAAAs when they only need (for whatever reasons) IPv4-only services. I suspect referring to RFC6540 doesn't help for those people. On a related note, there's one thing I'm not sure from the draft: whether "requiring AAAA" also means "requiring to provide the corresponding service over IPv6" (here I assume the existence of such a service; that should normally be the case in practice). In the previous paragraph I assumed the draft requires this too, but if it only means some AAAA that is correctly signed but the address doesn't have to be accessible over IPv6, then it might be more acceptable for lazy "laggards". Ideally such an unreachable IPv6 address should cause an immediate failure when an IPv6 node tries to send a packet to it, but some smartness like HE may be good enough to handle cases where those IPv6 addresses create a blackhole. If that's the intent of the draft, I'd suggest making it clearer, possibly with suggesting some specific IPv6 addresses (maybe ::?) to be used for this purpose. This draft seems to also talk about providing IPv6 reachability to name servers (which is irrelevant to providing DNSSEC-signed AAAA). For example Section 6 states: In the context of this document, and others that may be generated as a consequence of it, "IPv6-Ready DNS/DNSSEC Infrastructure" means that a DNS/DNSSEC server (root, TLD, authoritative NS, others) is fully accessible and operational if queried either from a remote dual-stack network or an IPv6-only network. Is my understanding correct? If so, I suspect it's more likely to be just ignored by the "laggards" for the same reason as that I mentioned above. And, in any case, I personally think it's better if this document focuses on the issue of interaction between DNSSEC and DNS64. If my understanding of this part is incorrect, then it's not clear to me what it means and I'd suggest rewriting it. -- JINMEI, Tatuya
- [v6ops] draft-bp-v6ops-ipv6-ready-dns-dnssec Ron Bonica
- Re: [v6ops] draft-bp-v6ops-ipv6-ready-dns-dnssec Lencse Gábor
- Re: [v6ops] draft-bp-v6ops-ipv6-ready-dns-dnssec 神明達哉
- Re: [v6ops] draft-bp-v6ops-ipv6-ready-dns-dnssec Brian E Carpenter
- Re: [v6ops] draft-bp-v6ops-ipv6-ready-dns-dnssec 神明達哉
- Re: [v6ops] draft-bp-v6ops-ipv6-ready-dns-dnssec Lee Howard
- Re: [v6ops] draft-bp-v6ops-ipv6-ready-dns-dnssec Lencse Gábor