Re: [v6ops] Last Call: <draft-ietf-v6ops-v6-aaaa-whitelisting-implications-08.txt> (Considerations for Transitioning Content to IPv6) to Informational RFC

Mark Andrews <marka@isc.org> Thu, 23 February 2012 20:51 UTC

To: Ronald Bonica <rbonica@juniper.net>
From: Mark Andrews <marka@isc.org>
References: <00e401ccf143$303934a0$90ab9de0$@lampo@eurid.eu> <CB6BA2F9.5161B%jason_livingood@cable.comcast.com> <13205C286662DE4387D9AF3AC30EF456D7674BFE2D@EMBX01-WF.jnpr.net>
In-reply-to: Your message of "Thu, 23 Feb 2012 10:22:10 CDT." <13205C286662DE4387D9AF3AC30EF456D7674BFE2D@EMBX01-WF.jnpr.net>
Date: Fri, 24 Feb 2012 07:50:42 +1100
Message-Id: <20120223205043.0D1841DC357A@drugs.dv.isc.org>
Cc: Marc Lampo <marc.lampo@eurid.eu>, "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] Last Call: <draft-ietf-v6ops-v6-aaaa-whitelisting-implications-08.txt> (Considerations for Transitioning Content to IPv6) to Informational RFC

			So even though an authoritative DNS server will
   selectively return AAAA resource records and/or A resource records,
   these resource records must be signed, as well as any accompanying
   NextSECure (NSEC) information that proves existence and/or not-
   existence of AAAA resource records.

		   So even though an authoritative DNS server will
   selectively return AAAA resource records or a non-existence
   response both types of response will be signed and will validate.
   ("non-existence" covers both name error responses and NOERROR
   no data responses depending upon the presence or absence of data
   other than AAAA records at the name.  Usually there will be at least
   A records so one would expect a NOERROR no data.)
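
Added example (not part of the original message or of the draft): a toy Python model of the NODATA check this thread is about. An HMAC stands in for RRSIG, the name, addresses and key are constructed, and it compares one signed zone whose AAAA answer is filtered after signing with two separately signed views.

```python
import hashlib
import hmac

# Constructed sample data: documentation name/addresses and a toy zone key.
NAME = "www.example.com."
ZONE_KEY = b"constructed-zone-key"
FULL = {NAME: {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]}}
V4_ONLY = {NAME: {"A": ["192.0.2.10"]}}


def sign(key, owner, rrtype, rdata):
    """Stand-in for an RRSIG (assumption): HMAC over owner, type and rdata."""
    msg = "|".join([owner, rrtype] + sorted(rdata)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class SignedView:
    """One copy of the zone, signed as a whole including its NSEC type lists."""

    def __init__(self, key, zone):
        self.key = key
        self.zone = zone

    def _signed(self, owner, rrtype, rdata):
        return {"owner": owner, "type": rrtype, "rdata": list(rdata),
                "sig": sign(self.key, owner, rrtype, rdata)}

    def nsec(self, owner):
        # The NSEC type list names every type that exists at the owner name.
        types = sorted(set(self.zone[owner]) | {"NSEC", "RRSIG"})
        return self._signed(owner, "NSEC", types)

    def answer(self, owner, qtype, hide=()):
        """Build a response; `hide` models whitelisting applied after signing."""
        present = self.zone[owner]
        if qtype in present and qtype not in hide:
            return {"answer": self._signed(owner, qtype, present[qtype]),
                    "authority": None}
        return {"answer": None, "authority": self.nsec(owner)}


def validate(key, owner, qtype, response):
    """Validator view: accept a signed answer or a signed proof of no data."""
    rrset = response["answer"] or response["authority"]
    if rrset is None or rrset["owner"] != owner:
        return "bogus"
    expected = sign(key, rrset["owner"], rrset["type"], rrset["rdata"])
    if not hmac.compare_digest(rrset["sig"], expected):
        return "bogus"
    if response["answer"] is not None:
        return "secure" if rrset["type"] == qtype else "bogus"
    if rrset["type"] != "NSEC":
        return "bogus"
    # NODATA is proven only if the signed type list omits the queried type.
    return "bogus" if qtype in rrset["rdata"] else "secure-nodata"


def run_scenarios():
    single = SignedView(ZONE_KEY, FULL)      # one zone, AAAA hidden at query time
    v4_view = SignedView(ZONE_KEY, V4_ONLY)  # view for non-whitelisted resolvers
    filtered = single.answer(NAME, "AAAA", hide={"AAAA"})
    # Editing the type list without re-signing does not help either.
    forged = dict(filtered)
    forged["authority"] = dict(
        filtered["authority"],
        rdata=[t for t in filtered["authority"]["rdata"] if t != "AAAA"])
    return {
        "single_zone_filtered": validate(ZONE_KEY, NAME, "AAAA", filtered),
        "single_zone_forged_nsec": validate(ZONE_KEY, NAME, "AAAA", forged),
        "v4_view_nodata": validate(ZONE_KEY, NAME, "AAAA",
                                   v4_view.answer(NAME, "AAAA")),
        "full_view_aaaa": validate(ZONE_KEY, NAME, "AAAA",
                                   single.answer(NAME, "AAAA")),
        "v4_view_a": validate(ZONE_KEY, NAME, "A", v4_view.answer(NAME, "A")),
    }


if __name__ == "__main__":
    for scenario, status in run_scenarios().items():
        print(f"{scenario}: {status}")
```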

In message <13205C286662DE4387D9AF3AC30EF456D7674BFE2D@EMBX01-WF.jnpr.net>, Ronald Bonica writes:
> 
> Folks,
> 
> I will allow the dust to settle for another 24 hours and then send the
> draft on for publication.
> 
>                                                                         Ron
> 
> 
> From: Livingood, Jason [mailto:Jason_Livingood@cable.comcast.com]
> Sent: Thursday, February 23, 2012 8:07 AM
> To: Marc Lampo; Ronald Bonica; EXT - joelja@bogus.com; 'Mark Andrews'
> Cc: v6ops@ietf.org
> Subject: Re: [v6ops] Last Call: <draft-ietf-v6ops-v6-aaaa-whitelisting-implications-08.txt>
> (Considerations for Transitioning Content to IPv6) to Informational RFC
> 
> On 2/22/12 4:20 AM, "Marc Lampo" <marc.lampo@eurid.eu> wrote:
> 2) regarding the previous sentence :
> "So even though an authoritative DNS server will selectively return
> AAAA resource records and/or A resource records, these resource records
> can certainly still be signed."
> 
> In this context - assuming we are talking about a signed domain with
> chain-of-trust appropriately in place - I'd propose :
> "So even though an authoritative DNS server will selectively return
> AAAA resource records and/or A resource records, these resource records
> must be signed, as well as any accompanying NextSecure information that
> proves existence and/or not-existence of AAAA resource records."
> 
> Great suggestion, thank you for suggesting actual text! Correction to that
> sentence made and will publish momentarily in a -10.
> 
> - Jason
> 
> 
> 
> So :
> -> it's a *must*
> -> it's not only the A and/or AAAA RRs, but also the NSEC/NSEC3 RRs.
> 
> 
> Kind regards,
> 
> Marc Lampo
> Security Officer
> EURid (for .eu)
> 
> 
> From: Livingood, Jason [mailto:Jason_Livingood@cable.comcast.com]
> Sent: 21 February 2012 08:55 PM
> To: Ronald Bonica; Marc Lampo; EXT - joelja@bogus.com; Mark Andrews
> Cc: v6ops@ietf.org
> Subject: Re: [v6ops] Last Call:
> <draft-ietf-v6ops-v6-aaaa-whitelisting-implications-08.txt>
> (Considerations for Transitioning Content to IPv6) to Informational RFC
> 
> I made this addition in the relevant section (6.1). Let me know if it does
> not capture this sufficiently (or does so inelegantly).
> 
> Thanks
> Jason
> 
> In practical terms this means that two separate views or zones are used,
> each of which is signed, so that whether or not particular resource
> records exist, the existence or non-existence of the record can still be
> validated using DNSSEC.
> 
> 
> 
> 
> On 2/21/12 2:46 PM, "Livingood, Jason" <Jason_Livingood@cable.comcast.com>
> wrote:
> 
> Good idea and it is quick & easy edit. Making the change now. Will send
> text momentarily.
> 
> Jason
> 
> On 2/21/12 8:44 AM, "Ronald Bonica" <rbonica@juniper.net> wrote:
> 
> Authors,
> 
> What do you think?
> 
>                 Ron
> 
> -----Original Message-----
> From: Marc Lampo [mailto:marc.lampo@eurid.eu]
> Sent: Tuesday, February 21, 2012 2:03 AM
> To: Ronald Bonica; EXT - joelja@bogus.com
> Cc: v6ops@ietf.org
> Subject: RE: [v6ops] Last Call: <draft-ietf-v6ops-v6-aaaa-whitelisting-implications-08.txt>
> (Considerations for Transitioning Content to IPv6) to Informational RFC
> Hello,
> I had assumed : 1 zone file (and Mark Andrews correctly pointed at
> "views").
> Would adding this piece of information, directly in the RFC,
> be useful to avoid confusion for future readers ?
> Thanks and kind regards,
> Marc Lampo
> -----Original Message-----
> From: Ronald Bonica [mailto:rbonica@juniper.net]
> Sent: 20 February 2012 11:55 PM
> To: EXT - joelja@bogus.com; Marc Lampo
> Cc: v6ops@ietf.org
> Subject: RE: [v6ops] Last Call:
> <draft-ietf-v6ops-v6-aaaa-whitelisting-implications-08.txt>
> (Considerations for Transitioning Content to IPv6) to Informational RFC
> Marc, Havard,
> Are you satisfied with the answers provided by Joel and Mark?
>                                       Ron
> -----Original Message-----
> From: v6ops-bounces@ietf.org [mailto:v6ops-bounces@ietf.org] On Behalf
> Of EXT - joelja@bogus.com
> Sent: Monday, February 20, 2012 4:58 PM
> To: Marc Lampo
> Cc: v6ops@ietf.org
> Subject: Re: [v6ops] Last Call: <draft-ietf-v6ops-v6-aaaa-whitelisting-implications-08.txt>
> (Considerations for Transitioning Content to IPv6) to Informational RFC
> 
> On 2/20/12 06:32 , Marc Lampo wrote:
> > Hello,
> >
> > (sorry to be late with my comments, bit overloaded on my side)
> >
> > 6.1 Security Considerations - paragraph 2 (on DNSSEC)
> > The text states : "there should not be any negative impact on DNSSEC"
> > In my opinion, this is *wrong* :
> >
> 
> IMHO the following applies.
> 
> if you have one zone yeah I agree.
> 
> If you have two zones one with aaaa and one without (assuming this is
> done with dns views style implementation) you can sign both and they'll
> both be valid and complete from the vantage point of a client which
> resolves one or the other of them but not both.
> 
> this is a traditional split horizon problem. it's just not
> inside/outside.
> 
> joel
> 
> > It is correct that, if an AAAA record exists (in a DNSSEC's zone),
> > the appropriate RRSIG will be known to authoritative NS's.
> > If, via white listing, the decision is taken not to present the AAAA
> > record (and its signature), this seems OK.
> >
> > However : not returning an AAAA record seems identical to : there is no
> > AAAA record.
> > And that - there is no AAAA record - yields to "Next Secure" changes !
> > If no AAAA record exists, for a name, the corresponding NSEC (NSEC3)
> > record should not hold a reference to AAAA.
> > But if that AAAA record does exist, the authoritative NS will have NSEC
> > (NSEC3) data that shows so.
> >
> > A DNSSEC query (EDNS0 + DO set) for AAAA (and the AAAA exists but due to
> > whitelisting will not be returned), cannot be proven by accompanying
> > (and required) NSEC (NSEC3) information.
> > Hence : this draft will/might make DNSSEC validating name servers fail.
> >
> >
> > If you look at 4.3.1.1 (Description of DNS Resolver Whitelisting) in
> > detail, please observe :
> > 1) the caching name server (and "stub resolver") ask 2 queries
> >     (there is only one line,
> >      but it are two queries : one for "A", one for "AAAA")
> > 2) if the caching name server (or stub resolver) performs DNSSEC
> >     validation,
> >     it will never accept a reply of "NODATA" to the query of AAAA
> >     (because the NSEC (NSEC3) information will not prove that
> >     non-existence)
> >     ((and the validating name server will repeat the query to all
> >       authoritative NS's, looking for a validatable answer))
> >
> > (the final result, to the user might be that only the A record is useable
> >  - mission accomplished ?
> >  But the side effect will be that validating caching name servers will hit
> >   *all* authoritative servers for the domain,
> >   "in search of" a correctly validating answer.)
> >
> > So, while for the end-user, the result might be identical,
> > one "security impact" of this approach is
> > additional (useless) DNS traffic and
> > additional load on authoritative NS's (that implement whitelisting)
> >
> >
> > Kind regards,
> >
> > Marc Lampo
> > Security Officer
> > EURid
> >
> >
> > -----Original Message-----
> > From: The IESG [mailto:iesg-secretary@ietf.org]
> > Sent: 01 February 2012 04:09 PM
> > To: IETF-Announce
> > Cc: v6ops@ietf.org
> > Subject: [v6ops] Last Call:
> > <draft-ietf-v6ops-v6-aaaa-whitelisting-implications-08.txt>
> > (Considerations for Transitioning Content to IPv6) to Informational RFC
> >
> >
> > The IESG has received a request from the IPv6 Operations WG (v6ops) to
> > consider the following document:
> > - 'Considerations for Transitioning Content to IPv6'
> >   <draft-ietf-v6ops-v6-aaaa-whitelisting-implications-08.txt> as an
> > Informational RFC
> >
> > The IESG plans to make a decision in the next few weeks, and solicits
> > final comments on this action. Please send substantive comments to the
> > ietf@ietf.org mailing lists by 2012-02-15. Exceptionally, comments may be
> > sent to iesg@ietf.org instead. In either case, please retain the
> > beginning of the Subject line to allow automated sorting.
> >
> > Abstract
> >
> >
> >    This document describes considerations for the transition of end user
> >    content on the Internet to IPv6.  While this is tailored to address
> >    end user content, which is typically web-based, many aspects of this
> >    document may be more broadly applicable to the transition to IPv6 of
> >    other applications and services.  This document explores the
> >    challenges involved in the transition to IPv6, potential migration
> >    tactics, possible migration phases, and other considerations.  The
> >    audience for this document is the Internet community generally,
> >    particularly IPv6 implementers.
> >
> >
> >
> >
> > The file can be obtained via
> > http://datatracker.ietf.org/doc/draft-ietf-v6ops-v6-aaaa-whitelisting-implications/
> >
> > IESG discussion can be tracked via
> > http://datatracker.ietf.org/doc/draft-ietf-v6ops-v6-aaaa-whitelisting-implications/
> >
> >
> > No IPR declarations have been submitted directly on this I-D.
> >
> >
> >
> > _______________________________________________
> > v6ops mailing list
> > v6ops@ietf.org
> > https://www.ietf.org/mailman/listinfo/v6ops
> >
> 
> ietf.org</a>] On<o:p></o:p></span></p></div></blockquote><div><p class=3DMs=
> oNormal><span style=3D'font-family:Consolas;color:black'>Behalf<o:p></o:p><=
> /span></p></div><blockquote style=3D'border:none;border-left:solid #B5C4DF =
> 4.5pt;padding:0in 0in 0in 4.0pt;margin-left:3.75pt;margin-right:0in' id=3D"=
> MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"><div><p class=3DMsoNormal><span style=
> =3D'font-family:Consolas;color:black'>Of EXT - <a href=3D"mailto:joelja@bog=
> us.com">joelja@bogus.com</a><o:p></o:p></span></p></div><div><p class=3DMso=
> Normal><span style=3D'font-family:Consolas;color:black'>Sent: Monday, Febru=
> ary 20, 2012 4:58 PM<o:p></o:p></span></p></div><div><p class=3DMsoNormal><=
> span style=3D'font-family:Consolas;color:black'>To: Marc Lampo<o:p></o:p></=
> span></p></div><div><p class=3DMsoNormal><span style=3D'font-family:Consola=
> s;color:black'>Cc: <a href=3D"mailto:v6ops@ietf.org">v6ops@ietf.org</a><o:p=
> ></o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'font-famil=
> y:Consolas;color:black'>Subject: Re: [v6ops] Last Call: &lt;draft-ietf-v6op=
> s-v6-aaaa-<o:p></o:p></span></p></div></blockquote><div><p class=3DMsoNorma=
> l><span style=3D'font-family:Consolas;color:black'>whitelisting-<o:p></o:p>=
> </span></p></div><blockquote style=3D'border:none;border-left:solid #B5C4DF=
>  4.5pt;padding:0in 0in 0in 4.0pt;margin-left:3.75pt;margin-right:0in' id=3D=
> "MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"><div><p class=3DMsoNormal><span style=
> =3D'font-family:Consolas;color:black'>implications-08.txt&gt; (Consideratio=
> ns for Transitioning Content to<o:p></o:p></span></p></div></blockquote><di=
> v><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:black'>IPv=
> 6)<o:p></o:p></span></p></div><blockquote style=3D'border:none;border-left:=
> solid #B5C4DF 4.5pt;padding:0in 0in 0in 4.0pt;margin-left:3.75pt;margin-rig=
> ht:0in' id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"><div><p class=3DMsoNormal=
> ><span style=3D'font-family:Consolas;color:black'>to Informational RFC<o:p>=
> </o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'font-family=
> :Consolas;color:black'><o:p>&nbsp;</o:p></span></p></div><div><p class=3DMs=
> oNormal><span style=3D'font-family:Consolas;color:black'>On 2/20/12 06:32 ,=
>  Marc Lampo wrote:<o:p></o:p></span></p></div><div><p class=3DMsoNormal><sp=
> an style=3D'font-family:Consolas;color:black'>&gt; Hello,<o:p></o:p></span>=
> </p></div><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;col=
> or:black'>&gt;<o:p>&nbsp;</o:p></span></p></div><div><p class=3DMsoNormal><=
> span style=3D'font-family:Consolas;color:black'>&gt; (sorry to be late with=
>  my comments, bit overloaded on my side)<o:p></o:p></span></p></div><div><p=
>  class=3DMsoNormal><span style=3D'font-family:Consolas;color:black'>&gt;<o:=
> p>&nbsp;</o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'fon=
> t-family:Consolas;color:black'>&gt; 6.1 Security Considerations - paragraph=
>  2 (on DNSSEC)<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span s=
> tyle=3D'font-family:Consolas;color:black'>&gt; The text states : &quot;ther=
> e should not be any negative impact on<o:p></o:p></span></p></div></blockqu=
> ote><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:bla=
> ck'>DNSSEC&quot;<o:p></o:p></span></p></div><blockquote style=3D'border:non=
> e;border-left:solid #B5C4DF 4.5pt;padding:0in 0in 0in 4.0pt;margin-left:3.7=
> 5pt;margin-right:0in' id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"><div><p cla=
> ss=3DMsoNormal><span style=3D'font-family:Consolas;color:black'>&gt; In my =
> opinion, this is *wrong* :<o:p></o:p></span></p></div><div><p class=3DMsoNo=
> rmal><span style=3D'font-family:Consolas;color:black'>&gt;<o:p>&nbsp;</o:p>=
> </span></p></div><div><p class=3DMsoNormal><span style=3D'font-family:Conso=
> las;color:black'><o:p>&nbsp;</o:p></span></p></div><div><p class=3DMsoNorma=
> l><span style=3D'font-family:Consolas;color:black'>IMHO the following appli=
> es.<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'fon=
> t-family:Consolas;color:black'><o:p>&nbsp;</o:p></span></p></div><div><p cl=
> ass=3DMsoNormal><span style=3D'font-family:Consolas;color:black'>if you hav=
> e one zone yeah I agree.<o:p></o:p></span></p></div><div><p class=3DMsoNorm=
> al><span style=3D'font-family:Consolas;color:black'><o:p>&nbsp;</o:p></span=
> ></p></div><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;co=
> lor:black'>If you have two zones one with aaaa and one without (assuming th=
> is is<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'f=
> ont-family:Consolas;color:black'>done with dns views style implementation) =
> you can sign both and<o:p></o:p></span></p></div></blockquote><div><p class=
> =3DMsoNormal><span style=3D'font-family:Consolas;color:black'>they'll<o:p><=
> /o:p></span></p></div><blockquote style=3D'border:none;border-left:solid #B=
> 5C4DF 4.5pt;padding:0in 0in 0in 4.0pt;margin-left:3.75pt;margin-right:0in' =
> id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"><div><p class=3DMsoNormal><span s=
> tyle=3D'font-family:Consolas;color:black'>both be valid and complete from t=
> he vantage point of a client which<o:p></o:p></span></p></div><div><p class=
> =3DMsoNormal><span style=3D'font-family:Consolas;color:black'>resolves one =
> or the other of them but not both.<o:p></o:p></span></p></div><div><p class=
> =3DMsoNormal><span style=3D'font-family:Consolas;color:black'><o:p>&nbsp;</=
> o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'font-family:C=
> onsolas;color:black'>this is a traditional split horizon problem. it's just=
>  not<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'fo=
> nt-family:Consolas;color:black'>inside/outside.<o:p></o:p></span></p></div>=
> <div><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:black'>=
> <o:p>&nbsp;</o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'=
> font-family:Consolas;color:black'>joel<o:p></o:p></span></p></div><div><p c=
> lass=3DMsoNormal><span style=3D'font-family:Consolas;color:black'><o:p>&nbs=
> p;</o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'font-fami=
> ly:Consolas;color:black'>&gt; It is correct that, if an AAAA record exists =
> (in a DNSSEC's zone),<o:p></o:p></span></p></div><div><p class=3DMsoNormal>=
> <span style=3D'font-family:Consolas;color:black'>&gt; the appropriate RRSIG=
>  will be known to authoritative NS's.<o:p></o:p></span></p></div><div><p cl=
> ass=3DMsoNormal><span style=3D'font-family:Consolas;color:black'>&gt; If, v=
> ia white listing, the decision is taken not to present the<o:p></o:p></span=
> ></p></div></blockquote><div><p class=3DMsoNormal><span style=3D'font-famil=
> y:Consolas;color:black'>AAAA<o:p></o:p></span></p></div><blockquote style=
> =3D'border:none;border-left:solid #B5C4DF 4.5pt;padding:0in 0in 0in 4.0pt;m=
> argin-left:3.75pt;margin-right:0in' id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOT=
> E"><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:blac=
> k'>&gt; record<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span s=
> tyle=3D'font-family:Consolas;color:black'>&gt; (and its signature), this se=
> ems OK.<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span style=3D=
> 'font-family:Consolas;color:black'>&gt;<o:p>&nbsp;</o:p></span></p></div><d=
> iv><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:black'>&g=
> t; However : not returning an AAAA record seems identical to : there<o:p></=
> o:p></span></p></div></blockquote><div><p class=3DMsoNormal><span style=3D'=
> font-family:Consolas;color:black'>is<o:p></o:p></span></p></div><blockquote=
>  style=3D'border:none;border-left:solid #B5C4DF 4.5pt;padding:0in 0in 0in 4=
> .0pt;margin-left:3.75pt;margin-right:0in' id=3D"MAC_OUTLOOK_ATTRIBUTION_BLO=
> CKQUOTE"><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;colo=
> r:black'>no<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span styl=
> e=3D'font-family:Consolas;color:black'>&gt; AAAA record.<o:p></o:p></span><=
> /p></div><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;colo=
> r:black'>&gt; And that - there is no AAAA record - yields to &quot;Next Sec=
> ure&quot;<o:p></o:p></span></p></div></blockquote><div><p class=3DMsoNormal=
> ><span style=3D'font-family:Consolas;color:black'>changes<o:p></o:p></span>=
> </p></div><blockquote style=3D'border:none;border-left:solid #B5C4DF 4.5pt;=
> padding:0in 0in 0in 4.0pt;margin-left:3.75pt;margin-right:0in' id=3D"MAC_OU=
> TLOOK_ATTRIBUTION_BLOCKQUOTE"><div><p class=3DMsoNormal><span style=3D'font=
> -family:Consolas;color:black'>!<o:p></o:p></span></p></div><div><p class=3D=
> MsoNormal><span style=3D'font-family:Consolas;color:black'>&gt; If no AAAA =
> record exists, for a name, the corresponding NSEC<o:p></o:p></span></p></di=
> v></blockquote><div><p class=3DMsoNormal><span style=3D'font-family:Consola=
> s;color:black'>(NSEC3)<o:p></o:p></span></p></div><blockquote style=3D'bord=
> er:none;border-left:solid #B5C4DF 4.5pt;padding:0in 0in 0in 4.0pt;margin-le=
> ft:3.75pt;margin-right:0in' id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"><div>=
> <p class=3DMsoNormal><span style=3D'font-family:Consolas;color:black'>&gt; =
> record<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'=
> font-family:Consolas;color:black'>&gt; should not hold a reference to AAAA.=
> <o:p></o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'font-f=
> amily:Consolas;color:black'>&gt; But if that AAAA record does exist, the au=
> thoritative NS will have<o:p></o:p></span></p></div><div><p class=3DMsoNorm=
> al><span style=3D'font-family:Consolas;color:black'>NSEC<o:p></o:p></span><=
> /p></div><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;colo=
> r:black'>&gt; (NSEC3)<o:p></o:p></span></p></div><div><p class=3DMsoNormal>=
> <span style=3D'font-family:Consolas;color:black'>&gt; data that shows so.<o=
> :p></o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'font-fam=
> ily:Consolas;color:black'>&gt;<o:p>&nbsp;</o:p></span></p></div><div><p cla=
> ss=3DMsoNormal><span style=3D'font-family:Consolas;color:black'>&gt; A DNSS=
> EC query (ENDS0 + DO set) for AAAA (and the AAAA exists but<o:p></o:p></spa=
> n></p></div></blockquote><div><p class=3DMsoNormal><span style=3D'font-fami=
> ly:Consolas;color:black'>due<o:p></o:p></span></p></div><blockquote style=
> =3D'border:none;border-left:solid #B5C4DF 4.5pt;padding:0in 0in 0in 4.0pt;m=
> argin-left:3.75pt;margin-right:0in' id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOT=
> E"><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:blac=
> k'>to<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'f=
> ont-family:Consolas;color:black'>&gt; whitelisting<o:p></o:p></span></p></d=
> iv><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:blac=
> k'>&gt; will not be returned), cannot be proven by accompanying (and<o:p></=
> o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'font-family:C=
> onsolas;color:black'>required)<o:p></o:p></span></p></div><div><p class=3DM=
> soNormal><span style=3D'font-family:Consolas;color:black'>&gt; NSEC (NSEC3)=
> <o:p></o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'font-f=
> amily:Consolas;color:black'>&gt; information.<o:p></o:p></span></p></div><d=
> iv><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:black'>&g=
> t; Hence : this draft will/might make DNSSEC validating name servers<o:p></=
> o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'font-family:C=
> onsolas;color:black'>fail.<o:p></o:p></span></p></div><div><p class=3DMsoNo=
> rmal><span style=3D'font-family:Consolas;color:black'>&gt;<o:p>&nbsp;</o:p>=
> </span></p></div><div><p class=3DMsoNormal><span style=3D'font-family:Conso=
> las;color:black'>&gt;<o:p>&nbsp;</o:p></span></p></div><div><p class=3DMsoN=
> ormal><span style=3D'font-family:Consolas;color:black'>&gt; If you look at =
> 4.3.1.1 (Description of DNS Resolver Whitelisting)<o:p></o:p></span></p></d=
> iv></blockquote><div><p class=3DMsoNormal><span style=3D'font-family:Consol=
> as;color:black'>in<o:p></o:p></span></p></div><blockquote style=3D'border:n=
> one;border-left:solid #B5C4DF 4.5pt;padding:0in 0in 0in 4.0pt;margin-left:3=
> .75pt;margin-right:0in' id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"><div><p c=
> lass=3DMsoNormal><span style=3D'font-family:Consolas;color:black'>&gt; deta=
> il,<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'fon=
> t-family:Consolas;color:black'>&gt; please observe :<o:p></o:p></span></p><=
> /div><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:bl=
> ack'>&gt; 1) the caching name server (and &quot;stub resolver&quot;) ask 2 =
> queries<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span style=3D=
> 'font-family:Consolas;color:black'>&gt;&nbsp;&nbsp;&nbsp;&nbsp; (there is o=
> nly one line,<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span st=
> yle=3D'font-family:Consolas;color:black'>&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
> &nbsp;but it are two queries : one for &quot;A&quot;, one for &quot;AAAA&qu=
> ot;)<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'fo=
> nt-family:Consolas;color:black'>&gt; 2) if the caching name server (or stub=
>  resolver) performs DNSSEC<o:p></o:p></span></p></div><div><p class=3DMsoNo=
> rmal><span style=3D'font-family:Consolas;color:black'>&gt; validation,<o:p>=
> </o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'font-family=
> :Consolas;color:black'>&gt;&nbsp;&nbsp;&nbsp;&nbsp; it will never accept a =
> reply of &quot;NODATA&quot; to the query of AAAA<o:p></o:p></span></p></div=
> ><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:black'=
> >&gt;&nbsp;&nbsp;&nbsp;&nbsp; (because the NSEC (NSEC3) information will no=
> t prove that<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span sty=
> le=3D'font-family:Consolas;color:black'>&gt; non-existance)<o:p></o:p></spa=
> n></p></div><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;c=
> olor:black'>&gt;&nbsp;&nbsp;&nbsp;&nbsp; ((and the validating name server w=
> ill repeat the query to all<o:p></o:p></span></p></div><div><p class=3DMsoN=
> ormal><span style=3D'font-family:Consolas;color:black'>&gt;&nbsp;&nbsp;&nbs=
> p;&nbsp;&nbsp;&nbsp; authoritative NS's, looking for a validatable answer))=
> <o:p></o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'font-f=
> amily:Consolas;color:black'>&gt;<o:p>&nbsp;</o:p></span></p></div><div><p c=
> lass=3DMsoNormal><span style=3D'font-family:Consolas;color:black'>&gt; (the=
>  final result, to the user might be that only the A record is<o:p></o:p></s=
> pan></p></div><div><p class=3DMsoNormal><span style=3D'font-family:Consolas=
> ;color:black'>useable<o:p></o:p></span></p></div><div><p class=3DMsoNormal>=
> <span style=3D'font-family:Consolas;color:black'>&gt;&nbsp;&nbsp;- mission =
> accomplished ?<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span s=
> tyle=3D'font-family:Consolas;color:black'>&gt;&nbsp;&nbsp;But the side effe=
> ct will be that validating caching name servers<o:p></o:p></span></p></div>=
> <div><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:black'>=
> will hit<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span style=
> =3D'font-family:Consolas;color:black'>&gt;&nbsp;&nbsp; *all* authoritative =
> servers for the domain,<o:p></o:p></span></p></div><div><p class=3DMsoNorma=
> l><span style=3D'font-family:Consolas;color:black'>&gt;&nbsp;&nbsp; &quot;i=
> n search of&quot; a correctly validating answer.)<o:p></o:p></span></p></di=
> v><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:black=
> '>&gt;<o:p>&nbsp;</o:p></span></p></div><div><p class=3DMsoNormal><span sty=
> le=3D'font-family:Consolas;color:black'>&gt; So, while for the end-user, th=
> e result might be identical,<o:p></o:p></span></p></div><div><p class=3DMso=
> Normal><span style=3D'font-family:Consolas;color:black'>&gt; one &quot;secu=
> rity impact&quot; of this approach is<o:p></o:p></span></p></div><div><p cl=
> ass=3DMsoNormal><span style=3D'font-family:Consolas;color:black'>&gt; addit=
> ional (useless) DNS traffic and<o:p></o:p></span></p></div><div><p class=3D=
> MsoNormal><span style=3D'font-family:Consolas;color:black'>&gt; additional =
> load on authoritative NS's (that implement whitelisting)<o:p></o:p></span><=
> /p></div><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;colo=
> r:black'>&gt;<o:p>&nbsp;</o:p></span></p></div><div><p class=3DMsoNormal><s=
> pan style=3D'font-family:Consolas;color:black'>&gt;<o:p>&nbsp;</o:p></span>=
> </p></div><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;col=
> or:black'>&gt; Kind regards,<o:p></o:p></span></p></div><div><p class=3DMso=
> Normal><span style=3D'font-family:Consolas;color:black'>&gt;<o:p>&nbsp;</o:=
> p></span></p></div><div><p class=3DMsoNormal><span style=3D'font-family:Con=
> solas;color:black'>&gt; Marc Lampo<o:p></o:p></span></p></div><div><p class=
> =3DMsoNormal><span style=3D'font-family:Consolas;color:black'>&gt; Security=
>  Officer<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span style=
> =3D'font-family:Consolas;color:black'>&gt; EURid<o:p></o:p></span></p></div=
> ><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:black'=
> >&gt;<o:p>&nbsp;</o:p></span></p></div><div><p class=3DMsoNormal><span styl=
> e=3D'font-family:Consolas;color:black'>&gt;<o:p>&nbsp;</o:p></span></p></di=
> v><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:black=
> '>&gt; -----Original Message-----<o:p></o:p></span></p></div><div><p class=
> =3DMsoNormal><span style=3D'font-family:Consolas;color:black'>&gt; From: Th=
> e IESG [<a href=3D"mailto:iesg-secretary@ietf.org">mailto:iesg-secretary@ie=
> tf.org</a>]<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span styl=
> e=3D'font-family:Consolas;color:black'>&gt; Sent: 01 February 2012 04:09 PM=
> <o:p></o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'font-f=
> amily:Consolas;color:black'>&gt; To: IETF-Announce<o:p></o:p></span></p></d=
> iv><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:blac=
> k'>&gt; Cc: <a href=3D"mailto:v6ops@ietf.org">v6ops@ietf.org</a><o:p></o:p>=
> </span></p></div><div><p class=3DMsoNormal><span style=3D'font-family:Conso=
> las;color:black'>&gt; Subject: [v6ops] Last Call:<o:p></o:p></span></p></di=
> v><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:black=
> '>&gt; &lt;draft-ietf-v6ops-v6-aaaa-whitelisting-implications-08.txt&gt;<o:=
> p></o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'font-fami=
> ly:Consolas;color:black'>&gt; (Considerations for Transitioning Content to =
> IPv6) to Informational<o:p></o:p></span></p></div><div><p class=3DMsoNormal=
> ><span style=3D'font-family:Consolas;color:black'>RFC<o:p></o:p></span></p>=
> </div><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:b=
> lack'>&gt;<o:p>&nbsp;</o:p></span></p></div><div><p class=3DMsoNormal><span=
>  style=3D'font-family:Consolas;color:black'>&gt;<o:p>&nbsp;</o:p></span></p=
> ></div><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:=
> black'>&gt; The IESG has received a request from the IPv6 Operations WG (v6=
> ops)<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'fo=
> nt-family:Consolas;color:black'>to<o:p></o:p></span></p></div><div><p class=
> =3DMsoNormal><span style=3D'font-family:Consolas;color:black'>&gt; consider=
>  the following document:<o:p></o:p></span></p></div><div><p class=3DMsoNorm=
> al><span style=3D'font-family:Consolas;color:black'>&gt; - 'Considerations =
> for Transitioning Content to IPv6'<o:p></o:p></span></p></div><div><p class=
> =3DMsoNormal><span style=3D'font-family:Consolas;color:black'>&gt;&nbsp;&nb=
> sp; &lt;draft-ietf-v6ops-v6-aaaa-whitelisting-implications-08.txt&gt; as an=
> <o:p></o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'font-f=
> amily:Consolas;color:black'>&gt; Informational RFC<o:p></o:p></span></p></d=
> iv><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:blac=
> k'>&gt;<o:p>&nbsp;</o:p></span></p></div><div><p class=3DMsoNormal><span st=
> yle=3D'font-family:Consolas;color:black'>&gt; The IESG plans to make a deci=
> sion in the next few weeks, and<o:p></o:p></span></p></div></blockquote><di=
> v><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:black'>sol=
> icits<o:p></o:p></span></p></div><blockquote style=3D'border:none;border-le=
> ft:solid #B5C4DF 4.5pt;padding:0in 0in 0in 4.0pt;margin-left:3.75pt;margin-=
> right:0in' id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"><div><p class=3DMsoNor=
> mal><span style=3D'font-family:Consolas;color:black'>&gt; final comments on=
>  this action. Please send substantive comments to<o:p></o:p></span></p></di=
> v><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:black=
> '>the<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'f=
> ont-family:Consolas;color:black'>&gt; <a href=3D"mailto:ietf@ietf.org">ietf=
> @ietf.org</a> mailing lists by 2012-02-15. Exceptionally, comments<o:p></o:=
> p></span></p></div><div><p class=3DMsoNormal><span style=3D'font-family:Con=
> solas;color:black'>may be<o:p></o:p></span></p></div><div><p class=3DMsoNor=
> mal><span style=3D'font-family:Consolas;color:black'>&gt; sent to <a href=
> =3D"mailto:iesg@ietf.org">iesg@ietf.org</a> instead. In either case, please=
>  retain the<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span styl=
> e=3D'font-family:Consolas;color:black'>&gt; beginning of the Subject line t=
> o allow automated sorting.<o:p></o:p></span></p></div><div><p class=3DMsoNo=
> rmal><span style=3D'font-family:Consolas;color:black'>&gt;<o:p>&nbsp;</o:p>=
> </span></p></div><div><p class=3DMsoNormal><span style=3D'font-family:Conso=
> las;color:black'>&gt; Abstract<o:p></o:p></span></p></div><div><p class=3DM=
> soNormal><span style=3D'font-family:Consolas;color:black'>&gt;<o:p>&nbsp;</=
> o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'font-family:C=
> onsolas;color:black'>&gt;<o:p>&nbsp;</o:p></span></p></div><div><p class=3D=
> MsoNormal><span style=3D'font-family:Consolas;color:black'>&gt;&nbsp;&nbsp;=
> &nbsp;&nbsp;This document describes considerations for the transition of en=
> d<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'font-=
> family:Consolas;color:black'>user<o:p></o:p></span></p></div><div><p class=
> =3DMsoNormal><span style=3D'font-family:Consolas;color:black'>&gt;&nbsp;&nb=
> sp;&nbsp;&nbsp;content on the Internet to IPv6.&nbsp;&nbsp;While this is ta=
> ilored to<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span style=
> =3D'font-family:Consolas;color:black'>address<o:p></o:p></span></p></div><d=
> iv><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:black'>&g=
> t;&nbsp;&nbsp;&nbsp;&nbsp;end user content, which is typically web-based, m=
> any aspects of<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span s=
> tyle=3D'font-family:Consolas;color:black'>this<o:p></o:p></span></p></div><=
> div><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:black'>&=
> gt;&nbsp;&nbsp;&nbsp;&nbsp;document may be more broadly applicable to the t=
> ransition to<o:p></o:p></span></p></div></blockquote><div><p class=3DMsoNor=
> mal><span style=3D'font-family:Consolas;color:black'>IPv6<o:p></o:p></span>=
> </p></div><blockquote style=3D'border:none;border-left:solid #B5C4DF 4.5pt;=
> padding:0in 0in 0in 4.0pt;margin-left:3.75pt;margin-right:0in' id=3D"MAC_OU=
> TLOOK_ATTRIBUTION_BLOCKQUOTE"><div><p class=3DMsoNormal><span style=3D'font=
> -family:Consolas;color:black'>of<o:p></o:p></span></p></div><div><p class=
> =3DMsoNormal><span style=3D'font-family:Consolas;color:black'>&gt;&nbsp;&nb=
> sp;&nbsp;&nbsp;other applications and services.&nbsp;&nbsp;This document ex=
> plores the<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span style=
> =3D'font-family:Consolas;color:black'>&gt;&nbsp;&nbsp;&nbsp;&nbsp;challenge=
> s involved in the transition to IPv6, potential<o:p></o:p></span></p></div>=
> </blockquote><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;=
> color:black'>migration<o:p></o:p></span></p></div><blockquote style=3D'bord=
> er:none;border-left:solid #B5C4DF 4.5pt;padding:0in 0in 0in 4.0pt;margin-le=
> ft:3.75pt;margin-right:0in' id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"><div>=
> <p class=3DMsoNormal><span style=3D'font-family:Consolas;color:black'>&gt;&=
> nbsp;&nbsp;&nbsp;&nbsp;tactics, possible migration phases, and other consid=
> erations.<o:p></o:p></span></p></div></blockquote><div><p class=3DMsoNormal=
> ><span style=3D'font-family:Consolas;color:black'>The<o:p></o:p></span></p>=
> </div><blockquote style=3D'border:none;border-left:solid #B5C4DF 4.5pt;padd=
> ing:0in 0in 0in 4.0pt;margin-left:3.75pt;margin-right:0in' id=3D"MAC_OUTLOO=
> K_ATTRIBUTION_BLOCKQUOTE"><div><p class=3DMsoNormal><span style=3D'font-fam=
> ily:Consolas;color:black'>&gt;&nbsp;&nbsp;&nbsp;&nbsp;audience for this doc=
> ument is the Internet community generally,<o:p></o:p></span></p></div><div>=
> <p class=3DMsoNormal><span style=3D'font-family:Consolas;color:black'>&gt;&=
> nbsp;&nbsp;&nbsp;&nbsp;particularly IPv6 implementers.<o:p></o:p></span></p=
> ></div><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:=
> black'>&gt;<o:p>&nbsp;</o:p></span></p></div><div><p class=3DMsoNormal><spa=
> n style=3D'font-family:Consolas;color:black'>&gt;<o:p>&nbsp;</o:p></span></=
> p></div><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;color=
> :black'>&gt;<o:p>&nbsp;</o:p></span></p></div><div><p class=3DMsoNormal><sp=
> an style=3D'font-family:Consolas;color:black'>&gt;<o:p>&nbsp;</o:p></span><=
> /p></div><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;colo=
> r:black'>&gt; The file can be obtained via<o:p></o:p></span></p></div><div>=
> <p class=3DMsoNormal><span style=3D'font-family:Consolas;color:black'>&gt; =
> <a href=3D"http://datatracker.ietf.org/doc/draft-ietf-v6ops-v6-aaaa-">http:=
> //datatracker.ietf.org/doc/draft-ietf-v6ops-v6-aaaa-</a><o:p></o:p></span><=
> /p></div><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;colo=
> r:black'>whitelisting-impl<o:p></o:p></span></p></div><div><p class=3DMsoNo=
> rmal><span style=3D'font-family:Consolas;color:black'>&gt; ications/<o:p></=
> o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'font-family:C=
> onsolas;color:black'>&gt;<o:p>&nbsp;</o:p></span></p></div><div><p class=3D=
> MsoNormal><span style=3D'font-family:Consolas;color:black'>&gt; IESG discus=
> sion can be tracked via<o:p></o:p></span></p></div><div><p class=3DMsoNorma=
> l><span style=3D'font-family:Consolas;color:black'>&gt; <a href=3D"http://d=
> atatracker.ietf.org/doc/draft-ietf-v6ops-v6-aaaa-">http://datatracker.ietf.=
> org/doc/draft-ietf-v6ops-v6-aaaa-</a><o:p></o:p></span></p></div><div><p cl=
> ass=3DMsoNormal><span style=3D'font-family:Consolas;color:black'>whitelisti=
> ng-impl<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span style=3D=
> 'font-family:Consolas;color:black'>&gt; ications/<o:p></o:p></span></p></di=
> v><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:black=
> '>&gt;<o:p>&nbsp;</o:p></span></p></div><div><p class=3DMsoNormal><span sty=
> le=3D'font-family:Consolas;color:black'>&gt;<o:p>&nbsp;</o:p></span></p></d=
> iv><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:blac=
> k'>&gt; No IPR declarations have been submitted directly on this I-D.<o:p><=
> /o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'font-family:=
> Consolas;color:black'>&gt;<o:p>&nbsp;</o:p></span></p></div><div><p class=
> =3DMsoNormal><span style=3D'font-family:Consolas;color:black'>&gt;<o:p>&nbs=
> p;</o:p></span></p></div><div><p class=3DMsoNormal><span style=3D'font-fami=
> ly:Consolas;color:black'>&gt;<o:p>&nbsp;</o:p></span></p></div><div><p clas=
> s=3DMsoNormal><span style=3D'font-family:Consolas;color:black'>&gt; _______=
> ________________________________________<o:p></o:p></span></p></div><div><p=
>  class=3DMsoNormal><span style=3D'font-family:Consolas;color:black'>&gt; v6=
> ops mailing list<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span=
>  style=3D'font-family:Consolas;color:black'>&gt; <a href=3D"mailto:v6ops@ie=
> tf.org">v6ops@ietf.org</a><o:p></o:p></span></p></div><div><p class=3DMsoNo=
> rmal><span style=3D'font-family:Consolas;color:black'>&gt; <a href=3D"https=
> ://www.ietf.org/mailman/listinfo/v6ops">https://www.ietf.org/mailman/listin=
> fo/v6ops</a><o:p></o:p></span></p></div><div><p class=3DMsoNormal><span sty=
> le=3D'font-family:Consolas;color:black'>&gt;<o:p>&nbsp;</o:p></span></p></d=
> iv><div><p class=3DMsoNormal><span style=3D'font-family:Consolas;color:blac=
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
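
The NSEC argument in the quoted thread above, as an added example that is not part of the original message: it encodes the NSEC type bitmap (RFC 4034, section 4.1.2) and checks a NODATA answer for AAAA in the two cases discussed, one signed zone with AAAA filtered from responses versus two separately signed views. The owner name, function names and the `hide` parameter are hypothetical, and RRSIG verification is assumed to succeed so that only the bitmap logic is exercised.

```python
"""NODATA validation against the NSEC type bitmap (RFC 4034 section 4.1.2).

Added illustration: one signed zone with AAAA filtered out of responses,
compared with two separately signed views. RRSIG checks are abstracted away.
"""
import struct

# IANA RR type codes used below.
A, CNAME, AAAA, RRSIG, NSEC = 1, 5, 28, 46, 47

OWNER = "www.example.com."  # constructed name, not from the thread


def encode_type_bitmap(types):
    """Encode RR type codes as NSEC window blocks: window, length, bitmap."""
    windows = {}
    for rrtype in sorted(types):
        window, low = divmod(rrtype, 256)
        bitmap = windows.setdefault(window, bytearray(32))
        bitmap[low // 8] |= 0x80 >> (low % 8)  # bit 0 is the most significant
    out = b""
    for window in sorted(windows):
        bitmap = bytes(windows[window]).rstrip(b"\x00")  # drop trailing zeros
        out += struct.pack("!BB", window, len(bitmap)) + bitmap
    return out


def decode_type_bitmap(data):
    """Decode NSEC window blocks into a set of type codes; reject bad lengths."""
    types, i = set(), 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[i], data[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(data):
            raise ValueError("malformed window block")
        for index, octet in enumerate(data[i + 2:i + 2 + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add(window * 256 + index * 8 + bit)
        i += 2 + length
    return types


def sign_view(rrsets):
    """Return {owner: NSEC bitmap} for one view (signatures assumed valid)."""
    return {owner: encode_type_bitmap(set(types) | {RRSIG, NSEC})
            for owner, types in rrsets.items()}


def answer(rrsets, nsec, owner, qtype, hide=frozenset()):
    """Authoritative reply. `hide` models filtering a type out of responses
    served from a single signed zone (hypothetical parameter)."""
    if qtype in rrsets[owner] and qtype not in hide:
        return ("DATA", None)
    return ("NODATA", nsec[owner])


def validate(qtype, response):
    """A NODATA proof needs an NSEC at the owner name whose bitmap has
    neither the queried type nor CNAME set; otherwise the answer is bogus."""
    kind, bitmap = response
    if kind == "DATA":
        return "secure"
    present = decode_type_bitmap(bitmap)
    return "bogus" if (qtype in present or CNAME in present) else "secure"


def single_zone_filtered():
    """One zone holds A and AAAA; AAAA is withheld from this resolver."""
    zone = {OWNER: {A, AAAA}}
    return validate(AAAA, answer(zone, sign_view(zone), OWNER, AAAA, hide={AAAA}))


def separate_views():
    """Two views signed independently: each NSEC matches its own contents."""
    v4_only, dual = {OWNER: {A}}, {OWNER: {A, AAAA}}
    return (validate(AAAA, answer(v4_only, sign_view(v4_only), OWNER, AAAA)),
            validate(AAAA, answer(dual, sign_view(dual), OWNER, AAAA)))


if __name__ == "__main__":
    print("single zone, AAAA filtered:", single_zone_filtered())
    print("separately signed views   :", separate_views())
```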