Re: [v6ops] NAT64/DNS64 and DNSSEC

Ted Lemon <ted.lemon@nominum.com> Thu, 23 July 2015 14:05 UTC

On Jul 23, 2015, at 9:59 AM, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
> No, afaik it doesn't exist. I'm not certain that it needs to exist, though.
> Would it specify anything that isn't already specified?

A document that says how to implement a DNSSEC stub resolver and talks about all the cases you need to handle might be useful, but probably ought to be written as part of an implementation exercise with testing and a list of the applicable use cases (the types of networks you might connect to) to inform it.

> The code needs to exist.

Yes. However, I am not convinced that it would be obvious to an implementor who hasn’t been through the transition mechanism wars what set of behaviors to implement in order to fully support it.