Re: [v6ops] NAT64/DNS64 and DNSSEC

Philip Homburg <pch-v6ops-3@u-1.phicoh.com> Fri, 24 July 2015 08:26 UTC

Return-Path: <pch-bBB316E3E@u-1.phicoh.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C16641A0091 for <v6ops@ietfa.amsl.com>; Fri, 24 Jul 2015 01:26:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YV2f0xvYautW for <v6ops@ietfa.amsl.com>; Fri, 24 Jul 2015 01:26:08 -0700 (PDT)
Received: from stereo.hq.phicoh.net (stereo.hq.phicoh.net [130.37.15.35]) by ietfa.amsl.com (Postfix) with ESMTP id B18CC1A00EF for <v6ops@ietf.org>; Fri, 24 Jul 2015 01:26:07 -0700 (PDT)
Received: from stereo.hq.phicoh.net (localhost [::ffff:127.0.0.1]) by stereo.hq.phicoh.net with esmtp (Smail #91) id m1ZIYIw-0000EuC; Fri, 24 Jul 2015 10:26:06 +0200
Message-Id: <m1ZIYIw-0000EuC@stereo.hq.phicoh.net>
To: v6ops@ietf.org
From: Philip Homburg <pch-v6ops-3@u-1.phicoh.com>
Sender: pch-bBB316E3E@u-1.phicoh.com
References: <alpine.DEB.2.02.1507230910190.11810@uplift.swm.pp.se> <55B09AE5.4040609@gmail.com> <2BBE839B-37FB-4EA2-982E-58028E7A13B6@nominum.com> <55B0F344.4090005@gmail.com> <ED7E283A-0430-4D4E-87A6-ED9FD8DFC6F4@nominum.com>
In-reply-to: Your message of "Thu, 23 Jul 2015 10:05:40 -0400 ." <ED7E283A-0430-4D4E-87A6-ED9FD8DFC6F4@nominum.com>
Date: Fri, 24 Jul 2015 10:26:06 +0200
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/wJf6h8CNTqWsi6jTMti4qCcBITU>
Subject: Re: [v6ops] NAT64/DNS64 and DNSSEC
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jul 2015 08:26:10 -0000

Based on the discussion after Stuart's presenation about IPv6 at Apple.

Assuming NAT64 without 464XLAT, assuming we want local DNSSEC validation.

The way to make it work would be 'bump-in-the-api'. 

One way of doing that, the comes it mind is to have the DNS resolver bypass
any DNS64 by setting the CD bit and then after validation, at the request
of the application synthesize AAAA records from A records based on the
NAT64 prefix.

I guess this is easy enough to add to for example getdns
(https://getdnsapi.net/). One question is how an application would find out
that it is running in a DNS64 environment. Another option is for getdns to
do the probing and enable this option automatically.