Re: [v6ops] NAT64/DNS64 and DNSSEC

<holger.metschulat@telekom.de> Tue, 28 July 2015 19:58 UTC

From: <holger.metschulat@telekom.de>
To: <v6ops@ietf.org>
Date: Tue, 28 Jul 2015 21:58:12 +0200
Message-ID: <88CAA5385EB5404392BF93106C8C53F89636B43DE3@HE111507.emea1.cds.t-internal.com>
References: <alpine.DEB.2.02.1507230910190.11810@uplift.swm.pp.se> <55B09AE5.4040609@gmail.com> <2BBE839B-37FB-4EA2-982E-58028E7A13B6@nominum.com> <55B0F344.4090005@gmail.com> <ED7E283A-0430-4D4E-87A6-ED9FD8DFC6F4@nominum.com> <m1ZIYIw-0000EuC@stereo.hq.phicoh.net> <CAAedzxrWExsiyh4hhsfJTufuRVM_67f2tGWkHCLc9kiduTU0hg@mail.gmail.com>
In-Reply-To: <CAAedzxrWExsiyh4hhsfJTufuRVM_67f2tGWkHCLc9kiduTU0hg@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/ViVkBdY3xHnfvQsvolUO6_u9xE0>
Subject: Re: [v6ops] NAT64/DNS64 and DNSSEC
List-Id: v6ops discussion list <v6ops.ietf.org>

Hello,

But isn't there a gap: when performing the RFC7050 64pref detection by querying ipv6only.arpa, an attacker can spoof this answer (DNSSEC won't work here; for example, the attacker, when between the client and the DNS, can return 2001:db8::192.0.0.170, where 2001:db8:: is a prefix owned by the attacker) and then attract all IPv4 traffic from the victim?

Nevertheless, an answer to the proliferation of DNSSEC and, at the same time, the increasing usage of DNS64/NAT has to be found, so as not to stop the success of one or the other.

-- 
Holger Metschulat
Deutsche Telekom Technik GmbH
Heinrich-Hertz-Strasse 3-7, 64295 Darmstadt
+49 6151 58 - 18671 (Tel.)
+49 160 901 35443 (Mobile)
E-Mail: holger.metschulat@telekom.de
http://www.telekom.de
Experience what connects.
The legally required disclosures can be found at: www.telekom.de/pflichtangaben-dttechnik
Big changes start small: conserve resources and don't print every e-mail.

-----Original Message-----
From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Erik Kline
Sent: Friday, 24 July 2015 12:37
To: Philip Homburg
Cc: v6ops@ietf.org
Subject: Re: [v6ops] NAT64/DNS64 and DNSSEC

> I guess this is easy enough to add to for example getdns 
> (https://getdnsapi.net/). One question is how an application would 
> find out that it is running in a DNS64 environment. Another option is 
> for getdns to do the probing and enable this option automatically.

One approach comes to mind: when a client resolver starts up, it checks ipv4only.arpa (https://tools.ietf.org/html/rfc7050#section-8.2), and after that can synthesize AAAAs as needed (DNS64 is done in the client) while getting validated answers for other things as desired.

_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops