Re: [v6ops] draft-byrne-v6ops-dnssecaaaa
Lee Howard <lee@asgard.org> Wed, 05 September 2018 20:34 UTC
Return-Path: <lee@asgard.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C194130DC9 for <v6ops@ietfa.amsl.com>; Wed, 5 Sep 2018 13:34:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.234
X-Spam-Level:
X-Spam-Status: No, score=-1.234 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FkmSZ_79tLSH for <v6ops@ietfa.amsl.com>; Wed, 5 Sep 2018 13:34:25 -0700 (PDT)
Received: from atl4mhob04.registeredsite.com (atl4mhob04.registeredsite.com [209.17.115.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB883130DC7 for <v6ops@ietf.org>; Wed, 5 Sep 2018 13:34:24 -0700 (PDT)
Received: from mailpod.hostingplatform.com (atl4qobmail03pod6.registeredsite.com [10.30.71.211]) by atl4mhob04.registeredsite.com (8.14.4/8.14.4) with ESMTP id w85KYLRG031124 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for <v6ops@ietf.org>; Wed, 5 Sep 2018 16:34:21 -0400
Received: (qmail 32124 invoked by uid 0); 5 Sep 2018 20:34:21 -0000
X-TCPREMOTEIP: 174.64.33.182
X-Authenticated-UID: lee@asgard.org
Received: from unknown (HELO ?192.168.2.103?) (lee@asgard.org@174.64.33.182) by 0 with ESMTPA; 5 Sep 2018 20:34:21 -0000
To: v6ops@ietf.org
References: <CO1PR05MB443E35E7AC7D4B8EF0CE463AE020@CO1PR05MB443.namprd05.prod.outlook.com>
From: Lee Howard <lee@asgard.org>
Message-ID: <a82ff425-5f15-e0d7-50ae-3f72137f73d3@asgard.org>
Date: Wed, 05 Sep 2018 16:34:20 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <CO1PR05MB443E35E7AC7D4B8EF0CE463AE020@CO1PR05MB443.namprd05.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------7CF2C3AF40E1321BCEEF3218"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/hJbpJn1We_k-63UC3FPbv_OCXDg>
Subject: Re: [v6ops] draft-byrne-v6ops-dnssecaaaa
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Sep 2018 20:34:28 -0000
I think this document should be BCP, not Informational. Section 2 s/mechanism/mechanisms in the first instance in the first sentence. How is HEv2 a transition mechanism? I'd rephrase to say, "DNS64 is a key part of widely deployed IPv6-only transition mechanisms, including several large 464xlat [RFC6877] deployments, and all NAT64 deployments." I think that clarifies that we're talking about specific deployments here. Since the discussion of DNSSEC in RFC6147 is so brief, I think it's worth discussing here, so the explanation of why it is an insufficient workaround is sufficient. I'd like to replace the last sentence of section 2 with a new paragraph: RFC6147 ("DNSSEC") outlines how validation may occur in the presence of DNSSEC: An existing DNSSEC validator (i.e., one that is unaware of DNS64) might reject all the data that comes from DNS64 as having been tampered with (even if it did not set CD when querying). If it is necessary to have validation behind the DNS64, then the validator must know how to perform the DNS64 function itself. Alternatively, the validating host may establish a trusted connection with a DNS64, and allow the DNS64 recursive resolver to do all validation on its behalf. [RFC6147 - DNS64] However, the domain administrator has no control over the client doing the validating, and clients (or their validating resolvers) cannot be expected to know about the presence of DNS64 a priori. Clients who might trust an authoritative name server for some content may not be as trusting of their carrier's DNS64 server. Section 3 s/to changes/to change s/not recommend/not recommended To soften the blow, I'd suggest adding a sentence, after "in tandem." "The IPv6 deployment may be as light weight as a translator, such as SIIT-DC [RFC7755]." There's more I'd add to the document, and it's the "So what?" For instance, in Security Considerations: "If clients trust RRs that fail validation (because they were invented by an DNS64 server), there is increased risk that they will trust other RRs that fail validation. Further, a compromised or hostile man-in-the-middle DNS64 server will be undetected, despite DNSSEC signing." In Section 2, I admit I don't know what a client actually sees, if anything. Do browsers or other applications warn that a name failed validation? I'm sure I can test it tomorrow. I don't know how to inform users or their content providers that "This record cannot be guaranteed to be accurate, since it failed DNS Security validation. It appears to be a synthetic record, since the name only has an IPv4 record." Even though my comments are longer than the draft, I like this effort, and wish I had initiated it. Lee On 09/05/2018 11:28 AM, Ron Bonica wrote: > Folks, > > Each week between now and IETF 103, we will review and discuss one draft with an eye towards progressing it. > > This week, please review and comment on draft-byrne-v6ops-dnssecaaaa. > > Fred and Ron > > _______________________________________________ > v6ops mailing list > v6ops@ietf.org > https://www.ietf.org/mailman/listinfo/v6ops
- [v6ops] draft-byrne-v6ops-dnssecaaaa Ron Bonica
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Lencse Gábor
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ca By
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ole Troan
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Lee Howard
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ca By
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Erik Nygren
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa David Farmer
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa JORDI PALET MARTINEZ
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Lee Howard
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Mark Andrews
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Fred Baker
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Lee Howard
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ole Troan
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ca By
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Lee Howard
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Lee Howard
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ca By
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ole Troan
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Lee Howard
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ole Troan
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Gert Doering
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Kristian McColm
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Lee Howard
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Adam Roach
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ole Troan
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Kristian McColm
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ole Troan
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ca By
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Mark Andrews
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Mark Andrews
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Fred Baker
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Lencse Gábor
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Mark Andrews
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Mark Andrews
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Lee Howard
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Mark Andrews
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Mark Andrews
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ca By
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Mark Andrews
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ole Troan
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ca By
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Lee Howard
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Ca By
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Fred Baker
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa David Farmer
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa Fred Baker
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa David Farmer
- Re: [v6ops] draft-byrne-v6ops-dnssecaaaa David Farmer