From nobody Wed Feb 22 04:23:49 2017 Return-Path: X-Original-To: sunset4@ietfa.amsl.com Delivered-To: sunset4@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9458012979D for ; Wed, 22 Feb 2017 04:23:47 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.788 X-Spam-Level: X-Spam-Status: No, score=-3.788 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-1.887, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4xp5o_jCLK0F for ; Wed, 22 Feb 2017 04:23:46 -0800 (PST) Received: from mail1.bemta5.messagelabs.com (mail1.bemta5.messagelabs.com [195.245.231.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE8E9129781 for ; Wed, 22 Feb 2017 04:23:45 -0800 (PST) Received: from [85.158.139.211] by server-1.bemta-5.messagelabs.com id 5B/A3-23102-FC28DA85; Wed, 22 Feb 2017 12:23:43 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrHIsWRWlGSWpSXmKPExsUy9d9HH93zTWs jDC5+kbBYuWc/uwOjx5IlP5kCGKNYM/OS8isSWDMOPostOK1ecbMts4Fxh3IXIxeHkMAWRomn r5azQTgHGCWWHvrIDOGcYpSYPX0lexcjJwebgK5E+6xVzCC2iICmxMdpf9hAbGEBKYl/2/6xQ 8TlJf7f7mSFsPUklmydBxZnEVCVONDxBMzmFQiV2HLrC5jNKCAr8aVxNdhMZgFxiVtP5jOB2B ICAhJL9pxnhrBFJV4+/scKYStIXFrUxQpRnyfxcvV+JoiZghInZz5hmcAoOAvJqFlIymYhKYO I60gs2P2JDcLWlli28DUzjH3mwGMmZPEFjOyrGDWKU4vKUot0DU30kooy0zNKchMzc3QNDUz1 clOLixPTU3MSk4r1kvNzNzEC44IBCHYwnj3teYhRkoNJSZT3YfbaCCG+pPyUyozE4oz4otKc1 OJDjDIcHEoSvL8bgHKCRanpqRVpmTnACIVJS3DwKInwVoKkeYsLEnOLM9MhUqcYdTkO3L3ykk mIJS8/L1VKnHdDI1CRAEhRRmke3AhYsrjEKCslzMsIdJQQT0FqUW5mCar8K0ZxDkYlYd7LIKt 4MvNK4Da9AjqCCegIS2ewI0oSEVJSDYxeUTEbtvkfvOt6wsAqrOoIu9ycKYKznz19tlXi3joJ zSbFpBgZezVJmeO2fotUX11n+suQkMcZYrpi8YpZVXf37PgqqmI6afrTw9d3aT55ylylI2SUd MPk6qzpf7Xa/B9v3dj6dZtt4o4LXpt0bmcErDDTWqso1s/YuMJNgM1uyRvpwE6VR/ZKLMUZiY ZazEXFiQCvt4ISEQMAAA== X-Env-Sender: nick.heatley@ee.co.uk X-Msg-Ref: server-14.tower-206.messagelabs.com!1487766223!47331265!1 X-Originating-IP: [149.254.241.76] X-StarScan-Received: X-StarScan-Version: 9.2.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 27111 invoked from network); 22 Feb 2017 12:23:43 -0000 Received: from unknown (HELO smtpml01.ee.co.uk) (149.254.241.76) by server-14.tower-206.messagelabs.com with DHE-RSA-AES256-GCM-SHA384 encrypted SMTP; 22 Feb 2017 12:23:43 -0000 Received: from EEUKWV0940.EEAD.EEINT.CO.UK (Not Verified[10.246.209.217]) by smtpml01.ee.co.uk with Trustwave SEG (v7, 5, 6, 8438) id ; Wed, 22 Feb 2017 12:23:38 +0000 Received: from UK31S005EXS02.EEAD.EEINT.CO.UK (Not Verified[10.246.208.27]) by EEUKWV0940.EEAD.EEINT.CO.UK with Trustwave SEG (v7, 3, 6, 7949) id ; Wed, 22 Feb 2017 12:23:41 +0000 Received: from UK30S005EXS06.EEAD.EEINT.CO.UK ([fe80::314c:b96c:4a9a:8a79]) by UK31S005EXS02.EEAD.EEINT.CO.UK ([2002:1ef6:d01b::1ef6:d01b]) with mapi id 14.03.0279.002; Wed, 22 Feb 2017 12:23:41 +0000 From: "Heatley, Nick" To: "sunset4@ietf.org" Thread-Topic: future of dnssec? Thread-Index: AdKNBnRIe2inw1ZcRtC42Vzko3pn/g== Date: Wed, 22 Feb 2017 12:23:40 +0000 Message-ID: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> Accept-Language: en-GB, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.246.208.5] Content-Type: multipart/alternative; boundary="_000_6536E263028723489CCD5B6821D4B21334D566F0UK30S005EXS06EE_" MIME-Version: 1.0 Archived-At: Subject: [sunset4] future of dnssec? X-BeenThere: sunset4@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: sunset4 working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Feb 2017 12:23:47 -0000 --_000_6536E263028723489CCD5B6821D4B21334D566F0UK30S005EXS06EE_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Post exhaustion, the majority of cellular networks and some public wifi n= etworks will use DNS64. DNSSEC and DNS64 do not get along. DNSSEC for "A records only" is broken.= Is this the reason why all content must go v6? Or is the case for DNSSEC still questionable? Or do end hosts need to perform DNS64 so "DNSSEC for A records only" can = be intact? NOTICE AND DISCLAIMER This email contains BT information, which may be privileged or confidenti= al. It's meant only for the individual(s) or entity named above.=20 If you're not the intended recipient, note that disclosing, copying, dist= ributing or using this information is prohibited.=20 If you've received this email in error, please let me know immediately on= =20the email address above. Thank you. We monitor our email system, and may record your emails. EE Limited=20 Registered office:Trident Place, Mosquito Way, Hatfield, Hertfordshire, A= L10 9BW Registered in England no: 02382161 EE Limited is a wholly owned subsidiary of: British Telecommunications plc Registered office: 81 Newgate Street London EC1A 7AJ Registered in England no: 1800000 --_000_6536E263028723489CCD5B6821D4B21334D566F0UK30S005EXS06EE_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable =

Post exhaustion, the majority of cellular networks= =20and some public wifi networks will use DNS64.

DNSSEC and DNS64 do not get along. DNSSEC for R= 20;A records only” is broken.

Is this the reason why all content must go v6?

Or is the case for DNSSEC still questionable?=

Or do end hosts need to perform DNS64 so “DN= SSEC for A records only” can be intact?

NOTICE AND DISCLAIMER
This email contains BT information, which may= =20be=20 privileged or confidential. It's meant only for the individual(s) or enti= ty=20 named above.
If you're not the intended recipient, note that disclosi= ng,=20 copying, distributing or using this information is prohibited.
If you= 've=20 received this email in error, please let me know immediately on the email= =20 address above. Thank you.

We monitor our email system, and may record your emails.

EE Limited
Registered office:Trident Place, Mosquito Way, Hatfield= ,=20 Hertfordshire, AL10 9BW
Registered in England no: 02382161

EE Limited is a wholly owned subsidiary of:

British Telecommunications plc
Registered office: 81 Newgate Street= =20London=20 EC1A 7AJ
Registered in England no: 1800000

