IETF Logo Mail Archive

Re: [v6ops] draft-byrne-v6ops-dnssecaaaa

JORDI PALET MARTINEZ <jordi.palet@consulintel.es> Wed, 05 September 2018 22:14 UTC

Return-Path: <prvs=1786a3a8e2=jordi.palet@consulintel.es>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E768130DC2 for <v6ops@ietfa.amsl.com>; Wed, 5 Sep 2018 15:14:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=consulintel.es
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e-hQ6c3q0gNh for <v6ops@ietfa.amsl.com>; Wed, 5 Sep 2018 15:14:50 -0700 (PDT)
Received: from mail.consulintel.es (mail.consulintel.es [IPv6:2001:470:1f09:495::5]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98407127332 for <v6ops@ietf.org>; Wed, 5 Sep 2018 15:14:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=consulintel.es; s=MDaemon; t=1536185682; x=1536790482; i=jordi.palet@consulintel.es; q=dns/txt; h=User-Agent:Date: Subject:From:To:Message-ID:Thread-Topic:References:In-Reply-To: Mime-version:Content-type; bh=sHu8K+Eg+c6O7joqXCvRignPRFtE4eAMjV Kl08ZMf9g=; b=Xn54xSaUpfipmImkcOdu2gepg83pL+e2Ev+TiXFu/D+nZmFEhz p3fl3iPyyNVtAqQLIu8x6hUU5OA1pyhhzM3YNCyxTIo1bqIT97WWkNDYc722ziIr leoMavgbM6PtEAQwxF7huMvASqbEBcjuKeJM1mhEc2ub1m16ybMmSkH9s=
X-MDAV-Result: clean
X-MDAV-Processed: mail.consulintel.es, Thu, 06 Sep 2018 00:14:42 +0200
X-Spam-Processed: mail.consulintel.es, Thu, 06 Sep 2018 00:14:41 +0200
Received: from [10.10.0.101] by mail.consulintel.es (MDaemon PRO v16.5.2) with ESMTPA id md50005872570.msg for <v6ops@ietf.org>; Thu, 06 Sep 2018 00:14:41 +0200
X-MDRemoteIP: 2404:2200:ff00:1:250:b6ff:fe19:7b3e
X-MDHelo: [10.10.0.101]
X-MDArrival-Date: Thu, 06 Sep 2018 00:14:41 +0200
X-Authenticated-Sender: jordi.palet@consulintel.es
X-Return-Path: prvs=1786a3a8e2=jordi.palet@consulintel.es
X-Envelope-From: jordi.palet@consulintel.es
X-MDaemon-Deliver-To: v6ops@ietf.org
User-Agent: Microsoft-MacOutlook/10.10.0.180812
Date: Thu, 06 Sep 2018 09:14:31 +1100
From: JORDI PALET MARTINEZ <jordi.palet@consulintel.es>
To: Lee Howard <lee@asgard.org>, v6ops@ietf.org
Message-ID: <8B7A91D7-EF42-46E9-A9DF-FF6B2A8BE091@consulintel.es>
Thread-Topic: [v6ops] draft-byrne-v6ops-dnssecaaaa
References: <CO1PR05MB443E35E7AC7D4B8EF0CE463AE020@CO1PR05MB443.namprd05.prod.outlook.com> <a82ff425-5f15-e0d7-50ae-3f72137f73d3@asgard.org>
In-Reply-To: <a82ff425-5f15-e0d7-50ae-3f72137f73d3@asgard.org>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3619070075_2068428495"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/EkHpsBT4jinN7y7ufzT22ayGTL0>
Subject: Re: [v6ops] draft-byrne-v6ops-dnssecaaaa
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Sep 2018 22:14:53 -0000

I’ve a similar document in sunset4.

 

Maybe we want to combine both of them, now that sunset4 is sleeping ...

 

https://tools.ietf.org/html/draft-palet-sunset4-ipv6-ready-dns-00


Regards,

Jordi

 

 

 

De: v6ops <v6ops-bounces@ietf.org> en nombre de Lee Howard <lee@asgard.org>
Fecha: jueves, 6 de septiembre de 2018, 7:35
Para: <v6ops@ietf.org>
Asunto: Re: [v6ops] draft-byrne-v6ops-dnssecaaaa

 

I think this document should be BCP, not Informational.

Section 2

s/mechanism/mechanisms in the first instance in the first sentence.

How is HEv2 a transition mechanism?

I'd rephrase to say, "DNS64 is a key part of widely deployed IPv6-only transition mechanisms, including several large 464xlat [RFC6877] deployments, and all NAT64 deployments." I think that clarifies that we're talking about specific deployments here.

Since the discussion of DNSSEC in RFC6147 is so brief, I think it's worth discussing here, so the explanation of why it is an insufficient workaround is sufficient. I'd like to replace the last sentence of section 2 with a new paragraph:

RFC6147 ("DNSSEC") outlines how validation may occur in the presence of DNSSEC:

An existing DNSSEC validator (i.e., one that is unaware of DNS64) 
   might reject all the data that comes from DNS64 as having been
   tampered with (even if it did not set CD when querying).  If it is
   necessary to have validation behind the DNS64, then the validator
   must know how to perform the DNS64 function itself.  Alternatively,
   the validating host may establish a trusted connection with a DNS64,
   and allow the DNS64 recursive resolver to do all validation on its
   behalf. [RFC6147 - DNS64]

However, the domain administrator has no control over the client doing the validating, and clients (or their validating resolvers) cannot be expected to know about the presence of DNS64 a priori. Clients who might trust an authoritative name server for some content may not be as trusting of their carrier's DNS64 server.

Section 3

s/to changes/to change
s/not recommend/not recommended
To soften the blow, I'd suggest adding a sentence, after "in tandem."  "The IPv6 deployment may be as light weight as a translator, such as SIIT-DC [RFC7755]."


There's more I'd add to the document, and it's the "So what?"

For instance, in Security Considerations:
"If clients trust RRs that fail validation (because they were invented by an DNS64 server), there is increased risk that they will trust other RRs that fail validation. Further, a compromised or hostile man-in-the-middle DNS64 server will be undetected, despite DNSSEC signing."
In Section 2, I admit I don't know what a client actually sees, if anything. Do browsers or other applications warn that a name failed validation? I'm sure I can test it tomorrow. I don't know how to inform users or their content providers that "This record cannot be guaranteed to be accurate, since it failed DNS Security validation. It appears to be a synthetic record, since the name only has an IPv4 record."


Even though my comments are longer than the draft, I like this effort, and wish I had initiated it.

Lee

On 09/05/2018 11:28 AM, Ron Bonica wrote:
Folks,
 
Each week between now and IETF 103, we will review and discuss one draft with an eye towards progressing it.
 
This week, please review and comment on draft-byrne-v6ops-dnssecaaaa.
 
                                      Fred and Ron
 
_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops

_______________________________________________ v6ops mailing list v6ops@ietf.org https://www.ietf.org/mailman/listinfo/v6ops 



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

v2.23.0 | Report a Bug | By Email