Re: [v6ops] 464xlat case study (was reclassify 464XLAT as standard instead of info)

Mark Andrews <marka@isc.org> Thu, 28 September 2017 07:41 UTC

To: Mikael Abrahamsson <swmike@swm.pp.se>
Cc: Lorenzo Colitti <lorenzo@google.com>, "Heatley, N, Nick, TQB R" <nick.heatley@bt.com>, IPv6 Ops WG <v6ops@ietf.org>, james woodyatt <jhw@google.com>
From: Mark Andrews <marka@isc.org>
References: <LO1P123MB01168388285206BB7C26F029EA7A0@LO1P123MB0116.GBRP123.PROD.OUTLOOK.COM> <46045DAA-9096-43BA-A5FD-571232767726@google.com> <CAKD1Yr3vziaHfkR+hQ7QHXaz7QraKH2HLUVXUW63GpnOAj4JoQ@mail.gmail.com> <E72C3FBE-57A4-4058-B9E5-F7392C9E9101@google.com> <LO1P123MB0116805F9A18932E2D0694FEEA780@LO1P123MB0116.GBRP123.PROD.OUTLOOK.COM> <1496304E-54BE-47FA-A7F1-1AA6E163DAB1@employees.org> <CAD6AjGQdMFgv4727wHm41HmEyo2Z-PCabPHPSRSVwOi_rey7OQ@mail.gmail.com> <CAKD1Yr03zsuSBqPegs6RNbBqnJizUOLZwH+rNDi1Ocg4k+mARQ@mail.gmail.com> <20170928030630.DD2D08867238@rock.dv.isc.org> <alpine.DEB.2.20.1709280753080.18564@uplift.swm.pp.se>
In-reply-to: Your message of "Thu, 28 Sep 2017 07:57:06 +0200." <alpine.DEB.2.20.1709280753080.18564@uplift.swm.pp.se>
Date: Thu, 28 Sep 2017 17:41:05 +1000
Message-Id: <20170928074105.BCB99886E538@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/hAFOIPGyfSj-aT7nVOKtVW0McPk>
Subject: Re: [v6ops] 464xlat case study (was reclassify 464XLAT as standard instead of info)

In message <alpine.DEB.2.20.1709280753080.18564@uplift.swm.pp.se>, Mikael Abrahamsson writes:
> So while I sympathize your "breaks DNSSEC" objection, 464XLAT actually 
> doesn't do that. DNS64 does. If all devices had 464XLAT then you wouldn't 
> have to do DNS64 (apart from the well-known "prefix detection" zones).

You do know that RFC 7050 doesn't work with DNSSEC validation enabled.
RFC 7050 specifies CD=0.

    ipv4only.arpa/AAAA (CD=0) -> validating recursive server 
			         (or local validating cache)
    ipv4only.arpa/AAAA (CD=0) -> DNS64 server
    ipv4only.arpa/AAAA ANCOUNT>0 -> validating recursive server
			        (or local validating cache)

                rejected as ipv4only.arpa is signed.

    SERVFAIL -> client

Let's try with CD=1

    ipv4only.arpa/AAAA (CD=1) -> validating recursive server 
			         (or local validating cache)
    ipv4only.arpa/AAAA (CD=1) -> DNS64 server (no synthesis as CD=1)
    ipv4only.arpa/AAAA ANCOUNT=0 -> validating recursive server
			            (or local validating cache)
    ipv4only.arpa/AAAA ANCOUNT=0 -> client (no prefixes found)

To get it to work the validating recursive server has to detect
that prefix discovery is occurring, perform its own prefix discovery,
and synthesise a prefix discovery response.

So yes, 464XLAT does require DNSSEC to be broken.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
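The three exchanges Mark traces above (CD=0, CD=1, and a validating resolver that does its own prefix discovery), as an added example that is not part of the thread or of any ISC code. It is a constructed in-memory model: the DNS "messages" carry only RCODE, answer count and AD, there is no wire format or network, and the behaviour of the "fixed" resolver (recognise an ipv4only.arpa/AAAA query, learn the prefix itself, hand back an unsigned synthesised answer) is this example's reading of Mark's proposal, not an implementation anyone has shipped. The RFC 6052 embedding and the RFC 7050 prefix extraction are real and work for all six prefix lengths, not just /96.

```python
"""Model of RFC 7050 prefix discovery behind a DNSSEC-validating resolver.

Added example; not from the thread.  Messages are a constructed in-memory
model (no wire format, no network): only the fields the argument turns on.
"""
import ipaddress
from dataclasses import dataclass, field

IPV4ONLY = "ipv4only.arpa."
# RFC 7050 well-known IPv4 addresses published as A records in ipv4only.arpa
WKA = (ipaddress.IPv4Address("192.0.0.170"), ipaddress.IPv4Address("192.0.0.171"))
# RFC 6052 section 2.2: byte offsets of the embedded IPv4 address for each
# permitted prefix length.  Byte 8 (the "u" octet) is always skipped.
EMBED = {96: (12, 13, 14, 15), 64: (9, 10, 11, 12), 56: (7, 9, 10, 11),
         48: (6, 7, 9, 10), 40: (5, 6, 7, 9), 32: (4, 5, 6, 7)}


def embed(prefix, v4):
    """IPv4-embedded IPv6 address (RFC 6052) for a /32../96 NAT64 prefix."""
    prefix, v4 = ipaddress.IPv6Network(prefix), ipaddress.IPv4Address(v4)
    b = bytearray(prefix.network_address.packed)
    for pos, octet in zip(EMBED[prefix.prefixlen], v4.packed):
        b[pos] = octet
    b[8] = 0  # the u octet MUST be zero
    return ipaddress.IPv6Address(bytes(b))


def discover_prefix(aaaa):
    """RFC 7050 section 3: find the length at which a WKA is embedded in the
    AAAA and return the NAT64 prefix, or None if no WKA is found.  Lengths
    are tried longest first (the ordering is this example's choice)."""
    b = ipaddress.IPv6Address(aaaa).packed
    for plen, positions in EMBED.items():
        if ipaddress.IPv4Address(bytes(b[p] for p in positions)) in WKA:
            return ipaddress.IPv6Network((b, plen), strict=False)
    return None


@dataclass
class Response:
    rcode: str                                   # "NOERROR" or "SERVFAIL"
    answers: list = field(default_factory=list)  # AAAA RRs; ANCOUNT == len()
    ad: bool = False                             # Authenticated Data flag


class Dns64Server:
    """DNS64 (RFC 6147) recursive server.  ipv4only.arpa is signed and has A
    records only, so a signed denial of AAAA exists; DNS64 synthesises over it."""
    def __init__(self, pref64):
        self.pref64 = ipaddress.IPv6Network(pref64)

    def query(self, name, qtype, cd):
        if (name, qtype) != (IPV4ONLY, "AAAA"):
            return Response("NOERROR")
        if cd:  # RFC 6147 section 5.5: no synthesis when CD=1 is set
            return Response("NOERROR", answers=[])  # the real, signed, empty answer
        return Response("NOERROR", answers=[embed(self.pref64, a) for a in WKA])


class ValidatingResolver:
    """Validating recursive server (or local validating cache) forwarding to a
    DNS64.  local_discovery=True models Mark's proposal (an assumption of this
    example): spot a prefix-discovery query, discover the prefix itself, and
    synthesise an unsigned (AD=0) answer for the client."""
    def __init__(self, upstream, local_discovery=False):
        self.upstream, self.local_discovery = upstream, local_discovery

    def query(self, name, qtype, cd):
        if self.local_discovery and (name, qtype) == (IPV4ONLY, "AAAA"):
            probe = self.upstream.query(name, qtype, cd=False)  # learn the prefix
            prefixes = [p for p in map(discover_prefix, probe.answers) if p]
            if not prefixes:
                return Response("NOERROR", answers=[])
            return Response("NOERROR", [embed(prefixes[0], a) for a in WKA], ad=False)
        resp = self.upstream.query(name, qtype, cd)
        if cd:  # CD=1: pass the unvalidated answer straight through
            return resp
        # ipv4only.arpa is signed and has no AAAA: the signed denial of
        # existence proves any AAAA answer is forged, so validation fails.
        if (name, qtype) == (IPV4ONLY, "AAAA") and resp.answers:
            return Response("SERVFAIL")
        return Response(resp.rcode, resp.answers, ad=True)


def client_discovery(resolver, cd):
    """RFC 7050 host: ask for ipv4only.arpa/AAAA and extract the prefix.
    Returns (outcome, prefix-as-string-or-None)."""
    resp = resolver.query(IPV4ONLY, "AAAA", cd)
    if resp.rcode != "NOERROR":
        return resp.rcode, None
    for pref in map(discover_prefix, resp.answers):
        if pref:
            return "PREFIX", str(pref)
    return "NO_PREFIX", None


def scenarios(pref64="64:ff9b::/96"):
    """The three exchanges from the message: CD=0, CD=1, and the fixed resolver."""
    dns64 = Dns64Server(pref64)
    return (client_discovery(ValidatingResolver(dns64), cd=False),
            client_discovery(ValidatingResolver(dns64), cd=True),
            client_discovery(ValidatingResolver(dns64, local_discovery=True), cd=False))


if __name__ == "__main__":
    for label, result in zip(("CD=0", "CD=1", "CD=0, local discovery"), scenarios()):
        print(f"{label:24} -> {result}")
```

Running it prints SERVFAIL for the CD=0 path, NO_PREFIX for the CD=1 path, and the learned prefix only when the validating resolver itself takes part in discovery; note that in that last case the answer the host receives carries AD=0, which is the sense in which the prefix discovery result is never DNSSEC-validated.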