--_000_6536E263028723489CCD5B6821D4B21334D566F0UK30S005EXS06EE_-- From nobody Wed Feb 22 05:52:13 2017 Return-Path: X-Original-To: sunset4@ietfa.amsl.com Delivered-To: sunset4@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E3F81298BA for ; Wed, 22 Feb 2017 05:52:12 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.749 X-Spam-Level: X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iN3e4rtkWLo8 for ; Wed, 22 Feb 2017 05:52:10 -0800 (PST) Received: from mail-wr0-x229.google.com (mail-wr0-x229.google.com [IPv6:2a00:1450:400c:c0c::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7998C1298A5 for ; Wed, 22 Feb 2017 05:52:10 -0800 (PST) Received: by mail-wr0-x229.google.com with SMTP id 89so2333422wrr.3 for ; Wed, 22 Feb 2017 05:52:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=2H8oXJnd3fLgH2DQmnFNobZJLUIp0qAbwef7yDv6Xrg=; b=Qjw+JU64T7BvoKhGrv/ylg4qh7XX1QyjoexLQeY9R4Zvnk8GJbJaR/qsam4EbmSW5o SQdCazPLu9YHbkDsuQm1KTErdDKOc3bYgS268KpGsg8Qmuu5QEUpbt0HdQw8Yzn497Il 6n1EFZoZSfW+rEhgGk4WZL9jhGB+lVj8nGpQoIyMGmv4IWadYSvvq9Bv/fZFKHdVqXgt 7YUUD6GrRdwl37ftjPBzo+FkJUOmVmVbGnXuxnr8kZO/5sgpnN2o1KdBOADHGJXPJ0Xe fTh85fkCPiq3TZhuYN1nDIHWoAJZ+fYdwRgoJkIK2s+Q2ox3Qlk15jOWCt2bx+SvnZGv 3IxQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=2H8oXJnd3fLgH2DQmnFNobZJLUIp0qAbwef7yDv6Xrg=; b=VZ+xsaQdaaZEsLC0tmlokr7I+dMpsgpk4ze+B46Ss6bqsjawoONqk+VCebWSSSQ2pp lroRQeE3WE9YDtNjU62BEFXQT9ZMqbrcVwEWxwapVKPyxwEPK0GRTLq8vXNoqtGBxehS Thn2cY0k0FjVW88yNwpbFtmU3KVwO8RtLHNkLTGjoChzpvoV1XQynAgD6owV9dUCjSfx vZM66ZEpriZoVc2qdKGvDtax/ApIJL4xIoI5Glu1xTSSsoOvfsfkqJsiHMbCQEwlt+/6 PSXlDilzng3YRx6y/rHMIcx9Qk9gP2YNCyebieUlMGj9us90NmXDCKL+6OD/WhAbdIKz 18wA== X-Gm-Message-State: AMke39nSsFMeKOlc0g2bXJfHtXqfBsUB/0+VdXRygaKJb1QMqMzU8jrM6loEZcBbLMWpnUCJtH/XKaWKFHFV5w== X-Received: by 10.223.128.5 with SMTP id 5mr24140613wrk.163.1487771528892; Wed, 22 Feb 2017 05:52:08 -0800 (PST) MIME-Version: 1.0 References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> In-Reply-To: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> From: Ca By Date: Wed, 22 Feb 2017 13:51:58 +0000 Message-ID: To: "Heatley, Nick" , "sunset4@ietf.org" Content-Type: multipart/alternative; boundary=94eb2c05cf607c980405491ecdfa Archived-At: Subject: Re: [sunset4] future of dnssec? X-BeenThere: sunset4@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: sunset4 working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Feb 2017 13:52:12 -0000 --94eb2c05cf607c980405491ecdfa Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Wed, Feb 22, 2017 at 4:23 AM Heatley, Nick wrote= : > Post exhaustion, the majority of cellular networks and some public wifi > networks will use DNS64. > > DNSSEC and DNS64 do not get along. DNSSEC for =E2=80=9CA records only=E2= =80=9D is broken. > > Is this the reason why all content must go v6? > > Or is the case for DNSSEC still questionable? > It is demonstrably true that the case for DNSSEC is questioned by smart people. Let's assume that dnssec adds value. We cannnot do any dnssec without EDNS0. And, no mobile operating system i am aware of supports EDNS0 So first, we need to solve the EDNS0 issue and the total lack of mobile end point support Then, we may discuss how having ipv6 and aaaa is a requirement (thusly no dns64) for dnssec to function correctly end to end. Or do end hosts need to perform DNS64 so =E2=80=9CDNSSEC for A records only= =E2=80=9D can be > intact? > > > > NOTICE AND DISCLAIMER > This email contains BT information, which may be privileged or > confidential. It's meant only for the individual(s) or entity named above= . > If you're not the intended recipient, note that disclosing, copying, > distributing or using this information is prohibited. > If you've received this email in error, please let me know immediately on > the email address above. Thank you. > > We monitor our email system, and may record your emails. > > EE Limited > Registered office:Trident Place, Mosquito Way, Hatfield, Hertfordshire, > AL10 9BW > Registered in England no: 02382161 > > EE Limited is a wholly owned subsidiary of: > > British Telecommunications plc > Registered office: 81 Newgate Street London EC1A 7AJ > Registered in England no: 1800000 > _______________________________________________ > sunset4 mailing list > sunset4@ietf.org > https://www.ietf.org/mailman/listinfo/sunset4 > --94eb2c05cf607c980405491ecdfa Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable

On Wed, Feb 22, 2017 at 4:23 AM He= atley, Nick <nick.heatley@ee.co= .uk> wrote:

Post exhaustion, the majority of cellular = networks and some public wifi networks will use DNS64.

DNSSEC and DNS64 do not get along. DNSSEC = for =E2=80=9CA records only=E2=80=9D is broken.<= u class=3D"gmail_msg">

Is this the reason why all content must go= v6?

Or is the case for DNSSEC still questionab= le?

It is demonstrably true= that the case for DNSSEC is questioned by smart people.=C2=A0

Let's assume that dnssec adds value.

<= div>

We cannnot do any dnssec without EDNS0.=C2=A0

And, no mobile operating system i am aware of supports EDNS0=

So first, we need to solve the EDNS0 issue and th= e total lack of mobile end point support =C2=A0

Th= en, we may discuss how having ipv6 and aaaa is a requirement (thusly no dns= 64) for dnssec to function correctly end to end.=C2=A0

Or do end hosts need to perform DNS64 so = =E2=80=9CDNSSEC for A records only=E2=80=9D can be intact?

=C2=A0

NOTICE AND DISCLAIMER
This em= ail contains BT information, which may be=20 privileged or confidential. It's meant only for the individual(s) or en= tity=20 named above.
If you're not the intended recipie= nt, note that disclosing,=20 copying, distributing or using this information is prohibited.
If you've=20 received this email in error, please let me know immediately on the email= =20 address above. Thank you.

We monitor our email system, and may record your ema= ils.

EE Limited
Registered office= :Trident Place, Mosquito Way, Hatfield,=20 Hertfordshire, AL10 9BW
Registered in England no: 02= 382161

EE Limited is a wholly owned subsidiary of:

British Telecommunications plc
Registered office: 81 Newgate Street London=20 EC1A 7AJ
Registered in England no: 1800000

_______________________________________________
sunset4 mailing list
s= unset4@ietf.org
https://www.ietf.org/mailman/listin= fo/sunset4

