IETF Logo Mail Archive

Re: [v6ops] Last Call: <draft-ietf-v6ops-v6-aaaa-whitelisting-implications-08.txt> (Considerations for Transitioning Content to IPv6) to Informational RFC

Mark Andrews <marka@isc.org> Mon, 20 February 2012 20:49 UTC

Return-Path: <marka@isc.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4522321F85BD for <v6ops@ietfa.amsl.com>; Mon, 20 Feb 2012 12:49:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.242
X-Spam-Level:
X-Spam-Status: No, score=-2.242 tagged_above=-999 required=5 tests=[AWL=-0.243, BAYES_00=-2.599, J_CHICKENPOX_13=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AcyjaHYE3dCR for <v6ops@ietfa.amsl.com>; Mon, 20 Feb 2012 12:49:13 -0800 (PST)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by ietfa.amsl.com (Postfix) with ESMTP id 6B4D921F854E for <v6ops@ietf.org>; Mon, 20 Feb 2012 12:49:07 -0800 (PST)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mail.isc.org", Issuer "RapidSSL CA" (not verified)) by mx.ams1.isc.org (Postfix) with ESMTPS id AA7FB5F98AF; Mon, 20 Feb 2012 20:48:49 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:470:1f00:820:f4e3:78f1:fc50:1cf2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id 5575C216C31; Mon, 20 Feb 2012 20:48:47 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id 556861DA0095; Tue, 21 Feb 2012 07:48:42 +1100 (EST)
To: Havard Eidnes <he@uninett.no>
From: Mark Andrews <marka@isc.org>
References: <20120201150911.25955.80172.idtracker@ietfa.amsl.com> <017501ccefdc$68025a50$38070ef0$@lampo@eurid.eu> <13205C286662DE4387D9AF3AC30EF456D7671A210C@EMBX01-WF.jnpr.net> <20120220.170216.446120856.he@uninett.no>
In-reply-to: Your message of "Mon, 20 Feb 2012 17:02:16 BST." <20120220.170216.446120856.he@uninett.no>
Date: Tue, 21 Feb 2012 07:48:42 +1100
Message-Id: <20120220204842.556861DA0095@drugs.dv.isc.org>
Cc: marc.lampo@eurid.eu, v6ops@ietf.org
Subject: Re: [v6ops] Last Call: <draft-ietf-v6ops-v6-aaaa-whitelisting-implications-08.txt> (Considerations for Transitioning Content to IPv6) to Informational RFC
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Feb 2012 20:49:14 -0000

One can whitelist with DNSSEC at the source.  It just requires
having two nsec/nsec3 chains if the zone is signed.  One with AAAA
records in the bit map field and one without.  There are a number
of ways to implement this.  It's just a matter of returning consistent
answers.

In named this can be done with views.

	view "aaaa" {
		match-clients {
			key aaaa; !key noaaaa;
			whitelist;
		};
		zone "example.com" {
			type master;
			file "aaaa/example.com.signed";
		};
	};

	view "noaaaa" {
		match-clients {
			key noaaaa; !key aaaa;
			!whitelist; any;
		};
		zone "example.com" {
			type master;
			file "noaaaa/example.com.signed";
		};
	};

If you want to whitelist in the resolver, then DO=1 + signed AAAA
disables whitelisting.  There is no point when the client can detect
that it is happening.  This is what we did for filter-aaaa in named.

In message <20120220.170216.446120856.he@uninett.no>, Havard Eidnes writes:
> > The IESG has already approved this drat for publication.  However, I
> > think that your comment is significant if you can make a case that
> > the DNS information returned to the user is less trustworthy than it
> > would have been had the authoritative DNS not been practicing
> > whitelisiting.  Can you make this case?
> 
> "Less trustworthy" would be an imprecise euphemistic term to use in
> this case.  Instead, the returned data would fail cryptographic
> validation as performed by DNSSEC, and would therefore be discarded as
> invalid ("incorrect") by a DNSSEC-validating resolver.
> 
> Therefore, it would seem to me that you can either do AAAA
> whitelisting or DNSSEC, but not successfully do both.
> 
> Regards,
> 
> - H=E5vard
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email