IETF Logo Mail Archive

Re: [v6ops] New Version Notification for draft-bp-v6ops-ipv6-ready-dns-dnssec-00.txt

Jen Linkova <furry13@gmail.com> Wed, 17 October 2018 09:47 UTC

Return-Path: <furry13@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31C2412D4EB for <v6ops@ietfa.amsl.com>; Wed, 17 Oct 2018 02:47:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q4D0_sYx6b_2 for <v6ops@ietfa.amsl.com>; Wed, 17 Oct 2018 02:47:07 -0700 (PDT)
Received: from mail-qt1-x836.google.com (mail-qt1-x836.google.com [IPv6:2607:f8b0:4864:20::836]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C2DD129AB8 for <v6ops@ietf.org>; Wed, 17 Oct 2018 02:47:07 -0700 (PDT)
Received: by mail-qt1-x836.google.com with SMTP id e22-v6so29204847qto.6 for <v6ops@ietf.org>; Wed, 17 Oct 2018 02:47:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=i3YuWFOVeDEhmWdsU8Mw+dctevmg/91y4EWcTlWwCIo=; b=LqvIERcl4J5H97+rCg61vlaHquqv940KdRH5duJ7JofGMibgNhtmE1/mP0b6ExFfLn o3RvXP41uCTAzL/Dla/N+VVZVEosQDlZUn7l600FcrFM7rsJoOzUnA0b9QH5X4bUHgJK 9wBshhFzOmyt881KlnpTb/+3tsaPF7lsKoWa0+x8Nb0kuz4X6s+s2VXbcIx841FXlQFJ T/TvBm/QZ5LfiFF6l56zNa3E3qJ1Drung4D5iuRy1cy8UXNCR2oXoOvU2Gv4PmAt0BII 05dKlbj0XF+fgqjNRNwYvmK+QlKK7K1Nsrw2ZLs0SmXnDU4Va7qz+ivyNRDKkJHq0Vy+ 66aA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=i3YuWFOVeDEhmWdsU8Mw+dctevmg/91y4EWcTlWwCIo=; b=Zwcocf6ftwZ+7U+G9WBIKQi4TFu0Iu/L3/Wbo3eaTVXhFxDjapP6EbiIaF1fJJQILL hOyydKIP4o9NsodVJdWoOfRzWwMJDbs99vXZvXiKPCKf1YQy1F+4JtNHN73Mj87seqN9 RjHYgLI14r+D1BuL8UHmeutcijRWmBJiLOM97j32px6WWdgSCZqdXKJFa1B5QN0SNwVK Hy/vnf48Y8SUgdNuWo7uWAQYBhPVcExF+tc94yJkmC9BIXE3xRKzB3qldt7xKKPGP5Tp hMC2Xya2BFY/Fr4oF0bggAi54IPJh9babEYVyGknHTlgpeP3MJJuTkVOzjHDjdbKDjuO vLeQ==
X-Gm-Message-State: ABuFfohGzFAFRwAutYBRZ/AObQtLFkh9tssaRHSZrAOpyYz/Ie4MdFvb MDXumKwSOOty8NGLCVNbV8jrEP1PE96KzyATLy0=
X-Google-Smtp-Source: ACcGV61V544VOLZgmWxsrqRNSiuPG0lhtvUvYOZcxfrg8RX1GY9PeJ7yOzCXaRM17e7nKbcEEY8Lp8tS3PgLHdKSzec=
X-Received: by 2002:ac8:3173:: with SMTP id h48-v6mr24720452qtb.125.1539769626367; Wed, 17 Oct 2018 02:47:06 -0700 (PDT)
MIME-Version: 1.0
References: <153919621638.5900.18199747860735930931.idtracker@ietfa.amsl.com> <28C84190-026A-418D-B8E0-147B9F852018@consulintel.es>
In-Reply-To: <28C84190-026A-418D-B8E0-147B9F852018@consulintel.es>
From: Jen Linkova <furry13@gmail.com>
Date: Wed, 17 Oct 2018 20:46:54 +1100
Message-ID: <CAFU7BATrs0nqEtzViT=3-2NV3YW-9ChUO9dunCLKQp8fM+zdDQ@mail.gmail.com>
To: jordi.palet=40consulintel.es@dmarc.ietf.org
Cc: V6 Ops List <v6ops@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/B6m8-3kjSdRMd3GTDEU9X05fMNk>
Subject: Re: [v6ops] New Version Notification for draft-bp-v6ops-ipv6-ready-dns-dnssec-00.txt
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Oct 2018 09:47:09 -0000

On Thu, Oct 11, 2018 at 5:33 AM JORDI PALET MARTINEZ
<jordi.palet=40consulintel.es@dmarc.ietf.org> wrote:
> We have worked in an integrated version of two documents:
>
> draft-v6ops-byrne-dnssecaaaa
> draft-palet-sunset4-ipv6-ready-dns-00
>
> The new document is now:
>
> https://datatracker.ietf.org/doc/draft-bp-v6ops-ipv6-ready-dns-dnssec/?include_text=1

The new document starts with:
"This document defines the timing for implementing a worldwide
   IPv6-Ready DNS and DNSSEC infrastructure, in order to facilitate the
   global IPv6-only deployment."