--94eb2c05cf607c980405491ecdfa-- From nobody Wed Feb 22 06:03:24 2017 Return-Path: X-Original-To: sunset4@ietfa.amsl.com Delivered-To: sunset4@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F19A41298D2 for ; Wed, 22 Feb 2017 06:03:23 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.6 X-Spam-Level: X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XTl8PA7t13Fs for ; Wed, 22 Feb 2017 06:03:21 -0800 (PST) Received: from mail-qk0-x232.google.com (mail-qk0-x232.google.com [IPv6:2607:f8b0:400d:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 996F21298BF for ; Wed, 22 Feb 2017 06:03:21 -0800 (PST) Received: by mail-qk0-x232.google.com with SMTP id u188so3257567qkc.2 for ; Wed, 22 Feb 2017 06:03:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=33viqxXHhL1IUtL2eZha9rWE7x603ibn/69nNEjcL58=; b=I5LLz32f2Jx6xrFZRFOr0WTcDQg5hStr3Oyf1QaAdSVmWJLopz8BewumYC0vQDt942 9Gw6cio3icwNUeTrqUkUxkZOS/FLlwwuIRO8dfOnMrNfYyUzVXD+7vGfoy1VpAYt91pn 0uYi06aO0etXq99Wz/0d/uhYrhpwNJqNkbfyMfWCpImeCuleyabJGsdTLExqkkT6aQWK S5JeugzUruj/eyyU27KoKuMuxjBX6hfyYK9kS2hovGOnjm2UiLzHe6tWo6mPiH+fggsi G5mp5VjhzpvI9M9u/j2Z7KLxv2DKtmJma6lN8NNBCm5Cdhry/RT/4tXbW4xzp7C1JkIO AP8w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=33viqxXHhL1IUtL2eZha9rWE7x603ibn/69nNEjcL58=; b=LiTY9XKNCnXyGLo/vCHRJiD3cjGixLv1cSZ2Kh+owjGYUkCXIiwrQv0MoQW4J3H/uO QgwDbnVda5tf3jKF0AM22IdkjZkCwCOpM0JlLe3QoovzKT1DUHP+7R7m9137nep3ASLT QvdCgAXn4HoU0x7mHkAjPW+q8c/mkB/phlsJ3zVRxPcEeSNfY63ixdQ0JDmGAXwBdZFb Zlw8oMvhQWEeRJmn4BCjjxsTqF0XbNS2s/4ls8ffwYCTt+DkWv0A8r/COy19E7T1gEDh JWR89PeYKg566IAKNzLHuJVR+RPDd9eI8G8bPQ8xWfTcDCUy+Cx40FNxX0sB3s/nuY9m 9Xgg== X-Gm-Message-State: AMke39kZRtTtx28vO5VwUd6pDbqU1bgBbE6aJSXlhgrvZK5h1IG0iIfINqykjpTNyLjwXQ== X-Received: by 10.55.201.218 with SMTP id m87mr32985921qkl.176.1487772200696; Wed, 22 Feb 2017 06:03:20 -0800 (PST) Received: from [192.168.1.228] (c-73-167-64-188.hsd1.nh.comcast.net. [73.167.64.188]) by smtp.gmail.com with ESMTPSA id o190sm706077qkc.65.2017.02.22.06.03.19 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 22 Feb 2017 06:03:19 -0800 (PST) From: Ted Lemon Message-Id: <1D4AF716-822C-4B54-866E-76585B58E1FE@fugue.com> Content-Type: multipart/alternative; boundary="Apple-Mail=_34C4BD77-FE32-4D77-BA09-DF504FCC2084" Mime-Version: 1.0 (Mac OS X Mail 10.2 $3259$) Date: Wed, 22 Feb 2017 09:03:16 -0500 In-Reply-To: To: Ca By References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> X-Mailer: Apple Mail (2.3259) Archived-At: Cc: "Heatley, Nick" , "sunset4@ietf.org" Subject: Re: [sunset4] future of dnssec? X-BeenThere: sunset4@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: sunset4 working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Feb 2017 14:03:24 -0000 --Apple-Mail=_34C4BD77-FE32-4D77-BA09-DF504FCC2084 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 Operating systems don't support EDNS0: resolvers do. What do you mean = when you say "no mobile operating system supports EDNS0"? > On Feb 22, 2017, at 8:51 AM, Ca By wrote: >=20 >=20 > On Wed, Feb 22, 2017 at 4:23 AM Heatley, Nick > wrote: > Post exhaustion, the majority of cellular networks and some public = wifi networks will use DNS64. >=20 > DNSSEC and DNS64 do not get along. DNSSEC for =E2=80=9CA records = only=E2=80=9D is broken. >=20 > Is this the reason why all content must go v6? >=20 > Or is the case for DNSSEC still questionable? >=20 >=20 > It is demonstrably true that the case for DNSSEC is questioned by = smart people.=20 >=20 > Let's assume that dnssec adds value. >=20 >=20 > We cannnot do any dnssec without EDNS0.=20 >=20 > And, no mobile operating system i am aware of supports EDNS0 >=20 > So first, we need to solve the EDNS0 issue and the total lack of = mobile end point support =20 >=20 > Then, we may discuss how having ipv6 and aaaa is a requirement (thusly = no dns64) for dnssec to function correctly end to end.=20 >=20 >=20 > Or do end hosts need to perform DNS64 so =E2=80=9CDNSSEC for A records = only=E2=80=9D can be intact? >=20 > =20 >=20 > NOTICE AND DISCLAIMER > This email contains BT information, which may be privileged or = confidential. It's meant only for the individual(s) or entity named = above.=20 > If you're not the intended recipient, note that disclosing, copying, = distributing or using this information is prohibited.=20 > If you've received this email in error, please let me know immediately = on the email address above. Thank you. >=20 > We monitor our email system, and may record your emails. >=20 > EE Limited=20 > Registered office:Trident Place, Mosquito Way, Hatfield, = Hertfordshire, AL10 9BW > Registered in England no: 02382161 >=20 > EE Limited is a wholly owned subsidiary of: >=20 > British Telecommunications plc > Registered office: 81 Newgate Street London EC1A 7AJ > Registered in England no: 1800000 >=20 > _______________________________________________ > sunset4 mailing list > sunset4@ietf.org > https://www.ietf.org/mailman/listinfo/sunset4 = > _______________________________________________ > sunset4 mailing list > sunset4@ietf.org > https://www.ietf.org/mailman/listinfo/sunset4 = --Apple-Mail=_34C4BD77-FE32-4D77-BA09-DF504FCC2084 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=utf-8 Operating systems don't support EDNS0: resolvers do. = What do you mean when you say "no mobile operating system supports = EDNS0"?

On Feb 22, 2017, at 8:51 AM, Ca By <cb.list6@gmail.com> = wrote:

On Wed, Feb 22, 2017 at 4:23 AM = Heatley, Nick <nick.heatley@ee.co.uk> wrote:
Post exhaustion, the majority of cellular = networks and some public wifi networks will use DNS64.
DNSSEC and DNS64 do not get along. DNSSEC = for =E2=80=9CA records only=E2=80=9D is broken.
Is this the reason why all content must go = v6?
Or is the case for DNSSEC still = questionable?

It is demonstrably true that the case = for DNSSEC is questioned by smart people.

Let's assume that dnssec adds = value.

We cannnot do any dnssec without = EDNS0.

And, no mobile operating system i am aware of supports = EDNS0

So = first, we need to solve the EDNS0 issue and the total lack of mobile end = point support

Then, we may discuss how having ipv6 and aaaa is a = requirement (thusly no dns64) for dnssec to function correctly end to = end.

Or do end = hosts need to perform DNS64 so =E2=80=9CDNSSEC for A records only=E2=80=9D= can be intact?

NOTICE AND DISCLAIMER
This = email contains BT information, which may be privileged or confidential. = It's meant only for the individual(s) or entity named above.
If = you're not the intended recipient, note that disclosing, copying, = distributing or using this information is prohibited.
If = you've received this email in error, please let me know immediately on = the email address above. Thank you.
We monitor = our email system, and may record your emails.
EE= Limited
Registered office:Trident Place, Mosquito Way, = Hatfield, Hertfordshire, AL10 9BW
Registered in = England no: 02382161
EE Limited is a wholly = owned subsidiary of:
British = Telecommunications plc
Registered office: 81 = Newgate Street London EC1A 7AJ
Registered in = England no: = 1800000
_______________________________________________
sunset4 mailing list
sunset4@ietf.org
https://www.ietf.org/mailman/listinfo/sunset4
_______________________________________________
sunset4 mailing = list
sunset4@ietf.org
https://www.ietf.org/mailman/listinfo/sunset4

= --Apple-Mail=_34C4BD77-FE32-4D77-BA09-DF504FCC2084-- From nobody Wed Feb 22 06:04:10 2017 Return-Path: X-Original-To: sunset4@ietfa.amsl.com Delivered-To: sunset4@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCD99129957 for ; Wed, 22 Feb 2017 06:04:08 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PibJEh48E3Dm for ; Wed, 22 Feb 2017 06:04:07 -0800 (PST) Received: from mail-qt0-x229.google.com (mail-qt0-x229.google.com [IPv6:2607:f8b0:400d:c0d::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CDF321298BF for ; Wed, 22 Feb 2017 06:04:06 -0800 (PST) Received: by mail-qt0-x229.google.com with SMTP id n21so3013773qta.1 for ; Wed, 22 Feb 2017 06:04:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=QSwn9lS/25e/sKfpRZ4HQE7K4vJhB1JDKzkJ2N9kFdA=; b=mUGU6MI6yyEw2ReJ7sbW89rY5HYDcTTaNVpiVdZcrhP8bl3mjKbhdmqd2cXcHD7tf6 CaWDKcrFOkj8sgckoJ2TsNbDinAPlr5R6cXlf33IXGO8vFPDipU26oQnxJKsx2WP9r84 1McfVUtVKLp1vIwEKnqOZJoG+WUqC2sLrstbwD5IYm3+9/Uaie9cWuljA5YXQvkEcKMd SRGEIvsM1NxDMGfMD2CASDz2SBRZ5F5MZO4CBFNh+H8hTfQEJN5FjNhP9yiQ+q6pc0i7 Ap23eNvkvBusrYg06Q7gL/IPRfHROjpnFNRQ1Cp95aHgK/o7xyZ0+Z6vXHDOTOU+SzB1 gaKA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=QSwn9lS/25e/sKfpRZ4HQE7K4vJhB1JDKzkJ2N9kFdA=; b=bzt66PSpwHlIRU1nvkPgnGN9oPLzUa60a82VTTg3X3UgfMxv22yhcfA6h4T4CfvNmW QoW4sstMaHd5AcJdchaqR7JRkOoJu0mSkgQtWgYrArKq0N0ttm9ttWtVEl7Fv92vQSjo Zuop1fqMuRrMhAfXIEy8mAa7nIDiJjc70732egBgcM2VhoFVxvnKubv6Lih0VgF/RfgK CCRf6PyjkUeHy4P+n8u9WsrFT9YrwWwB+e3Nbeno7gOsMovnzBNEXUCYeugbyvW+S2bP zq/rPSqXgb5V8CYC03PmgBBbEoVq4v1yQnEFrBZa+hWvEvuADFSXh8zBdi9h7QWenAzH jAZw== X-Gm-Message-State: AMke39ldVGL1pSGuUQkBLt3JSkleT0/zyOIBxXJnTD+j8U+A5q5SymQkhIkIZOAYJFEiKQ== X-Received: by 10.237.44.103 with SMTP id f94mr33113370qtd.292.1487772245854; Wed, 22 Feb 2017 06:04:05 -0800 (PST) Received: from [192.168.1.228] (c-73-167-64-188.hsd1.nh.comcast.net. [73.167.64.188]) by smtp.gmail.com with ESMTPSA id o190sm706077qkc.65.2017.02.22.06.04.04 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 22 Feb 2017 06:04:04 -0800 (PST) From: Ted Lemon Message-Id: Content-Type: multipart/alternative; boundary="Apple-Mail=_A1DDE2C9-B1C8-4990-AFB0-B6F033F4ABD4" Mime-Version: 1.0 (Mac OS X Mail 10.2 $3259$) Date: Wed, 22 Feb 2017 09:04:02 -0500 In-Reply-To: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> To: "Heatley, Nick" References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> X-Mailer: Apple Mail (2.3259) Archived-At: Cc: "sunset4@ietf.org" Subject: Re: [sunset4] future of dnssec? X-BeenThere: sunset4@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: sunset4 working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Feb 2017 14:04:09 -0000 --Apple-Mail=_A1DDE2C9-B1C8-4990-AFB0-B6F033F4ABD4 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 Nick, the solution to this is to do DNS64 in the validator. If the = validator is a stub resolver, do the DNS64 hack there. AFAIK the = technology to support this already exists. > On Feb 22, 2017, at 7:23 AM, Heatley, Nick = wrote: >=20 > Post exhaustion, the majority of cellular networks and some public = wifi networks will use DNS64. > DNSSEC and DNS64 do not get along. DNSSEC for =E2=80=9CA records = only=E2=80=9D is broken. > Is this the reason why all content must go v6? > Or is the case for DNSSEC still questionable? > Or do end hosts need to perform DNS64 so =E2=80=9CDNSSEC for A records = only=E2=80=9D can be intact? > =20 > NOTICE AND DISCLAIMER > This email contains BT information, which may be privileged or = confidential. It's meant only for the individual(s) or entity named = above.=20 > If you're not the intended recipient, note that disclosing, copying, = distributing or using this information is prohibited.=20 > If you've received this email in error, please let me know immediately = on the email address above. Thank you. >=20 > We monitor our email system, and may record your emails. >=20 > EE Limited=20 > Registered office:Trident Place, Mosquito Way, Hatfield, = Hertfordshire, AL10 9BW > Registered in England no: 02382161 >=20 > EE Limited is a wholly owned subsidiary of: >=20 > British Telecommunications plc > Registered office: 81 Newgate Street London EC1A 7AJ > Registered in England no: 1800000 >=20 > _______________________________________________ > sunset4 mailing list > sunset4@ietf.org > https://www.ietf.org/mailman/listinfo/sunset4 = --Apple-Mail=_A1DDE2C9-B1C8-4990-AFB0-B6F033F4ABD4 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=utf-8 Nick, the solution to this is to do DNS64 in the validator. = If the validator is a stub resolver, do the DNS64 hack there. = AFAIK the technology to support this already exists.

