Re: [v6ops] NAT64/DNS64 and DNSSEC
<holger.metschulat@telekom.de> Tue, 28 July 2015 19:58 UTC
Hello,

but isn't there a gap that when performing the RFC7050 64pref detection by querying ipv6only.arpa, an attacker can spoof this answer (DNSSEC won't work here, for example, the attacker - when between the client and the DNS - can return for example 2001:db8::192.0.0.170 (where 2001:db8:: is a prefix owned by the attacker)) and then attract all IPv4 traffic from the victim?

Nevertheless, an answer to the proliferation of DNSSEC and at the same time increasing usage of DNS64/NAT has to be found, not to stop the success of one or the other.

--
Holger Metschulat
Deutsche Telekom Technik GmbH
Heinrich-Hertz-Strasse 3-7, 64295 Darmstadt
+49 6151 58 - 18671 (Tel.)
+49 160 901 35443 (Mobile)
E-Mail: holger.metschulat@telekom.de
http://www.telekom.de

Experience what connects.
The mandatory legal information can be found at: www.telekom.de/pflichtangaben-dttechnik
Big changes start small - conserve resources and don't print every e-mail.

-----Original Message-----
From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Erik Kline
Sent: Friday, 24 July 2015 12:37
To: Philip Homburg
Cc: v6ops@ietf.org
Subject: Re: [v6ops] NAT64/DNS64 and DNSSEC

> I guess this is easy enough to add to for example getdns
> (https://getdnsapi.net/) One question is how an application would
> find out that it is running in a DNS64 environment. Another option is
> for getdns to do the probing and enable this option automatically.

One approach comes to mind: when a client resolver starts up, it checks ipv4only.arpa (https://tools.ietf.org/html/rfc7050#section-8.2) and after that can synthesize AAAAs as needed (DNS64 is done in the client) while getting validated answers for other things as desired.
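The spoofing concern raised in the message above, as an added example that is not part of the original thread: a client derives Pref64::/n from AAAA answers for ipv4only.arpa using the RFC 7050 well-known addresses and the RFC 6052 address layouts, then refuses any prefix that is not on a locally configured trust list. The function names, the `TRUSTED` list and the sample answers are assumptions made for illustration.

```python
import ipaddress

# RFC 7050 well-known IPv4 addresses published under ipv4only.arpa.
WKA = {ipaddress.IPv4Address("192.0.0.170"), ipaddress.IPv4Address("192.0.0.171")}

# RFC 6052 layouts: prefix length -> byte offsets of the four IPv4 octets
# inside the IPv6 address (byte 8 is the reserved "u" octet and is skipped).
LAYOUTS = {32: (4, 5, 6, 7), 40: (5, 6, 7, 9), 48: (6, 7, 9, 10),
           56: (7, 9, 10, 11), 64: (9, 10, 11, 12), 96: (12, 13, 14, 15)}

# Assumption: prefixes this host is willing to send IPv4-bound traffic to.
# Only the RFC 6052 well-known prefix here; an operator would add its own.
TRUSTED = [ipaddress.IPv6Network("64:ff9b::/96")]


def discover_pref64(aaaa_answers):
    """Derive candidate Pref64::/n values from AAAA answers for ipv4only.arpa."""
    found = set()
    for text in aaaa_answers:
        raw = ipaddress.IPv6Address(text).packed
        for plen, offsets in LAYOUTS.items():
            if ipaddress.IPv4Address(bytes(raw[i] for i in offsets)) in WKA:
                head = raw[:plen // 8]  # prefix bytes; host bits are zeroed below
                found.add(ipaddress.IPv6Network((head + bytes(16 - len(head)), plen)))
    return found


def vet_pref64(aaaa_answers, trusted=TRUSTED):
    """Return (accepted, rejected) prefixes; rejected ones are never installed."""
    candidates = discover_pref64(aaaa_answers)
    accepted = {p for p in candidates if any(p.subnet_of(t) for t in trusted)}
    return accepted, candidates - accepted


# Constructed sample answers (not captured traffic).
GENUINE = ["64:ff9b::192.0.0.170", "64:ff9b::192.0.0.171"]
SPOOFED = ["2001:db8::192.0.0.170"]  # the forged answer described in the message

if __name__ == "__main__":
    for label, answers in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        ok, bad = vet_pref64(answers)
        print(label, "accepted:", sorted(map(str, ok)),
              "rejected:", sorted(map(str, bad)))
```

The allowlist is a local policy decision and does not authenticate the DNS answer itself; it only bounds where synthesized addresses can point.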