[v6ops] Re: DNS64 and DNSSEC -- Re: Re: IPv6-only Terminology Definition (coming back)
András Gerendás <andras.gerendas@gmail.com> Wed, 04 March 2026 12:35 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/nO9xeiFaTHOG24EAzEzclSBDRNY>
Hi Jordi,

"Interesting. Could you or your student describe the mechanism behind this?"

As you mention as well, there are some corner cases regarding the validation. I have created different behaviors of my program based on these, which are captured in boolean flags in the configuration.

- enforce_dnssec (true/false) - DNSSEC validation is performed even if the program didn't receive an OPT record from the client with a DO bit set in it (to ensure validation happens for non-DNSSEC-aware clients)
- remove_dnssec_rrs (true/false) - DNSSEC-related RRs are removed from responses containing synthesized records even if the client has the DO bit set (to avoid clients which validate the response even if the CD bit is not active)
- validate_dnssec (true/false) - DNSSEC validation takes place (without this setting the other two flags are ignored and the program behaves as if it didn't know about DNSSEC)

Out of these, "remove_dnssec_rrs" was created for the scenario when the validation would fail as the client would think that it's a forged record (DNSSEC-validating, but DNS64-oblivious client). The program behaves as if the domain wouldn't have DNSSEC support at all. The behavior of the observed clients in this case is to allow the domain. Naturally this doesn't work if only DNSSEC-aware domains are allowed; in that case a DNS64-aware client, which is aware of the used prefix, is needed.

- Having only the enforcement can be used in an environment with non-DNSSEC-aware clients.
- Having only the removal can be used in environments where the clients are aggressively validating DNSSEC.
- Having the first two options enabled caters for an environment with both types of clients.

The removal case needs a secure channel and a trusted relationship between the client and the server.

With Regards,
András
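The flag logic described in the message above, sketched as an added example; this is not András's program. The `Config`, `plan` and `shape_response` names are hypothetical, the sample response is constructed, and the rule that validation follows the client's DO bit when `enforce_dnssec` is off is an assumption read from the flag descriptions.

```python
from dataclasses import dataclass

# RR types that carry DNSSEC data (RFC 4034, RFC 5155).
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY", "DS"}

@dataclass(frozen=True)
class Config:
    """The three boolean flags named in the message."""
    validate_dnssec: bool
    enforce_dnssec: bool
    remove_dnssec_rrs: bool

def plan(cfg, client_do, synthesized):
    """Return (validate, strip) for one query. Hypothetical helper."""
    if not cfg.validate_dnssec:
        # Master switch off: the other two flags are ignored.
        return (False, False)
    # Assumption: without enforce_dnssec, validation follows the client's DO bit.
    validate = client_do or cfg.enforce_dnssec
    # Removal applies only to responses that contain synthesized records.
    strip = cfg.remove_dnssec_rrs and synthesized
    return (validate, strip)

def shape_response(cfg, client_do, synthesized, rrs):
    """Apply plan() to a response given as (name, type, rdata) tuples."""
    validate, strip = plan(cfg, client_do, synthesized)
    if strip or not client_do:
        # A client that did not set DO gets no DNSSEC RRs in any case (RFC 4035).
        rrs = [rr for rr in rrs if rr[1] not in DNSSEC_TYPES]
    return validate, rrs

# Constructed sample: an AAAA synthesized from 192.0.2.1 with the RFC 6052
# well-known prefix, plus a placeholder signature record.
SAMPLE = [
    ("www.example.", "AAAA", "64:ff9b::c000:201"),
    ("www.example.", "RRSIG", "(constructed placeholder)"),
]

if __name__ == "__main__":
    environments = {  # the three deployments listed in the message
        "enforcement only": Config(True, True, False),
        "removal only": Config(True, False, True),
        "both": Config(True, True, True),
    }
    for name, cfg in environments.items():
        for do in (False, True):
            validate, rrs = shape_response(cfg, do, True, SAMPLE)
            print(f"{name:16} DO={int(do)} validate={validate} "
                  f"types={[rr[1] for rr in rrs]}")
```

Running it prints, for each of the three deployments, whether a DO and a non-DO client get validation and which record types remain in a synthesized response.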