On Feb 22, 2017, at 7:23 AM, Heatley, Nick <nick.heatley@ee.co.uk> wrote:

Post exhaustion, the = majority of cellular networks and some public wifi networks will use = DNS64.
DNSSEC and DNS64 do not get along. DNSSEC for =E2=80=9CA = records only=E2=80=9D is broken.
Is this the reason why all content must = go v6?
Or is the case for DNSSEC still questionable?
Or do end = hosts need to perform DNS64 so =E2=80=9CDNSSEC for A records only=E2=80=9D= can be intact?

NOTICE AND DISCLAIMER
This email contains BT information, which may be privileged = or confidential. It's meant only for the individual(s) or entity named = above.
If= you're not the intended recipient, note that disclosing, copying, = distributing or using this information is prohibited.
If you've = received this email in error, please let me know immediately on the = email address above. Thank you.
We monitor our email system, and may record your = emails.
EE = Limited
Registered office:Trident Place, Mosquito Way, Hatfield, = Hertfordshire, AL10 9BW
Registered in England no: = 02382161
EE = Limited is a wholly owned subsidiary of:
British Telecommunications plc
Registered = office: 81 Newgate Street London EC1A 7AJ
Registered in = England no: 1800000
_______________________________________________
sunset4 mailing = list
sunset4@ietf.org
https://www.ietf.org/mailman/listinfo/sunset4

