Re: [v6ops] draft-byrne-v6ops-dnssecaaaa
JORDI PALET MARTINEZ <jordi.palet@consulintel.es> Wed, 05 September 2018 22:14 UTC
Return-Path: <prvs=1786a3a8e2=jordi.palet@consulintel.es>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E768130DC2 for <v6ops@ietfa.amsl.com>; Wed, 5 Sep 2018 15:14:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=consulintel.es
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e-hQ6c3q0gNh for <v6ops@ietfa.amsl.com>; Wed, 5 Sep 2018 15:14:50 -0700 (PDT)
Received: from mail.consulintel.es (mail.consulintel.es [IPv6:2001:470:1f09:495::5]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98407127332 for <v6ops@ietf.org>; Wed, 5 Sep 2018 15:14:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=consulintel.es; s=MDaemon; t=1536185682; x=1536790482; i=jordi.palet@consulintel.es; q=dns/txt; h=User-Agent:Date: Subject:From:To:Message-ID:Thread-Topic:References:In-Reply-To: Mime-version:Content-type; bh=sHu8K+Eg+c6O7joqXCvRignPRFtE4eAMjV Kl08ZMf9g=; b=Xn54xSaUpfipmImkcOdu2gepg83pL+e2Ev+TiXFu/D+nZmFEhz p3fl3iPyyNVtAqQLIu8x6hUU5OA1pyhhzM3YNCyxTIo1bqIT97WWkNDYc722ziIr leoMavgbM6PtEAQwxF7huMvASqbEBcjuKeJM1mhEc2ub1m16ybMmSkH9s=
X-MDAV-Result: clean
X-MDAV-Processed: mail.consulintel.es, Thu, 06 Sep 2018 00:14:42 +0200
X-Spam-Processed: mail.consulintel.es, Thu, 06 Sep 2018 00:14:41 +0200
Received: from [10.10.0.101] by mail.consulintel.es (MDaemon PRO v16.5.2) with ESMTPA id md50005872570.msg for <v6ops@ietf.org>; Thu, 06 Sep 2018 00:14:41 +0200
X-MDRemoteIP: 2404:2200:ff00:1:250:b6ff:fe19:7b3e
X-MDHelo: [10.10.0.101]
X-MDArrival-Date: Thu, 06 Sep 2018 00:14:41 +0200
X-Authenticated-Sender: jordi.palet@consulintel.es
X-Return-Path: prvs=1786a3a8e2=jordi.palet@consulintel.es
X-Envelope-From: jordi.palet@consulintel.es
X-MDaemon-Deliver-To: v6ops@ietf.org
User-Agent: Microsoft-MacOutlook/10.10.0.180812
Date: Thu, 06 Sep 2018 09:14:31 +1100
From: JORDI PALET MARTINEZ <jordi.palet@consulintel.es>
To: Lee Howard <lee@asgard.org>, v6ops@ietf.org
Message-ID: <8B7A91D7-EF42-46E9-A9DF-FF6B2A8BE091@consulintel.es>
Thread-Topic: [v6ops] draft-byrne-v6ops-dnssecaaaa
References: <CO1PR05MB443E35E7AC7D4B8EF0CE463AE020@CO1PR05MB443.namprd05.prod.outlook.com> <a82ff425-5f15-e0d7-50ae-3f72137f73d3@asgard.org>
In-Reply-To: <a82ff425-5f15-e0d7-50ae-3f72137f73d3@asgard.org>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3619070075_2068428495"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/EkHpsBT4jinN7y7ufzT22ayGTL0>
Subject: Re: [v6ops] draft-byrne-v6ops-dnssecaaaa
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Sep 2018 22:14:53 -0000
I’ve a similar document in sunset4. Maybe we want to combine both of them, now that sunset4 is sleeping ... https://tools.ietf.org/html/draft-palet-sunset4-ipv6-ready-dns-00 Regards, Jordi De: v6ops <v6ops-bounces@ietf.org> en nombre de Lee Howard <lee@asgard.org> Fecha: jueves, 6 de septiembre de 2018, 7:35 Para: <v6ops@ietf.org> Asunto: Re: [v6ops] draft-byrne-v6ops-dnssecaaaa I think this document should be BCP, not Informational. Section 2 s/mechanism/mechanisms in the first instance in the first sentence. How is HEv2 a transition mechanism? I'd rephrase to say, "DNS64 is a key part of widely deployed IPv6-only transition mechanisms, including several large 464xlat [RFC6877] deployments, and all NAT64 deployments." I think that clarifies that we're talking about specific deployments here. Since the discussion of DNSSEC in RFC6147 is so brief, I think it's worth discussing here, so the explanation of why it is an insufficient workaround is sufficient. I'd like to replace the last sentence of section 2 with a new paragraph: RFC6147 ("DNSSEC") outlines how validation may occur in the presence of DNSSEC: An existing DNSSEC validator (i.e., one that is unaware of DNS64) might reject all the data that comes from DNS64 as having been tampered with (even if it did not set CD when querying). If it is necessary to have validation behind the DNS64, then the validator must know how to perform the DNS64 function itself. Alternatively, the validating host may establish a trusted connection with a DNS64, and allow the DNS64 recursive resolver to do all validation on its behalf. [RFC6147 - DNS64] However, the domain administrator has no control over the client doing the validating, and clients (or their validating resolvers) cannot be expected to know about the presence of DNS64 a priori. Clients who might trust an authoritative name server for some content may not be as trusting of their carrier's DNS64 server. Section 3 s/to changes/to change s/not recommend/not recommended To soften the blow, I'd suggest adding a sentence, after "in tandem." "The IPv6 deployment may be as