So you are suggesting that DNS operators have to do some work (in
quite short timeframe) to facilitate something they might not even
care about...Not sure it would work.

Then there is a section 7 (Implementation Timeline) which look a bit
unrealistic. (I have to confess I wish we had a magic wand to make it
happen...).
If I let my imagination run wild...let's say a miracle has happened
and steps 1-3 are done.
Obviously *just* adding AAAA RR for A-only names has nothing to do
with enabling IPv6 for a service.
The service needs to have IPv6 connectivity (which might not even be
available in the specific location) it needs to be tested etc. Adding
AAAA w/o doing all of that would just negatively impact user
experience.
What would happen if a imaginary website cutekittens.example.net which
hosts popular videos of kittens (and koals) suddenly gets AAAA RR in
DNS w/o IPv6 being properly enabled for it? Or even worse, the
webservice would respond to TCP handshake but would not be able to
server users over IPv6? Well, I'm sure 99.9% of level1 techsupport
engineers would tell the unhappy customers "disable IPv6 on your
device and it would solve your issue". I'm not sure it's want we want.

Also, how exactly are you suggesting to enforce the step 4?

Last but not least: "If there is a failure at the
   deadline in complying with those requirements, the relevant NS, MUST
   be temporarily suspended until there is a subsequent successful
   verification."
So an NS for cutekittens.example.net got suspended (whatever it means).
So the server would become unreachable? How could it be fixed/get IPv6 enabled?

"MUST" in RFCs are (usually) for a reason. If you do not follow MUST
smth bad would happen.
This draft has a lot of MUST which (IMHO) could not be enforced.

To sum up, I found draft-v6ops-byrne-dnssecaaaa be more useful and
realistic. It explains why if you want to use DNSSEC for your zone,
you should consider enable IPv6.

> -----Mensaje original-----
> De: <internet-drafts@ietf.org>
> Fecha: miércoles, 10 de octubre de 2018, 20:30
> Para: Jordi Palet <jordi.palet@theipv6company.com>, Jordi Palet Martinez <jordi.palet@theipv6company.com>, Cameron Byrne <cameron.byrne@t-mobile.com>, Cameron Byrne <Cameron.Byrne@T-Mobile.com>
> Asunto: New Version Notification for draft-bp-v6ops-ipv6-ready-dns-dnssec-00.txt
>
>
>     A new version of I-D, draft-bp-v6ops-ipv6-ready-dns-dnssec-00.txt
>     has been successfully submitted by Jordi Palet Martinez and posted to the
>     IETF repository.
>
>     Name:               draft-bp-v6ops-ipv6-ready-dns-dnssec
>     Revision:   00
>     Title:              IPv6-Ready DNS/DNSSSEC Infrastructure
>     Document date:      2018-10-10
>     Group:              Individual Submission
>     Pages:              6
>     URL:            https://www.ietf.org/internet-drafts/draft-bp-v6ops-ipv6-ready-dns-dnssec-00.txt
>     Status:         https://datatracker.ietf.org/doc/draft-bp-v6ops-ipv6-ready-dns-dnssec/
>     Htmlized:       https://tools.ietf.org/html/draft-bp-v6ops-ipv6-ready-dns-dnssec-00
>     Htmlized:       https://datatracker.ietf.org/doc/html/draft-bp-v6ops-ipv6-ready-dns-dnssec
>
>
>     Abstract:
>        This document defines the timing for implementing a worldwide
>        IPv6-Ready DNS and DNSSEC infrastructure, in order to facilitate the
>        global IPv6-only deployment.
>
>        A key issue for this, is the need for a global support of DNSSEC and
>        DNS64, which in some scenarios do not work well together.  This
>        document states that any DNSSEC signed resources records should
>        include a native IPv6 resource record as the most complete and
>        expedient path to solve any deployment conflict with DNS64 and DNSSEC
>
>
>
>
>     Please note that it may take a couple of minutes from the time of submission
>     until the htmlized version and diff are available at tools.ietf.org.
>
>     The IETF Secretariat
>
>
>
>
>
> **********************************************
> IPv4 is over
> Are you ready for the new Internet ?
> http://www.consulintel.es
> The IPv6 Company
>
> This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
>
>
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops



-- 
SY, Jen Linkova aka Furry

v2.23.0 | Report a Bug | By Email