= --Apple-Mail=_A1DDE2C9-B1C8-4990-AFB0-B6F033F4ABD4-- From nobody Wed Feb 22 06:13:38 2017 Return-Path: X-Original-To: sunset4@ietfa.amsl.com Delivered-To: sunset4@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFD941298CF for ; Wed, 22 Feb 2017 06:13:37 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.902 X-Spam-Level: X-Spam-Status: No, score=-6.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dBLejBlFD_O9 for ; Wed, 22 Feb 2017 06:13:36 -0800 (PST) Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 765D0129961 for ; Wed, 22 Feb 2017 06:13:36 -0800 (PST) Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id C650C3493E0; Wed, 22 Feb 2017 14:13:33 +0000 (UTC) Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id B6FEA16006B; Wed, 22 Feb 2017 14:13:33 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id A912A16006A; Wed, 22 Feb 2017 14:13:33 +0000 (UTC) Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id PJ3UjJStUv4z; Wed, 22 Feb 2017 14:13:33 +0000 (UTC) Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 529C8160048; Wed, 22 Feb 2017 14:13:33 +0000 (UTC) Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id C813564549C9; Thu, 23 Feb 2017 01:13:29 +1100 (EST) To: Ca By From: Mark Andrews References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> In-reply-to: Your message of "Wed, 22 Feb 2017 13:51:58 -0000." Date: Thu, 23 Feb 2017 01:13:29 +1100 Message-Id: <20170222141329.C813564549C9@rock.dv.isc.org> Archived-At: Cc: "Heatley, Nick" , "sunset4@ietf.org" Subject: Re: [sunset4] future of dnssec? X-BeenThere: sunset4@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: sunset4 working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Feb 2017 14:13:38 -0000 In message , Ca By writes: > On Wed, Feb 22, 2017 at 4:23 AM Heatley, Nick > wrote: > > > Post exhaustion, the majority of cellular networks and some public wifi > > networks will use DNS64. > > > > DNSSEC and DNS64 do not get along. DNSSEC for “A records only” is > > broken. > > > > Is this the reason why all content must go v6? > > > > Or is the case for DNSSEC still questionable? > > It is demonstrably true that the case for DNSSEC is questioned by smart > people. > > Let's assume that dnssec adds value. > > We cannnot do any dnssec without EDNS0. > > And, no mobile operating system i am aware of supports EDNS0 I'm aware of apps that support EDNS. That said phone vendors and mobile ISP's should be ashamed that they don't support DNSSEC today. 15% of the world lives behind validating resolvers. > So first, we need to solve the EDNS0 issue and the total lack of mobile > end point support > > Then, we may discuss how having ipv6 and aaaa is a requirement (thusly no > dns64) for dnssec to function correctly end to end. > > Or do end hosts need to perform DNS64 so “DNSSEC for A records only” can > be intact? > > NOTICE AND DISCLAIMER > > This email contains BT information, which may be privileged or > > confidential. It's meant only for the individual(s) or entity named > above. > > If you're not the intended recipient, note that disclosing, copying, > > distributing or using this information is prohibited. > > If you've received this email in error, please let me know immediately > on > > the email address above. Thank you. > > > > We monitor our email system, and may record your emails. > > > > EE Limited > > Registered office:Trident Place, Mosquito Way, Hatfield, Hertfordshire, > > AL10 9BW > > Registered in England no: 02382161 > > > > EE Limited is a wholly owned subsidiary of: > > > > British Telecommunications plc > > Registered office: 81 Newgate Street London EC1A 7AJ > > Registered in England no: 1800000 > > _______________________________________________ > > sunset4 mailing list > > sunset4@ietf.org > > https://www.ietf.org/mailman/listinfo/sunset4 -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org From nobody Wed Feb 22 06:36:43 2017 Return-Path: X-Original-To: sunset4@ietfa.amsl.com Delivered-To: sunset4@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47A2C12997C for ; Wed, 22 Feb 2017 06:36:42 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.902 X-Spam-Level: X-Spam-Status: No, score=-6.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sWbSxMlhungp for ; Wed, 22 Feb 2017 06:36:40 -0800 (PST) Received: from mx.ams1.isc.org (mx.ams1.isc.org [199.6.1.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0200912999D for ; Wed, 22 Feb 2017 06:36:40 -0800 (PST) Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.ams1.isc.org (Postfix) with ESMTPS id 262D524AE14; Wed, 22 Feb 2017 14:36:36 +0000 (UTC) Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 1C1A1160048; Wed, 22 Feb 2017 14:36:35 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 08E0416006A; Wed, 22 Feb 2017 14:36:35 +0000 (UTC) Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 7_ZxVA8JyrOp; Wed, 22 Feb 2017 14:36:34 +0000 (UTC) Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 18C86160048; Wed, 22 Feb 2017 14:36:33 +0000 (UTC) Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 9E9C56454B08; Thu, 23 Feb 2017 01:36:29 +1100 (EST) To: Ted Lemon From: Mark Andrews References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> In-reply-to: Your message of "Wed, 22 Feb 2017 09:04:02 -0500." Date: Thu, 23 Feb 2017 01:36:29 +1100 Message-Id: <20170222143629.9E9C56454B08@rock.dv.isc.org> Archived-At: Cc: "Heatley, Nick" , "sunset4@ietf.org" Subject: Re: [sunset4] future of dnssec? X-BeenThere: sunset4@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: sunset4 working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Feb 2017 14:36:42 -0000 In message , Ted Lemon writes: > > Nick, the solution to this is to do DNS64 in the validator. If the > validator is a stub resolver, do the DNS64 hack there. AFAIK the > technology to support this already exists. DNS64 really should just be made historic. It does not work with DNSSEC. There has NEVER been a NEED for NAT64 or DNS64. They provides NO BENEFIT over other methods. Every proported benefit turns out not to exist. Go do the comparitive analysis. > > On Feb 22, 2017, at 7:23 AM, Heatley, Nick > wrote: > > > > Post exhaustion, the majority of cellular networks and some public wifi > networks will use DNS64. > > DNSSEC and DNS64 do not get along. DNSSEC for “A records only” is > broken. > > Is this the reason why all content must go v6? > > Or is the case for DNSSEC still questionable? > > Or do end hosts need to perform DNS64 so “DNSSEC for A records only” > can be intact? > > > > NOTICE AND DISCLAIMER > > This email contains BT information, which may be privileged or > confidential. It's meant only for the individual(s) or entity named > above. > > If you're not the intended recipient, note that disclosing, copying, > distributing or using this information is prohibited. > > If you've received this email in error, please let me know immediately > on the email address above. Thank you. > > > > We monitor our email system, and may record your emails. > > > > EE Limited > > Registered office:Trident Place, Mosquito Way, Hatfield, Hertfordshire, > AL10 9BW > > Registered in England no: 02382161 > > > > EE Limited is a wholly owned subsidiary of: > > > > British Telecommunications plc > > Registered office: 81 Newgate Street London EC1A 7AJ > > Registered in England no: 1800000 > > > > _______________________________________________ > > sunset4 mailing list > > sunset4@ietf.org > > https://www.ietf.org/mailman/listinfo/sunset4 > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org From nobody Wed Feb 22 07:00:36 2017 Return-Path: X-Original-To: sunset4@ietfa.amsl.com Delivered-To: sunset4@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 320021299D3 for ; Wed, 22 Feb 2017 07:00:36 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.902 X-Spam-Level: X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fKjYkadM90H6 for ; Wed, 22 Feb 2017 07:00:34 -0800 (PST) Received: from jazz.viagenie.ca (jazz.viagenie.ca [IPv6:2620:0:230:8000::2]) by ietfa.amsl.com (Postfix) with ESMTP id 435F31299CE for ; Wed, 22 Feb 2017 07:00:34 -0800 (PST) Received: from [206.123.31.226] (h226.viagenie.ca [206.123.31.226]) by jazz.viagenie.ca (Postfix) with ESMTPSA id E9885475A3; Wed, 22 Feb 2017 10:00:32 -0500 (EST) From: "Marc Blanchet" To: "Mark Andrews" Date: Wed, 22 Feb 2017 10:00:30 -0500 Message-ID: <8C2DC5DB-88CA-4541-BE50-C23088F77867@viagenie.ca> In-Reply-To: <20170222143629.9E9C56454B08@rock.dv.isc.org> References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> <20170222143629.9E9C56454B08@rock.dv.isc.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit X-Mailer: MailMate (1.9.6r5347) Archived-At: Cc: "sunset4@ietf.org" Subject: Re: [sunset4] future of dnssec? X-BeenThere: sunset4@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: sunset4 working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Feb 2017 15:00:36 -0000 On 22 Feb 2017, at 9:36, Mark Andrews wrote: > In message , Ted Lemon > writes: >> >> Nick, the solution to this is to do DNS64 in the validator. If the >> validator is a stub resolver, do the DNS64 hack there. AFAIK the >> technology to support this already exists. > > DNS64 really should just be made historic. It does not work with > DNSSEC. There has NEVER been a NEED for NAT64 or DNS64. They > provides NO BENEFIT over other methods. Every proported benefit > turns out not to exist. > > Go do the comparitive analysis. I respectfully disagree. dual-stack incur many additional costs operationally. deploying v6only infrastructure is more cost effective, specially over the long run. nowadays, statistics show that a large amount of trafic could be carried over IPv6, which means then that you « just » need to care about the tail of the IPv4-only destinations, which is where nat64/dns64 comes. But I guess you know all this. Marc. > >>> On Feb 22, 2017, at 7:23 AM, Heatley, Nick >> wrote: >>> >>> Post exhaustion, the majority of cellular networks and some public >>> wifi >> networks will use DNS64. >>> DNSSEC and DNS64 do not get along. DNSSEC for “A records only” >>> is >> broken. >>> Is this the reason why all content must go v6? >>> Or is the case for DNSSEC still questionable? >>> Or do end hosts need to perform DNS64 so “DNSSEC for A records >>> only” >> can be intact? >>> >>> NOTICE AND DISCLAIMER >>> This email contains BT information, which may be privileged or >> confidential. It's meant only for the individual(s) or entity named >> above. >>> If you're not the intended recipient, note that disclosing, copying, >> distributing or using this information is prohibited. >>> If you've received this email in error, please let me know >>> immediately >> on the email address above. Thank you. >>> >>> We monitor our email system, and may record your emails. >>> >>> EE Limited >>> Registered office:Trident Place, Mosquito Way, Hatfield, >>> Hertfordshire, >> AL10 9BW >>> Registered in England no: 02382161 >>> >>> EE Limited is a wholly owned subsidiary of: >>> >>> British Telecommunications plc >>> Registered office: 81 Newgate Street London EC1A 7AJ >>> Registered in England no: 1800000 >>> >>> _______________________________________________ >>> sunset4 mailing list >>> sunset4@ietf.org >>> https://www.ietf.org/mailman/listinfo/sunset4 >> > > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: marka@isc.org > > _______________________________________________ > sunset4 mailing list > sunset4@ietf.org > https://www.ietf.org/mailman/listinfo/sunset4 From nobody Wed Feb 22 08:19:56 2017 Return-Path: X-Original-To: sunset4@ietfa.amsl.com Delivered-To: sunset4@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B10B129A39 for ; Wed, 22 Feb 2017 08:19:55 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.749 X-Spam-Level: X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NVT8lJ_cBpo1 for ; Wed, 22 Feb 2017 08:19:53 -0800 (PST) Received: from mail-wr0-x231.google.com (mail-wr0-x231.google.com [IPv6:2a00:1450:400c:c0c::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 637681298AB for ; Wed, 22 Feb 2017 08:19:53 -0800 (PST) Received: by mail-wr0-x231.google.com with SMTP id 97so5530356wrb.0 for ; Wed, 22 Feb 2017 08:19:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/HS8IQqZRsw2RSkXArGIsfRTgmQiQhyhqXzSLaK+f/o=; b=WqiUedhsxzTFxfUJtKIVxgeP0k8rhRvvlgWjUdMouqeKGSaqxSXjrstIeEyrCRRdOZ tTPH/E+DHEg9SBKX2fHc7/REoped9zU5C7sRiEPUZOKKjmtbDHDX+Yi1ADDnEvnRojLN RidudbFtSzjmoIYrL7Kj1y9wqIuHew3QSIKHQ3kLakhxnNUgwG0m1loCu7UTXgLMav4z gym5mK9F3rROA5W7GDz7pzewwg7wlemWzOvrX6OUwgki1XRaWgwlSphe63ImfDtJi9zL +YZ8Jsz8cRP7l46uCYZgJNvxxivyfDRCdQQ0Le4rZPOJEwp5CiEi5wdmKMVraYkBDmAK udDw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/HS8IQqZRsw2RSkXArGIsfRTgmQiQhyhqXzSLaK+f/o=; b=Z27E2sudj2fpmxyMFzlBDQKRL3EvYkYYVoRmzds8XYUsdycdncPYet0azl1NJR1DVm dnJtWlqtttUSAPrVAcw5vNx1Kck6J1cw5xXUUH9gO58nWjW8BUTCyEeenYq+wBiis7ze sJJRqg0YhG0JJbqTgNOrOqDom7vapdLSaSAYMZEqaLYZA4y3AYavFB1Zbj3tua0YxAHP cOCMxOO9C/6dwJsIB0nxPeD3w/j3kFxEhoCSSko3mhc7J+NxrJNkvn+w8+8lcq4nqQH/ HYi56PhwMhBbZoeVjCWE3/rvyb8xi8m05z1Q2NfUQEYYoGWW9ynURWegu/yMsq815xoW gSJQ== X-Gm-Message-State: AMke39meycyFKEA3HRPz1/FfzDL7qC1F4G4iikvXDOy0tDfQr9Vk5JNdwIcbIt/nmWvG2c+CfWzIEkZyckjVsA== X-Received: by 10.223.141.148 with SMTP id o20mr24934539wrb.191.1487780391768; Wed, 22 Feb 2017 08:19:51 -0800 (PST) MIME-Version: 1.0 References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> <20170222143629.9E9C56454B08@rock.dv.isc.org> In-Reply-To: <20170222143629.9E9C56454B08@rock.dv.isc.org> From: Ca By Date: Wed, 22 Feb 2017 16:19:40 +0000 Message-ID: To: Mark Andrews , Ted Lemon Content-Type: multipart/alternative; boundary=f403045f4faec156e8054920dd00 Archived-At: Cc: "Heatley, Nick" , "sunset4@ietf.org" Subject: Re: [sunset4] future of dnssec? X-BeenThere: sunset4@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: sunset4 working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Feb 2017 16:19:55 -0000 --f403045f4faec156e8054920dd00 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Wed, Feb 22, 2017 at 6:36 AM Mark Andrews wrote: > > In message , Ted Lemon > writes: > > > > Nick, the solution to this is to do DNS64 in the validator. If the > > validator is a stub resolver, do the DNS64 hack there. AFAIK the > > technology to support this already exists. > > DNS64 really should just be made historic. It does not work with > DNSSEC. There has NEVER been a NEED for NAT64 or DNS64. They > provides NO BENEFIT over other methods. Every proported benefit > turns out not to exist. > > Go do the comparitive analysis. >From a network with 10s of millions of nat64 users and zero dnssec, I disagree and suggest dnssec move to historic since it is a ddos attack vector and provides no privacy element and generally weak cryto ... also it has caused many wide scale outages for networks that have elected to use it. > > > > On Feb 22, 2017, at 7:23 AM, Heatley, Nick > > wrote: > > > > > > Post exhaustion, the majority of cellular networks and some public wi= fi > > networks will use DNS64. > > > DNSSEC and DNS64 do not get along. DNSSEC for =E2=80=9CA records only= =E2=80=9D is > > broken. > > > Is this the reason why all content must go v6? > > > Or is the case for DNSSEC still questionable? > > > Or do end hosts need to perform DNS64 so =E2=80=9CDNSSEC for A record= s only=E2=80=9D > > can be intact? > > > > > > NOTICE AND DISCLAIMER > > > This email contains BT information, which may be privileged or > > confidential. It's meant only for the individual(s) or entity named > > above. > > > If you're not the intended recipient, note that disclosing, copying, > > distributing or using this information is prohibited. > > > If you've received this email in error, please let me know immediatel= y > > on the email address above. Thank you. > > > > > > We monitor our email system, and may record your emails. > > > > > > EE Limited > > > Registered office:Trident Place, Mosquito Way, Hatfield, Hertfordshir= e, > > AL10 9BW > > > Registered in England no: 02382161 > > > > > > EE Limited is a wholly owned subsidiary of: > > > > > > British Telecommunications plc > > > Registered office: 81 Newgate Street London EC1A 7AJ > > > Registered in England no: 1800000 > > > > > > _______________________________________________ > > > sunset4 mailing list > > > sunset4@ietf.org > > > https://www.ietf.org/mailman/listinfo/sunset4 > > > > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: marka@isc.org > > _______________________________________________ > sunset4 mailing list > sunset4@ietf.org > https://www.ietf.org/mailman/listinfo/sunset4 > --f403045f4faec156e8054920dd00 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable

