Re: [v6ops] NAT64/DNS64 and DNSSEC

Czerwonka Michał 1 - Hurt <Michal.Czerwonka1@orange.com> Thu, 23 July 2015 10:08 UTC

+1

no DNS64 when NAT64+CLAT (464XLAT)
but one domain must be dns64 - "ipv4only.arpa"

BR,
Mcz



-----Original Message-----
From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Philip Homburg
Sent: Thursday, July 23, 2015 10:41 AM
To: v6ops@ietf.org
Subject: Re: [v6ops] NAT64/DNS64 and DNSSEC

In your letter dated Thu, 23 Jul 2015 09:13:26 +0200 (CEST) you wrote:
>as far as I know, DNS64 and DNSSEC are fundamentally incompatible, 
>because modifying A records into AAAA records breaks DNSSEC.

My conclusion is that essentially you have to do 464XLAT if the network does NAT64.

That way you can have IPv4 literals and you can run unmodified DNS.
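
The address mapping behind this thread, as an added example that is not part of the original messages: DNS64 builds a AAAA record by embedding the A record's address in the NAT64 prefix (RFC 6052), which is the unsigned answer a DNSSEC validator rejects, while a 464XLAT client only needs the synthesized answer for "ipv4only.arpa" to learn that prefix (RFC 7050). The function names and sample answers are constructed for illustration, and only /96 prefixes are handled.

```python
import ipaddress

# Well-known IPv4 addresses of ipv4only.arpa (RFC 7050).
WKA = {ipaddress.IPv4Address("192.0.0.170"), ipaddress.IPv4Address("192.0.0.171")}

def synthesize_aaaa(prefix, a_record):
    """What a DNS64 resolver does: put the IPv4 address in the low 32 bits
    of a /96 NAT64 prefix. The result has no RRSIG from the zone owner."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("this example handles /96 prefixes only")
    v4 = ipaddress.IPv4Address(a_record)
    return ipaddress.IPv6Address(int(net.network_address) | int(v4))

def discover_prefix(aaaa_answers):
    """What a CLAT does with the AAAA answers for ipv4only.arpa: the name has
    no real AAAA record, so any answer ending in a well-known address was
    synthesized, and the upper 96 bits are the NAT64 prefix."""
    found = set()
    for answer in aaaa_answers:
        addr = int(ipaddress.IPv6Address(answer))
        if ipaddress.IPv4Address(addr & 0xFFFFFFFF) in WKA:
            found.add(ipaddress.IPv6Network((addr >> 32 << 32, 96)))
    return sorted(found)

def embedded_ipv4(prefix, aaaa):
    """Recover the original A record from a synthesized AAAA, or None when
    the address is outside the NAT64 prefix (a genuine AAAA record)."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(aaaa)
    if net.prefixlen != 96 or addr not in net:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)

if __name__ == "__main__":
    # Constructed answers, as a DNS64 using the well-known prefix would return.
    answers = ["64:ff9b::c000:aa", "64:ff9b::c000:ab"]
    prefix = discover_prefix(answers)[0]
    print("NAT64 prefix:", prefix)
    mapped = synthesize_aaaa(prefix, "192.0.2.33")
    print("192.0.2.33 ->", mapped)
    print("recovered A:", embedded_ipv4(prefix, mapped))
    print("native AAAA:", embedded_ipv4(prefix, "2001:db8::1"))
```

With the prefix learned this way, the client can translate IPv4 literals itself and query ordinary, unmodified DNS for every other name, so signed answers validate as published.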

