Re: [v6ops] draft-bp-v6ops-ipv6-ready-dns-dnssec
Lee Howard <lee@asgard.org> Fri, 07 December 2018 21:23 UTC
Return-Path: <lee@asgard.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7FFE130FEB for <v6ops@ietfa.amsl.com>; Fri, 7 Dec 2018 13:23:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QqyFvAKQaWin for <v6ops@ietfa.amsl.com>; Fri, 7 Dec 2018 13:23:36 -0800 (PST)
Received: from atl4mhob12.registeredsite.com (atl4mhob12.registeredsite.com [209.17.115.50]) by ietfa.amsl.com (Postfix) with ESMTP id 580C5130FEE for <v6ops@ietf.org>; Fri, 7 Dec 2018 13:23:36 -0800 (PST)
Received: from mailpod.hostingplatform.com (atl4qobmail03pod6.registeredsite.com [10.30.71.211]) by atl4mhob12.registeredsite.com (8.14.4/8.14.4) with ESMTP id wB7LNXrP001787 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for <v6ops@ietf.org>; Fri, 7 Dec 2018 16:23:33 -0500
Received: (qmail 18140 invoked by uid 0); 7 Dec 2018 21:23:33 -0000
X-TCPREMOTEIP: 174.64.33.182
X-Authenticated-UID: lee@asgard.org
Received: from unknown (HELO ?192.168.2.103?) (lee@asgard.org@174.64.33.182) by 0 with ESMTPA; 7 Dec 2018 21:23:33 -0000
To: v6ops@ietf.org
References: <BYAPR05MB42454BAA0B704263C0F02604AEAE0@BYAPR05MB4245.namprd05.prod.outlook.com>
From: Lee Howard <lee@asgard.org>
Message-ID: <865b83dc-15db-e293-f320-c951634dc14f@asgard.org>
Date: Fri, 07 Dec 2018 16:23:32 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <BYAPR05MB42454BAA0B704263C0F02604AEAE0@BYAPR05MB4245.namprd05.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/USKISvFJAfQA_dW4zjZVHzqyWRw>
Subject: Re: [v6ops] draft-bp-v6ops-ipv6-ready-dns-dnssec
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Dec 2018 21:23:39 -0000
On 12/3/18 11:56 AM, Ron Bonica wrote: > Folks, > > Each week between now and IETF 104, we will review and discuss one draft with an eye towards progressing it. > > This week, please review and comment on draft-bp-v6ops-ipv6-ready-dns-dnssec. > > Fred and Ron I like the wording of draft-byrne-v6ops-dnssecaaaa better. The substantive change here is section 7, the actual timeline, and I expect it would have the same effectiveness as rfc5211 "An Internet Transition Plan," which indicated a transition phase January 2010 - December 2011. In all other ways I find this document inferior to draft-byrne-v6ops-dnssecaaaa, a document I supported (with comments, like wanting to know if there are ever any DNSSEC validators behind DNS64). For judging consensus: I think a document would be useful in this space, but I don't think this is that document. Detailed review follows. _Abstract_: A key issue for this, is the need for a global support to A key need is for global support _Introduction_: which will help to ensure that, when a network or part of it, becomes IPv6-only, still can have access to IPv4-only resources. to which will help to ensure that, when a network has IPv6 only, devices still have access to IPv4-only hosts. DNS64 ([RFC6147 <https://tools.ietf.org/html/rfc6147>]) is a widely deployed technology allowing hundreds of millions of IPv6-only hosts/networks to reach IPv4-only resources. Sounds like there's something uniquely scalable about DNS64. The description is section 3 is better, but also completely redundant with this paragraph. The text from "Furthermore, the deployment of those transition mechanisms" to "deployment in a fair way" seems out of place for an IETF document. I completely agree that it's unfair that those without IPv4 addresses must bear the cost of connecting to those with IPv4 addresses, I'm just not sure that's a consideration for the IETF. _Section 3_ I don't understand "While DNS64([RFC6147 <https://tools.ietf.org/html/rfc6147>]) outlines may work in harmony". Is that meant to read "as outlined"? Or are there outlines in DNS64? Suggest editing: The document also states that the most complete and expedient path to avoid any negative interactions is, for the DNSSEC signed resources, to always include IPv6 AAAA resources records. to The best path to avoid any negative interactions is for all DNSSEC signed resources to always include IPv6 AAAA resource records. _Section 4_ unlikely to changes to unlikely to change not recommend to not recommended The sentence Ultimately, this guidance is simply restating [RFC6540 <https://tools.ietf.org/html/rfc6540>], that IPv6 is mandatory for all Internet systems. is true, but begs the question of why this document is needed. The text from the original introduction is better: As stated in [RFC6540 <https://tools.ietf.org/html/rfc6540>], IPv6 [RFC8200 <https://tools.ietf.org/html/rfc8200>] is not optional and failing to support IPv6 may result in failure to communicate on the internet, especially when DNSSEC signed IPv4-only resources are present. There is no reason for sections 3 and 4 to be separate sections, and there is no need for section 5, and I don't understand any reason for section 6. Section 7 was mentioned earlier. Section 8 could be rewritten to point out that if users get frequent warnings of DNSSEC validation failures (due to DNS64), they will begin to ignore them. Section 9 is not really within the authority of the IETF. ICANN does have an IPv6 program, and a proposal to track DNSSEC and IPv6 on servers is something they could do, but such a request would have to come via a liaison statement from the IAB, or even better, suggestions from the supporting organizations, including SSAC, RSSAC, ASO, gNSO, ccNSO, and maybe GAC. I hope that's useful. Lee
- [v6ops] draft-bp-v6ops-ipv6-ready-dns-dnssec Ron Bonica
- Re: [v6ops] draft-bp-v6ops-ipv6-ready-dns-dnssec Lencse Gábor
- Re: [v6ops] draft-bp-v6ops-ipv6-ready-dns-dnssec 神明達哉
- Re: [v6ops] draft-bp-v6ops-ipv6-ready-dns-dnssec Brian E Carpenter
- Re: [v6ops] draft-bp-v6ops-ipv6-ready-dns-dnssec 神明達哉
- Re: [v6ops] draft-bp-v6ops-ipv6-ready-dns-dnssec Lee Howard
- Re: [v6ops] draft-bp-v6ops-ipv6-ready-dns-dnssec Lencse Gábor