On Wed, Feb 22, 2017 at 6:36 AM Ma= rk Andrews <marka@isc.org> wrote= :

In message <B5E8C545-55B9-4ECB-B0C8-C3EEFEE= CD320@fugue.com>, Ted Lemon writes:
>
> Nick, the solution to this is to do DNS64 in the validator.=C2=A0 =C2= =A0If the
> validator is a stub resolver, do the DNS64 hack there.=C2=A0 =C2=A0AFA= IK the
> technology to support this already exists.

DNS64 really should just be made historic.=C2=A0 It does not work with
DNSSEC.=C2=A0 There has NEVER been a NEED for NAT64 or DNS64.=C2=A0 They provides NO BENEFIT over other methods.=C2=A0 Every proported benefit
turns out not to exist.

Go do the comparitive analysis.

From a netw= ork with 10s of millions of nat64 users and zero dnssec, I disagree and sug= gest dnssec move to historic since it is a ddos attack vector and provides = no privacy element and generally weak cryto ... also it has caused many wid= e scale outages for networks that have elected to use it.=C2=A0

<= br>

> > On Feb 22, 2017, at 7:23 AM, Heatley, Nick <nick.heatley@e= e.co.uk>
> wrote:
> >
> > Post exhaustion, the majority of cellular networks and some publi= c wifi
> networks will use DNS64.
> > DNSSEC and DNS64 do not get along. DNSSEC for =E2=80=9CA records = only=E2=80=9D is
> broken.
> > Is this the reason why all content must go v6?
> > Or is the case for DNSSEC still questionable?
> > Or do end hosts need to perform DNS64 so =E2=80=9CDNSSEC for A re= cords only=E2=80=9D
> can be intact?
> >
> > NOTICE AND DISCLAIMER
> > This email contains BT information, which may be privileged or > confidential. It's meant only for the individual(s) or entity name= d
> above.
> > If you're not the intended recipient, note that disclosing, c= opying,
> distributing or using this information is prohibited.
> > If you've received this email in error, please let me know im= mediately
> on the email address above. Thank you.
> >
> > We monitor our email system, and may record your emails.
> >
> > EE Limited
> > Registered office:Trident Place, Mosquito Way, Hatfield, Hertford= shire,
> AL10 9BW
> > Registered in England no: 02382161
> >
> > EE Limited is a wholly owned subsidiary of:
> >
> > British Telecommunications plc
> > Registered office: 81 Newgate Street London EC1A 7AJ
> > Registered in England no: 1800000
> >
> > _______________________________________________
> > sunset4 mailing list
> > sunset4@ietf.org <mailto:sunset4@ietf.org>
> > https://www.ietf.org/mail= man/listinfo/sunset4
> <https://www.ietf.org/mailm= an/listinfo/sunset4>

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0INTERNET: marka@isc.org

_______________________________________________
sunset4 mailing list
s= unset4@ietf.org
https://www.ietf.org/mailman/listin= fo/sunset4

--f403045f4faec156e8054920dd00-- From nobody Wed Feb 22 08:35:35 2017 Return-Path: X-Original-To: sunset4@ietfa.amsl.com Delivered-To: sunset4@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6B2A129A5A for ; Wed, 22 Feb 2017 08:35:31 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.6 X-Spam-Level: X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i13h3u_v4p9U for ; Wed, 22 Feb 2017 08:35:30 -0800 (PST) Received: from mail-qt0-x230.google.com (mail-qt0-x230.google.com [IPv6:2607:f8b0:400d:c0d::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38F221294FD for ; Wed, 22 Feb 2017 08:35:30 -0800 (PST) Received: by mail-qt0-x230.google.com with SMTP id b16so7100891qte.0 for ; Wed, 22 Feb 2017 08:35:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=z0HsFBNRgIvPc+nc3gWM+zUKCDinrNGRt2kN9pRSG9E=; b=rxpNd5e0qAnhlsknwjm9Ze45D9u0IDnORIwfD6d8kHSwbHGjjKfeQoMx2S8uKTDGHb JRqjs8jAUN8/MDXuVJMhHw+Ylu78RbnE40Rfthh7EXpF89ZWFZij66twY9X/0+sz/UuA c+8/snyv0rnEuGfdH2APWHM6OmYWTVRtYGR388aXfSxuLqNfzd8M4KXgNp2Ij+vU8BhH 3ocTgwkSwUBQ5CZzF6im6ay098gXiXB7mrTpWm2wVBp0Jh+W5zXgoUC83zdHcOYpdCM/ bzDy7a0fCp6YUAWFtLA/PRbQYSTirVJMCU1Coe8xVPII1cqIITmjbWXXuXXLcKd9uCWy iOLg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=z0HsFBNRgIvPc+nc3gWM+zUKCDinrNGRt2kN9pRSG9E=; b=S6WVNocK36n7sEEEeVrqqjFL2RAQVCFsY2ELKZ2QQmDD4xxzC172TjBDdXFRctV0bL FcUjydle+6i8DkPHoCYRyvtabzGoYqfhhCWPYQssGRAXewGgslFaTVav3Wu/Ts94kPMy IU/ar3v6HrAAaAfwjOonGRZTWGZVvWJ1z6npBouVHk9HQDAzKB8Q64qd8f1hhBD6++Kt U+ZMzvB9gRE39yXopErM7h4ja1QOrbWDOcMtXc8Pd23w+m4rHJ2eOjYCEKAsDTC4J3aX oiEe+UOkkMQiULhQrRy6oiVJlakuHaKahkn0VLlT04NvX7lHnbcU4+1kCuohTfR4fC5F CIBQ== X-Gm-Message-State: AMke39m8AGMPBQUPpmVMr6YDVTnFtXTZ4S0ZWmM2d3I4GGGBoTGDGOHyzCgO2T3Cw6OzOg== X-Received: by 10.200.1.206 with SMTP id b14mr8231838qtg.285.1487781329186; Wed, 22 Feb 2017 08:35:29 -0800 (PST) Received: from [192.168.1.228] (c-73-167-64-188.hsd1.ma.comcast.net. [73.167.64.188]) by smtp.gmail.com with ESMTPSA id z139sm980472qkb.29.2017.02.22.08.35.27 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 22 Feb 2017 08:35:28 -0800 (PST) From: Ted Lemon Message-Id: Content-Type: multipart/alternative; boundary="Apple-Mail=_FE7496BF-B35D-4627-AED4-7582B7C5F68E" Mime-Version: 1.0 (Mac OS X Mail 10.2 $3259$) Date: Wed, 22 Feb 2017 11:35:26 -0500 In-Reply-To: <20170222143629.9E9C56454B08@rock.dv.isc.org> To: Mark Andrews References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> <20170222143629.9E9C56454B08@rock.dv.isc.org> X-Mailer: Apple Mail (2.3259) Archived-At: Cc: "Heatley, Nick" , "sunset4@ietf.org" Subject: Re: [sunset4] future of dnssec? X-BeenThere: sunset4@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: sunset4 working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Feb 2017 16:35:32 -0000 --Apple-Mail=_FE7496BF-B35D-4627-AED4-7582B7C5F68E Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii On Feb 22, 2017, at 9:36 AM, Mark Andrews wrote: > DNS64 really should just be made historic. It does not work with > DNSSEC. There has NEVER been a NEED for NAT64 or DNS64. They > provides NO BENEFIT over other methods. Every proported benefit > turns out not to exist. (A) I find NAT64 to be a very convenient solution, and best of all it = tests IPv6 functionality in apps, so I know which apps will not work on = a v6-only network. (B) DNS64 works _fine_ with DNSSEC as long as you do the DNS64 = translation _after you validate_. --Apple-Mail=_FE7496BF-B35D-4627-AED4-7582B7C5F68E Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=us-ascii On Feb 22, 2017, at 9:36 AM, Mark Andrews <marka@isc.org> = wrote:

