IETF Logo Mail Archive

Re: [v6ops] draft-bp-v6ops-ipv6-ready-dns-dnssec

Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 07 December 2018 19:51 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55498130E96 for <v6ops@ietfa.amsl.com>; Fri, 7 Dec 2018 11:51:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g0T2muDrm4lm for <v6ops@ietfa.amsl.com>; Fri, 7 Dec 2018 11:51:33 -0800 (PST)
Received: from mail-pg1-x52e.google.com (mail-pg1-x52e.google.com [IPv6:2607:f8b0:4864:20::52e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D24C21200D7 for <v6ops@ietf.org>; Fri, 7 Dec 2018 11:51:32 -0800 (PST)
Received: by mail-pg1-x52e.google.com with SMTP id z11so2167816pgu.0 for <v6ops@ietf.org>; Fri, 07 Dec 2018 11:51:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=8n/BpP90hsBA1jkY+I6NZmyhQLsZFV0DiIYvykcKnHY=; b=nu2B8MFQCepG+ceEOVwBegeZnS8ajiv6ieGcHlr995goeBTfKHiJb6U+z9ky8XEVEz P/FVboT0kzJ7ZaFOWmiQ90+I7c4YUdkGOFCEdx2DFvvhwGfbXzJScK0/A/ijxnm6Duis YvUb6l0qFkIkVwPtOlj2uB65awQxdq/ZZ83Qd95/FeOJ5eCIsH+9T5SJR63h0BBtqiw0 ejlfVnpwc7JHK681oDvlTrC8YpfKSzgWg6o1h74VGOfq61aTmqWQiu31PMJe8f+SJKYa jbPlUJqZlvJftx7S/dRiWufJnES77ZZkHfKBwMflyPnAfqOoFX6Mx0AlxJcJBiC1vQaK qOxw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=8n/BpP90hsBA1jkY+I6NZmyhQLsZFV0DiIYvykcKnHY=; b=MLlSZNFAmi4p93NP1TcAycoC/w71X1AJSfVbi2h2DdXX/gRNY4NKTLWi7+4Sd1SiAY JP4WXdHouYAG9dn+PQM38Tezy0f60ycfLHsW4EnhhSN8EHsoL2gXCs8rQ4ZNu8ULuY2L FmyDLYRAjJAYxAGDlFM2Z3p7WNFP6DPg0UMwpRy6uijQ8nGdGUdDVs+TBmxHCfdNvHZ+ FnFMgIahQ0nkLPGE6QFq4a7k/0rIqtNRx6rKvuSamo9fjucKunqDa8DBQEOYXIyqTEK1 9q/cLduW3Syy7FFx6D0xJtfHbdN1QbDDT3ejoAVBfxRryAka2X5bSiG+yCpr20Ml3ks5 UTGw==
X-Gm-Message-State: AA+aEWZRxB9XNTBBlzFCscmiMi3N6xXLubmsRb0brwycfWqLzh9GNiOx H3AqPJodr50e3LqYCgRrCkeKjy/P8So=
X-Google-Smtp-Source: AFSGD/XC4wAV/rwVixyEHphDoSEnm+qCQ8lynLrXCQ3z8IdhSe/rkYdCl2sKFueAOcDHzcNC1KDquA==
X-Received: by 2002:a63:24c2:: with SMTP id k185mr2994964pgk.406.1544212292147; Fri, 07 Dec 2018 11:51:32 -0800 (PST)
Received: from [192.168.178.30] ([118.148.76.40]) by smtp.gmail.com with ESMTPSA id o66sm12616081pgo.75.2018.12.07.11.51.29 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 07 Dec 2018 11:51:31 -0800 (PST)
To: 神明達哉 <jinmei@wide.ad.jp>, Ronald Bonica <rbonica@juniper.net>
Cc: v6ops@ietf.org
References: <BYAPR05MB42454BAA0B704263C0F02604AEAE0@BYAPR05MB4245.namprd05.prod.outlook.com> <CAJE_bqdT16yxhds5PxNmMDHKB=HOMJF9uQcBiOazHmnUGMjwgA@mail.gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <32f99408-8ece-81e0-c6f8-42ff253e33fa@gmail.com>
Date: Sat, 08 Dec 2018 08:51:26 +1300
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.3.2
MIME-Version: 1.0
In-Reply-To: <CAJE_bqdT16yxhds5PxNmMDHKB=HOMJF9uQcBiOazHmnUGMjwgA@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/CYAmT_bkRWsVLcauoNoB8aIazws>
Subject: Re: [v6ops] draft-bp-v6ops-ipv6-ready-dns-dnssec
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Dec 2018 19:51:35 -0000

On 2018-12-08 08:34, 神明達哉 wrote:
> At Mon, 3 Dec 2018 16:56:51 +0000,
> Ron Bonica <rbonica@juniper.net> wrote:
> 
>> Each week between now and IETF 104, we will review and discuss one draft
> with an eye towards progressing it.
>>
>> This week, please review and comment on
> draft-bp-v6ops-ipv6-ready-dns-dnssec.
> 
> I've read draft-bp-v6ops-ipv6-ready-dns-dnssec-00.
> 
> While the motivation is laudable, I have to say I'm skeptical about
> its effectiveness if one main audience is "the IPv4 laggards".  

Unfortunately I have to agree. An IETF RFC seems like the least
likely method of achieving the desired result. I think past experience
shows that hard, persistent work through the major operational
gatherings and forums, particularly the various RIR-sponsored meetings,
with help from ISOC, is the only way to get anywhere.

    Brian

> Just
> as it may be "unfair" that an IPv6-only service provider needs to
> handle A-only DNSSEC signed zones, it would be "unfair" for these
> "laggards" that they are required to deploy IPv6 services and publish
> corresponding AAAAs when they only need (for whatever reasons)
> IPv4-only services.  I suspect referring to RFC6540 doesn't help for
> those people.
> 
> On a related note, there's one thing I'm not sure from the draft:
> whether "requiring AAAA" also means "requiring to provide the
> corresponding service over IPv6" (here I assume the existence of such
> a service; that should normally be the case in practice).  In the
> previous paragraph I assumed the draft requires this too, but if it
> only means some AAAA that is correctly signed but the address doesn't
> have to be accessible over IPv6, then it might be more acceptable for
> lazy "laggards".  Ideally such an unreachable IPv6 address should
> cause an immediate failure when an IPv6 node tries to send a packet to
> it, but some smartness like HE may be good enough to handle cases
> where those IPv6 addresses create a blackhole.  If that's the intent
> of the draft, I'd suggest making it clearer, possibly with suggesting
> some specific IPv6 addresses (maybe ::?) to be used for this purpose.
> 
> This draft seems to also talk about providing IPv6 reachability to
> name servers (which is irrelevant to providing DNSSEC-signed AAAA).
> For example Section 6 states:
> 
>    In the context of this document, and others that may be generated as
>    a consequence of it, "IPv6-Ready DNS/DNSSEC Infrastructure" means
>    that a DNS/DNSSEC server (root, TLD, authoritative NS, others) is
>    fully accessible and operational if queried either from a remote
>    dual-stack network or an IPv6-only network.
> 
> Is my understanding correct?  If so, I suspect it's more likely to be
> just ignored by the "laggards" for the same reason as that I mentioned
> above.  And, in any case, I personally think it's better if this
> document focuses on the issue of interaction between DNSSEC and
> DNS64.  If my understanding of this part is incorrect, then it's not
> clear to me what it means and I'd suggest rewriting it.
> 
> --
> JINMEI, Tatuya
> 
> 
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>

v2.23.0 | Report a Bug | By Email