Re: [v6ops] NAT64/DNS64 and DNSSEC

Philip Homburg <pch-v6ops-3@u-1.phicoh.com> Fri, 24 July 2015 08:26 UTC

Message-Id: <m1ZIYIw-0000EuC@stereo.hq.phicoh.net>
To: v6ops@ietf.org
From: Philip Homburg <pch-v6ops-3@u-1.phicoh.com>
Sender: pch-bBB316E3E@u-1.phicoh.com
References: <alpine.DEB.2.02.1507230910190.11810@uplift.swm.pp.se> <55B09AE5.4040609@gmail.com> <2BBE839B-37FB-4EA2-982E-58028E7A13B6@nominum.com> <55B0F344.4090005@gmail.com> <ED7E283A-0430-4D4E-87A6-ED9FD8DFC6F4@nominum.com>
In-reply-to: Your message of "Thu, 23 Jul 2015 10:05:40 -0400 ." <ED7E283A-0430-4D4E-87A6-ED9FD8DFC6F4@nominum.com>
Date: Fri, 24 Jul 2015 10:26:06 +0200
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/wJf6h8CNTqWsi6jTMti4qCcBITU>
Subject: Re: [v6ops] NAT64/DNS64 and DNSSEC

Based on the discussion after Stuart's presentation about IPv6 at Apple.

Assuming NAT64 without 464XLAT, assuming we want local DNSSEC validation.

The way to make it work would be 'bump-in-the-api'.

One way of doing that, that comes to mind, is to have the DNS resolver bypass
any DNS64 by setting the CD bit and then, after validation, at the request
of the application synthesize AAAA records from A records based on the
NAT64 prefix.

I guess this is easy enough to add to, for example, getdns
(https://getdnsapi.net/). One question is how an application would find out
that it is running in a DNS64 environment. Another option is for getdns to
do the probing and enable this option automatically.
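The three mechanisms the post sketches, as an added example that is not part of the original message and not getdns code: a query carrying CD=1 plus DO=1 so a DNS64 (per RFC 6147 section 5.5) returns the unmodified, validatable answer; RFC 7050 style probing of ipv4only.arpa to learn whether a DNS64 is present and what its NAT64 prefix is; and RFC 6052 synthesis of the AAAA record locally from a validated A record. Standard library only. The prefix 2001:db8:0:64::/64, the ipv4only.arpa answer and all function names are constructed for the illustration.

```python
"""Pieces of a 'bump-in-the-API' stub for NAT64 networks (standard library only).

Added example, not code from the post or from getdns.  Three mechanisms:
  1. build_query():     a DNS query with CD=1 in the header and DO=1 in an EDNS0
                        OPT record; RFC 6147 section 5.5 has a DNS64 hand back the
                        unmodified answer for such queries, so the stub can
                        validate the real RRsets itself.
  2. discover_prefix(): RFC 7050 NAT64 prefix discovery from the AAAA answer a
                        DNS64 gives for ipv4only.arpa (the answer here is constructed).
  3. synthesize_aaaa(): RFC 6052 embedding of an IPv4 address in that prefix,
                        done locally after validation instead of by the DNS64.
"""
import ipaddress
import struct

QTYPE_AAAA = 28
QTYPE_OPT = 41
FLAG_RD = 0x0100          # recursion desired
FLAG_CD = 0x0010          # checking disabled: "give me the data, I validate"
EDNS_DO = 0x8000          # DNSSEC OK, top bit of the OPT record's TTL field
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
# RFC 7050 well-known addresses behind ipv4only.arpa
IPV4ONLY_ARPA = {ipaddress.IPv4Address("192.0.0.170"),
                 ipaddress.IPv4Address("192.0.0.171")}


def build_query(qname, qtype=QTYPE_AAAA, txid=0x1234):
    """Wire-format query with RD+CD in the header and an OPT RR with DO set."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_CD, 1, 0, 0, 1)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root name, type 41, "class" = UDP payload size,
    # "TTL" = extended rcode | version | flags (DO is the top flag bit), no rdata.
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def header_flags(packet):
    """The 16-bit flags word of a DNS message."""
    return struct.unpack("!H", packet[2:4])[0]


def edns_do_set(packet):
    """True if the trailing OPT record carries DO=1."""
    rtype, _payload, ttl, rdlen = struct.unpack("!HHIH", packet[-10:])
    return rtype == QTYPE_OPT and rdlen == 0 and bool(ttl & EDNS_DO)


def _v4_positions(plen):
    """Octet indices holding the embedded IPv4 address for a prefix length
    (RFC 6052 section 2.2); octet 8, the 'u' octet, is always skipped."""
    idx, i = [], plen // 8
    while len(idx) < 4:
        if i != 8:
            idx.append(i)
        i += 1
    return idx


def synthesize_aaaa(prefix, v4):
    """Embed an IPv4 address in a NAT64 prefix; returns an IPv6Address."""
    net = ipaddress.IPv6Network(str(prefix), strict=False)
    if net.prefixlen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError("RFC 6052 prefix length must be one of %r"
                         % (RFC6052_PREFIX_LENGTHS,))
    out = bytearray(net.network_address.packed)
    for pos, byte in zip(_v4_positions(net.prefixlen),
                         ipaddress.IPv4Address(v4).packed):
        out[pos] = byte
    return ipaddress.IPv6Address(bytes(out))


def extract_ipv4(plen, v6):
    """Inverse of synthesize_aaaa for a known prefix length."""
    packed = ipaddress.IPv6Address(v6).packed
    return ipaddress.IPv4Address(bytes(packed[i] for i in _v4_positions(plen)))


def discover_prefix(ipv4only_arpa_aaaa):
    """RFC 7050: a DNS64 is present if the AAAA answer for ipv4only.arpa holds
    192.0.0.170/171 at one of the RFC 6052 positions; return that prefix."""
    for addr in ipv4only_arpa_aaaa:
        v6 = ipaddress.IPv6Address(addr)
        for plen in RFC6052_PREFIX_LENGTHS:
            if plen < 96 and v6.packed[8] != 0:
                continue  # the u octet must be zero in every non-/96 format
            if extract_ipv4(plen, v6) in IPV4ONLY_ARPA:
                return ipaddress.IPv6Network((str(v6), plen), strict=False)
    return None  # no DNS64 in the path: nothing to synthesize


if __name__ == "__main__":
    # Constructed DNS64 answer for ipv4only.arpa behind an operator prefix.
    prefix = discover_prefix(["2001:db8:0:64:c0:0:aa00:0"])
    print("NAT64 prefix:", prefix)
    # After validating the A record ourselves, synthesize the AAAA locally.
    print(synthesize_aaaa(prefix, "198.51.100.7"))
    print(synthesize_aaaa("64:ff9b::/96", "198.51.100.7"))
    print(hex(header_flags(build_query("ipv4only.arpa"))))
```

The order of checks in discover_prefix matters only for malformed answers; for a correctly formed RFC 6052 address the well-known IPv4 appears at exactly one prefix length, and the u-octet check rules out the shorter formats when a /96 prefix is in use. Real deployments should probe both ipv4only.arpa addresses and, as RFC 7050 notes, validate the DNS64's prefix where the operator publishes it under DNSSEC, since the probe itself cannot be validated.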