DNS64 really should just be made historic. = It does not work with
DNSSEC. There has NEVER = been a NEED for NAT64 or DNS64. They
provides NO BENEFIT over other = methods. Every proported benefit
turns out not to = exist.

(A) = I find NAT64 to be a very convenient solution, and best of all it tests = IPv6 functionality in apps, so I know which apps will not work on a = v6-only network.

(B) DNS64 works _fine_ with DNSSEC = as long as you do the DNS64 translation _after you validate_.

= --Apple-Mail=_FE7496BF-B35D-4627-AED4-7582B7C5F68E-- From nobody Wed Feb 22 08:46:00 2017 Return-Path: X-Original-To: sunset4@ietfa.amsl.com Delivered-To: sunset4@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C8B4129484 for ; Wed, 22 Feb 2017 08:45:59 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TEYcTsRh4Yvn for ; Wed, 22 Feb 2017 08:45:57 -0800 (PST) Received: from stereo.hq.phicoh.net (stereo6-tun.hq.phicoh.net [IPv6:2001:888:1044:10:2a0:c9ff:fe9f:17a9]) by ietfa.amsl.com (Postfix) with ESMTP id 8621112940A for ; Wed, 22 Feb 2017 08:45:57 -0800 (PST) Received: from stereo.hq.phicoh.net ([::ffff:127.0.0.1]) by stereo.hq.phicoh.net with esmtp (Smail #127) id m1cga39-0000DKC; Wed, 22 Feb 2017 17:45:55 +0100 Message-Id: To: sunset4@ietf.org From: Philip Homburg Sender: pch-bF054DD66@u-1.phicoh.com References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> <20170222143629.9E9C56454B08@rock.dv.isc.org> In-reply-to: Your message of "Wed, 22 Feb 2017 16:19:40 +0000 ." Date: Wed, 22 Feb 2017 17:45:54 +0100 Archived-At: Cc: Ca By Subject: Re: [sunset4] future of dnssec? X-BeenThere: sunset4@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: sunset4 working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Feb 2017 16:45:59 -0000 >>From a network with 10s of millions of nat64 users and zero dnssec, I >disagree and suggest dnssec move to historic since it is a ddos attack >vector and provides no privacy element and generally weak cryto ... also it >has caused many wide scale outages for networks that have elected to use >it. With 2.5 million DNSSEC signed zones in just the nl TLD (45% of all zones in .nl) and Google's highly popular public resolvers performing DNSSEC validation, it is also safe to say that millions of people use DNSSEC daily without nat64. At least for me personally, I come across expired (or otherwise broken) certificates a lot more often than domains that fail DNSSEC validation. As for weak crypto, I'm not aware of a single serious (published and executed) attack on deployed DNSSEC. So it seems that both operationally and from a security point of view, DNSSEC is stricly better than TLS. By and large, the DNSSEC problems (and the IPv4 literal problems) can be solved by using 464xlat instead of DNS64. However, NAT64 is such a 'success' that at least one high profile content provider had to rush to roll out IPv6 because the deployed NAT64 was breaking their service. From nobody Wed Feb 22 09:08:14 2017 Return-Path: X-Original-To: sunset4@ietfa.amsl.com Delivered-To: sunset4@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08A13129A6F for ; Wed, 22 Feb 2017 09:08:13 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.6 X-Spam-Level: X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eWy2dtDSNfBc for ; Wed, 22 Feb 2017 09:08:12 -0800 (PST) Received: from mail-qt0-x22a.google.com (mail-qt0-x22a.google.com [IPv6:2607:f8b0:400d:c0d::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED4731299D6 for ; Wed, 22 Feb 2017 09:08:11 -0800 (PST) Received: by mail-qt0-x22a.google.com with SMTP id n21so7940457qta.1 for ; Wed, 22 Feb 2017 09:08:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=LJW7taayHN2z9w5MoSPthRrSnsyZuqmVC56SECSfr8A=; b=hbNLoMsBudaxxl2Lupxtcen4SCIT8QMSjGdYvxsL/CMAseSkPNirivW7qP/TxUDEvn WUupfrwrOXNAmGUNq9gVur1VtFweBIafw5i8bOQAGLGZhP9Fsky9HCf3lQI5i0QNBul/ jGhq0B7vT3x2XKE66IVweB010cNRaq1zTfkQEUXVCUgyVgcNJHf99m5pFfOUbuYH6wIm C4vfh3667j4T8dLdtiXs8RSWIC6+pkCgdqBcM5oHaHv6vbHmf0z5rBu0gEzMPhfHMk9M 5xK/9/gMLoBPV9TAxxC/WXs2eoa69HLzD0vXLLzp86qt9sfllUkHJ9ILiDtDlQZnQ4tc N0nA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=LJW7taayHN2z9w5MoSPthRrSnsyZuqmVC56SECSfr8A=; b=JzvD2eGuqp7kXjzABktsegX4ED99jTNG4OdEs7uQq9U5oNaNAdyLw6oyRZ4svlkzo7 Jz8wafFH71iGqt0dpCd96RfaCjeHDrqZZbVoqJrH816bA54Weoaup+9EYwWGFmWs+Vms GKwBsKnNbZyfBgqPgdgG50fMlGUS3jOCFsQvLHTf1L4uEBxbP1BwhuVxLWmNtqzcf/El cGhLiCogVTe7VDv30XbugLQ+jMLcgZQ28ymrBDSHS0Oce7jI0KdL5JiGnEmKpSOm61sl cC7dXXzccEe6EHpKTRcNv6TRjK1OsunwDAhS98mqPGAhOuhSwoZprLGnNYTYW4D5mxFp gVMw== X-Gm-Message-State: AMke39mqB87XLnlmtpqo+GX+HUwlyob6Nz3Zw1KYpLaIxVpiwIFQke/Qj20vNClodml3Hg== X-Received: by 10.200.35.124 with SMTP id b57mr33373197qtb.147.1487783290749; Wed, 22 Feb 2017 09:08:10 -0800 (PST) Received: from [192.168.1.228] (c-73-167-64-188.hsd1.ma.comcast.net. [73.167.64.188]) by smtp.gmail.com with ESMTPSA id i125sm1017987qkf.52.2017.02.22.09.08.09 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 22 Feb 2017 09:08:09 -0800 (PST) From: Ted Lemon Message-Id: Content-Type: multipart/alternative; boundary="Apple-Mail=_9C9FCC8F-20C3-46AC-955E-0B0CFEA95FCD" Mime-Version: 1.0 (Mac OS X Mail 10.2 $3259$) Date: Wed, 22 Feb 2017 12:08:07 -0500 In-Reply-To: To: Philip Homburg References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> <20170222143629.9E9C56454B08@rock.dv.isc.org>

X-Mailer: Apple Mail (2.3259) Archived-At: Cc: Ca By , sunset4@ietf.org Subject: Re: [sunset4] future of dnssec? X-BeenThere: sunset4@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: sunset4 working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Feb 2017 17:08:13 -0000 --Apple-Mail=_9C9FCC8F-20C3-46AC-955E-0B0CFEA95FCD Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii On Feb 22, 2017, at 11:45 AM, Philip Homburg = wrote: > However, NAT64 is such a 'success' that at least one high profile = content > provider had to rush to roll out IPv6 because the deployed NAT64 was > breaking their service. And that, right there, completely justifies all the work that went into = the NAT64 process. :) --Apple-Mail=_9C9FCC8F-20C3-46AC-955E-0B0CFEA95FCD Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=us-ascii On Feb 22, 2017, at 11:45 AM, Philip Homburg <pch-sunset4@u-1.phicoh.com> wrote:

However, NAT64 is = such a 'success' that at least one high profile content
provider had to rush to roll out IPv6 because = the deployed NAT64 was
breaking their = service.

