Re: [v6ops] NAT64/DNS64 and DNSSEC
<mohamed.boucadair@orange.com> Wed, 29 July 2015 12:38 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D93581A8A44 for <v6ops@ietfa.amsl.com>; Wed, 29 Jul 2015 05:38:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.599
X-Spam-Level:
X-Spam-Status: No, score=-4.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, GB_I_LETTER=-2, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FmY-y0Cgh2iz for <v6ops@ietfa.amsl.com>; Wed, 29 Jul 2015 05:38:54 -0700 (PDT)
Received: from relais-inet.francetelecom.com (relais-ias244.francetelecom.com [80.12.204.244]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 256BB1A8A3E for <v6ops@ietf.org>; Wed, 29 Jul 2015 05:38:54 -0700 (PDT)
Received: from omfeda08.si.francetelecom.fr (unknown [xx.xx.xx.201]) by omfeda10.si.francetelecom.fr (ESMTP service) with ESMTP id 8ABC7374784; Wed, 29 Jul 2015 14:38:52 +0200 (CEST)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [10.114.31.18]) by omfeda08.si.francetelecom.fr (ESMTP service) with ESMTP id 6DD70384116; Wed, 29 Jul 2015 14:38:52 +0200 (CEST)
Received: from OPEXCLILMA3.corporate.adroot.infra.ftgroup ([fe80::60a9:abc3:86e6:2541]) by OPEXCLILM34.corporate.adroot.infra.ftgroup ([fe80::cba:56d0:a732:ef5a%19]) with mapi id 14.03.0248.002; Wed, 29 Jul 2015 14:38:52 +0200
From: mohamed.boucadair@orange.com
To: Philip Homburg <pch-v6ops-3@u-1.phicoh.com>
Thread-Topic: [v6ops] NAT64/DNS64 and DNSSEC
Thread-Index: AQHQyekc+iplqWA6RkKlEMa3/B/mHZ3yYmyQ
Date: Wed, 29 Jul 2015 12:38:51 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B933005370CE6@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
References: <alpine.DEB.2.02.1507230910190.11810@uplift.swm.pp.se> <55B09AE5.4040609@gmail.com> <2BBE839B-37FB-4EA2-982E-58028E7A13B6@nominum.com> <55B0F344.4090005@gmail.com> <ED7E283A-0430-4D4E-87A6-ED9FD8DFC6F4@nominum.com> <m1ZIYIw-0000EuC@stereo.hq.phicoh.net> <CAAedzxrWExsiyh4hhsfJTufuRVM_67f2tGWkHCLc9kiduTU0hg@mail.gmail.com> <88CAA5385EB5404392BF93106C8C53F89636B43DE3@HE111507.emea1.cds.t-internal.com> <55B8A596.80600@cesnet.cz> <m1ZKOZT-0000CeC@stereo.hq.phicoh.net>
In-Reply-To: <m1ZKOZT-0000CeC@stereo.hq.phicoh.net>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.168.234.3]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-PMX-Version: 6.2.1.2478543, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2015.7.29.120616
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/XyIoqj0YHyLbhO4DNd46gn_J70Q>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] NAT64/DNS64 and DNSSEC
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2015 12:38:56 -0000
Dear Philip,

FWIW, another solution is defined here: https://tools.ietf.org/html/rfc7225#section-3.

Cheers,
Med

> -----Original Message-----
> From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Philip Homburg
> Sent: Wednesday, 29 July 2015 12:27
> To: v6ops@ietf.org
> Subject: Re: [v6ops] NAT64/DNS64 and DNSSEC
>
> In your letter dated Wed, 29 Jul 2015 12:06:14 +0200 you wrote:
> >That is why there is a requirement in RFC7050 Section 3.1. to validate
> >network-specific NAT64 prefix using reverse and forward DNSSEC secured
> >queries. The only problem is that there is so far no way to seed the
> >list of trusted NSP domains. Instead of asking users "Do you want to
> >trust the network prefix dns64.example.org?", there could probably be
> >some matching with the domain name received by other means like DHCP or DNSSL.
> >
> >Of course, using the Well-known prefix is on the safe side, and should
> >be IMO used wherever applicable.
>
> It seems to me that Section 3.1 is very far from something that can be
> implemented in a practical way in a consumer device.
>
> I.e. if a user with a mobile device connects to a random network that
> employs NAT64, there is essentially no way for an ordinary user to verify
> if the prefix is valid or not.
>
> Now if there would be DHCPv6 and RA options for the prefix, there would be
> no need to discover the prefix using the DNS64 resolver and the problem
> would reduce to whether to trust DHCPv6 or RA. Which is already part of the
> security model (i.e. RA guard can protect users from each other).
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
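The two mechanisms the quoted exchange argues about, as an added worked example (editor's code, not code from this thread, from RFC 7050 or from RFC 7225): a host derives Pref64::/n from the AAAA records a DNS64 hands back for ipv4only.arpa, trying each RFC 6052 embedding position for the well-known IPv4 addresses, and then runs the Section 3.1 reverse-then-forward check that only succeeds if a list of trusted NSP domains has been seeded beforehand. DNS traffic is replaced by a constructed in-memory answer table so the example runs offline; the `ad` flag stands in for a validating resolver's DNSSEC result, and the AAAA matching rule of RFC 7050 is simplified to "an address inside the discovered prefix". The operator prefix 2001:db8:64::/96 and the names nat64.example.net / example.net are assumed for illustration.

```python
import ipaddress

# Well-known IPv4 addresses (WKAs) that ipv4only.arpa resolves to (RFC 7050).
WKAS = {ipaddress.IPv4Address("192.0.0.170"), ipaddress.IPv4Address("192.0.0.171")}
# Prefix lengths permitted for an IPv4-embedded IPv6 address (RFC 6052).
PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def embedded_ipv4(addr, plen):
    """Return the IPv4 address embedded at the RFC 6052 position for plen.
    For plen < 96 the IPv4 octets straddle the reserved 'u' octet (bits 64-71),
    which must be zero; None is returned when it is not."""
    b = addr.packed
    if plen == 96:
        return ipaddress.IPv4Address(b[12:16])
    if b[8] != 0:
        return None
    start = plen // 8                       # first IPv4 octet follows the prefix
    return ipaddress.IPv4Address(b[start:8] + b[9:9 + 4 - (8 - start)])


def synthesize(prefix, ipv4):
    """Embed ipv4 into prefix (an IPv6Network) per RFC 6052; inverse of embedded_ipv4."""
    p = bytearray(prefix.network_address.packed)
    v4 = ipv4.packed
    if prefix.prefixlen == 96:
        p[12:16] = v4
    else:
        start = prefix.prefixlen // 8
        before_u = 8 - start                # octets that fit before the 'u' octet
        p[start:8] = v4[:before_u]
        p[8] = 0
        p[9:9 + 4 - before_u] = v4[before_u:]
    return ipaddress.IPv6Address(bytes(p))


def discover_pref64(aaaa_answers):
    """RFC 7050 Section 3: the Pref64::/n in which every AAAA answer for
    ipv4only.arpa embeds a WKA. This example requires one consistent prefix
    across all answers (its own choice) and returns an IPv6Network or None."""
    answers = [ipaddress.IPv6Address(a) for a in aaaa_answers]
    if not answers:
        return None
    for plen in PREFIX_LENGTHS:
        prefixes = set()
        for a in answers:
            if embedded_ipv4(a, plen) not in WKAS:
                break
            prefixes.add(ipaddress.IPv6Network((int(a), plen), strict=False))
        else:
            if len(prefixes) == 1:
                return prefixes.pop()
    return None


def validate_pref64(prefix, trusted_nsp_domains, resolver):
    """RFC 7050 Section 3.1 as a pure function over resolver(qname, qtype),
    which returns (rdata_list, ad) with ad True only for DNSSEC-validated data.
    PTR of the synthesized WKA address -> name under a trusted NSP domain ->
    validated AAAA for that name inside the prefix. Returns (ok, reason)."""
    synth = synthesize(prefix, ipaddress.IPv4Address("192.0.0.170"))
    names, ad = resolver(synth.reverse_pointer, "PTR")
    if not ad:
        return False, "PTR answer for synthesized address not DNSSEC-validated"
    if not names:
        return False, "no PTR record for synthesized address"
    trusted = [n for n in names
               if any(n == d or n.endswith("." + d) for d in trusted_nsp_domains)]
    if not trusted:
        return False, f"PTR name(s) {names} not under any trusted NSP domain"
    for name in trusted:
        addrs, ad = resolver(name, "AAAA")
        if not ad:
            return False, f"AAAA answer for {name} not DNSSEC-validated"
        if any(ipaddress.IPv6Address(a) in prefix for a in addrs):
            return True, f"prefix {prefix} confirmed via {name}"
    return False, "forward AAAA lookup does not land inside the prefix"


# Constructed offline "DNS" (assumed operator prefix and names, not real data).
NSP = ipaddress.IPv6Network("2001:db8:64::/96")
ANSWERS = {
    # DNS64-synthesized answers are never DNSSEC-validated: the thread's problem.
    ("ipv4only.arpa", "AAAA"): ([str(synthesize(NSP, w)) for w in sorted(WKAS)], False),
    (synthesize(NSP, ipaddress.IPv4Address("192.0.0.170")).reverse_pointer, "PTR"):
        (["nat64.example.net"], True),
    ("nat64.example.net", "AAAA"): (["2001:db8:64::1"], True),
}


def offline_resolver(qname, qtype):
    return ANSWERS.get((qname, qtype), ([], False))


def run_discovery(trusted_nsp_domains, resolver=offline_resolver):
    """Discover, then validate. Returns (prefix, validated, reason)."""
    aaaa, _ad = resolver("ipv4only.arpa", "AAAA")
    prefix = discover_pref64(aaaa)
    if prefix is None:
        return None, False, "no NAT64 prefix found in ipv4only.arpa answers"
    ok, reason = validate_pref64(prefix, trusted_nsp_domains, resolver)
    return prefix, ok, reason


if __name__ == "__main__":
    print(run_discovery(["example.net"]))   # seeded trust list: validated
    print(run_discovery([]))                # unseeded: discovery works, validation cannot
```

Running it shows the asymmetry under discussion: discovery itself needs no trust anchor, while the validation step fails closed the moment the trusted NSP domain list is empty, which is exactly the seeding problem on a device joining an unknown network.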
- [v6ops] NAT64/DNS64 and DNSSEC Mikael Abrahamsson
- Re: [v6ops] NAT64/DNS64 and DNSSEC Brian E Carpenter
- Re: [v6ops] NAT64/DNS64 and DNSSEC Mikael Abrahamsson
- Re: [v6ops] NAT64/DNS64 and DNSSEC Heatley, Nick
- Re: [v6ops] NAT64/DNS64 and DNSSEC Philip Homburg
- Re: [v6ops] NAT64/DNS64 and DNSSEC Czerwonka Michał 1 - Hurt
- Re: [v6ops] NAT64/DNS64 and DNSSEC Ted Lemon
- Re: [v6ops] NAT64/DNS64 and DNSSEC Brian E Carpenter
- Re: [v6ops] NAT64/DNS64 and DNSSEC Ted Lemon
- Re: [v6ops] NAT64/DNS64 and DNSSEC Philip Homburg
- Re: [v6ops] NAT64/DNS64 and DNSSEC Erik Kline
- Re: [v6ops] NAT64/DNS64 and DNSSEC Philip Homburg
- Re: [v6ops] NAT64/DNS64 and DNSSEC Heatley, Nick
- Re: [v6ops] NAT64/DNS64 and DNSSEC holger.metschulat
- Re: [v6ops] NAT64/DNS64 and DNSSEC Philip Homburg
- Re: [v6ops] NAT64/DNS64 and DNSSEC Ca By
- Re: [v6ops] NAT64/DNS64 and DNSSEC Fred Baker (fred)
- Re: [v6ops] NAT64/DNS64 and DNSSEC Philip Homburg
- Re: [v6ops] NAT64/DNS64 and DNSSEC Ondřej Caletka
- Re: [v6ops] NAT64/DNS64 and DNSSEC Philip Homburg
- Re: [v6ops] NAT64/DNS64 and DNSSEC mohamed.boucadair
- Re: [v6ops] NAT64/DNS64 and DNSSEC Philip Homburg
- Re: [v6ops] NAT64/DNS64 and DNSSEC Czerwonka Michał 1 - Hurt
- Re: [v6ops] NAT64/DNS64 and DNSSEC Erik Kline
- Re: [v6ops] NAT64/DNS64 and DNSSEC Ted Lemon
- Re: [v6ops] NAT64/DNS64 and DNSSEC Ted Lemon
- Re: [v6ops] NAT64/DNS64 and DNSSEC Philip Homburg
- Re: [v6ops] NAT64/DNS64 and DNSSEC Philip Homburg
- Re: [v6ops] NAT64/DNS64 and DNSSEC Gert Doering
- Re: [v6ops] NAT64/DNS64 and DNSSEC Philip Homburg