light weight as a translator, such as SIIT-DC [RFC7755]." There's more I'd add to the document, and it's the "So what?" For instance, in Security Considerations: "If clients trust RRs that fail validation (because they were invented by an DNS64 server), there is increased risk that they will trust other RRs that fail validation. Further, a compromised or hostile man-in-the-middle DNS64 server will be undetected, despite DNSSEC signing." In Section 2, I admit I don't know what a client actually sees, if anything. Do browsers or other applications warn that a name failed validation? I'm sure I can test it tomorrow. I don't know how to inform users or their content providers that "This record cannot be guaranteed to be accurate, since it failed DNS Security validation. It appears to be a synthetic record, since the name only has an IPv4 record." Even though my comments are longer than the draft, I like this effort, and wish I had initiated it. Lee On 09/05/2018 11:28 AM, Ron Bonica wrote: Folks, Each week between now and IETF 103, we will review and discuss one draft with an eye towards progressing it. This week, please review and comment on draft-byrne-v6ops-dnssecaaaa. Fred and Ron _______________________________________________ v6ops mailing list v6ops@ietf.org https://www.ietf.org/mailman/listinfo/v6ops _______________________________________________ v6ops mailing list v6ops@ietf.org https://www.ietf.org/mailman/listinfo/v6ops ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.consulintel.es The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
- [v6ops] draft-byrne-v6ops-dnssecaaaa Ron Bonica
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Lencse Gábor
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ca By
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ole Troan
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Lee Howard
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ca By
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Erik Nygren
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa David Farmer
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa JORDI PALET MARTINEZ
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Lee Howard
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Mark Andrews
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Fred Baker
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Lee Howard
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ole Troan
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ca By
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Lee Howard
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Lee Howard
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ca By
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ole Troan
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Lee Howard
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ole Troan
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Gert Doering
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Kristian McColm
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Lee Howard
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Adam Roach
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ole Troan
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Kristian McColm
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ole Troan
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ca By
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Mark Andrews
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Mark Andrews
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Fred Baker
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Lencse Gábor
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Mark Andrews
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Mark Andrews
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Lee Howard
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Mark Andrews
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Mark Andrews
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ca By
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Mark Andrews
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ole Troan
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ca By
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Lee Howard
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ca By
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Fred Baker
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa David Farmer
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Fred Baker
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa David Farmer
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa David Farmer