And= that, right there, completely justifies all the work that went into the = NAT64 process. :)

= --Apple-Mail=_9C9FCC8F-20C3-46AC-955E-0B0CFEA95FCD-- From nobody Wed Feb 22 10:19:12 2017 Return-Path: X-Original-To: sunset4@ietfa.amsl.com Delivered-To: sunset4@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A8991296B4 for ; Wed, 22 Feb 2017 10:19:11 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.902 X-Spam-Level: X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mRoSvSrTJi2q for ; Wed, 22 Feb 2017 10:19:10 -0800 (PST) Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4391B12967C for ; Wed, 22 Feb 2017 10:19:10 -0800 (PST) Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 1CC1DE1D3; Wed, 22 Feb 2017 13:41:03 -0500 (EST) Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id E6130636BB; Wed, 22 Feb 2017 13:19:08 -0500 (EST) From: Michael Richardson To: "Heatley\, Nick" In-Reply-To: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.5.1 X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m Archived-At: Cc: "sunset4@ietf.org" Subject: Re: [sunset4] future of dnssec? X-BeenThere: sunset4@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: sunset4 working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Feb 2017 18:19:11 -0000 --=-=-= Content-Type: text/plain Heatley, Nick wrote: > Or do end hosts need to perform DNS64 so DNSSEC for A records only > can be intact? This is my take as being the only reasonable solution. -- Michael Richardson , Sandelman Software Works -= IPv6 IoT consulting =- --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEbsyLEzg/qUTA43uogItw+93Q3WUFAlit1hwACgkQgItw+93Q 3WWuMwgAqIw6v0FG+ZFGzjECASh9ks1yN50gCwhmyLk6qLEzwsXilMs47a/QFzqZ pB6GKHpuycPzDKMIJO0WjVoZXKWoXkZMbSGT6AluvZyGhqvW2zUOv5/YJruoUzUq q2+2r7wtB75cppOYRJ7Q0ISlLrOlRNufxwrkpAqcYd72Ddu/hw/BPHf6fxiU+76W 1eEw8d/+2/4DBLwvKGFO+8yEcEhnPm2E265GlYT/9feOs2CHtup/NfkMZrV7XlUE evxvyfdE3/kp0vP4Q9ZeAuSF9xUoLfAQSYQXXqEdBtbisEiuqU92kJbEKEgGW96s wvfFz32vfRq6pvLKBvaqdq3udujvgQ== =WBgE -----END PGP SIGNATURE----- --=-=-=-- From nobody Wed Feb 22 13:03:18 2017 Return-Path: X-Original-To: sunset4@ietfa.amsl.com Delivered-To: sunset4@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA4E2129B41 for ; Wed, 22 Feb 2017 13:03:16 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.902 X-Spam-Level: X-Spam-Status: No, score=-6.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GQbNcoPA0Zcp for ; Wed, 22 Feb 2017 13:03:15 -0800 (PST) Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 276C2129AAA for ; Wed, 22 Feb 2017 13:03:15 -0800 (PST) Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id BEA863494FE; Wed, 22 Feb 2017 21:03:11 +0000 (UTC) Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id A3A91160048; Wed, 22 Feb 2017 21:03:11 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 9126716006D; Wed, 22 Feb 2017 21:03:11 +0000 (UTC) Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id dR40f4WGH3sU; Wed, 22 Feb 2017 21:03:11 +0000 (UTC) Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id C3998160048; Wed, 22 Feb 2017 21:03:10 +0000 (UTC) Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 97EB36455CD0; Thu, 23 Feb 2017 08:03:05 +1100 (EST) To: "Marc Blanchet" From: Mark Andrews References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> <20170222143629.9E9C56454B08@rock.dv.isc.org> <8C2DC5DB-88CA-4541-BE50-C23088F77867@viagenie.ca> In-reply-to: Your message of "Wed, 22 Feb 2017 10:00:30 -0500." <8C2DC5DB-88CA-4541-BE50-C23088F77867@viagenie.ca> Date: Thu, 23 Feb 2017 08:03:05 +1100 Message-Id: <20170222210305.97EB36455CD0@rock.dv.isc.org> Archived-At: Cc: "sunset4@ietf.org" Subject: Re: [sunset4] future of dnssec? X-BeenThere: sunset4@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: sunset4 working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Feb 2017 21:03:16 -0000 In message <8C2DC5DB-88CA-4541-BE50-C23088F77867@viagenie.ca>, "Marc Blanchet" writes: > On 22 Feb 2017, at 9:36, Mark Andrews wrote: > > > In message , Ted Lemon > > writes: > >> > >> Nick, the solution to this is to do DNS64 in the validator. If the > >> validator is a stub resolver, do the DNS64 hack there. AFAIK the > >> technology to support this already exists. > > > > DNS64 really should just be made historic. It does not work with > > DNSSEC. There has NEVER been a NEED for NAT64 or DNS64. They > > provides NO BENEFIT over other methods. Every proported benefit > > turns out not to exist. > > > > Go do the comparitive analysis. > > I respectfully disagree. dual-stack incur many additional costs > operationally. deploying v6only infrastructure is more cost effective, > specially over the long run. nowadays, statistics show that a large > amount of trafic could be carried over IPv6, which means then that you > « just » need to care about the tail of the IPv4-only destinations, > which is where nat64/dns64 comes. But I guess you know all this. Stop with the knee jerk reactions. What gave you the idea that I wasn't talking about IPv6-only networks? So use DS-LITE in HOST MODE. The only DS with that is in the host which you cannot avoid if you are using IPv4 literals or is that too much dual stack. A little bit inside the node with a fixed IPv4 address. No routing. No address assignments. As I said NAT64/DNS64 does not provide any benefits that are not available via other IPv4 as a service mechanisms with the added benefit that you don't have to teach applications / OS stack about DNS64 prefix discovery to deal with IPv6 literals. For NAT64/DNS64 and 464XLAT in the host *every* DNSSEC validator in the DNS path needs to be taught how to do DNS64 prefix discovery and therefor that it need to lie about AAAA results whether or not they are going to be used for a IPv6 connection or not. Mark > Marc. > > > > >>> On Feb 22, 2017, at 7:23 AM, Heatley, Nick > >> wrote: > >>> > >>> Post exhaustion, the majority of cellular networks and some public > >>> wifi > >> networks will use DNS64. > >>> DNSSEC and DNS64 do not get along. DNSSEC for “A records only” > >>> is > >> broken. > >>> Is this the reason why all content must go v6? > >>> Or is the case for DNSSEC still questionable? > >>> Or do end hosts need to perform DNS64 so “DNSSEC for A records > >>> only” > >> can be intact? > >>> > >>> NOTICE AND DISCLAIMER > >>> This email contains BT information, which may be privileged or > >> confidential. It's meant only for the individual(s) or entity named > >> above. > >>> If you're not the intended recipient, note that disclosing, copying, > >> distributing or using this information is prohibited. > >>> If you've received this email in error, please let me know > >>> immediately > >> on the email address above. Thank you. > >>> > >>> We monitor our email system, and may record your emails. > >>> > >>> EE Limited > >>> Registered office:Trident Place, Mosquito Way, Hatfield, > >>> Hertfordshire, > >> AL10 9BW > >>> Registered in England no: 02382161 > >>> > >>> EE Limited is a wholly owned subsidiary of: > >>> > >>> British Telecommunications plc > >>> Registered office: 81 Newgate Street London EC1A 7AJ > >>> Registered in England no: 1800000 > >>> > >>> _______________________________________________ > >>> sunset4 mailing list > >>> sunset4@ietf.org > >>> https://www.ietf.org/mailman/listinfo/sunset4 > >> > > > > -- > > Mark Andrews, ISC > > 1 Seymour St., Dundas Valley, NSW 2117, Australia > > PHONE: +61 2 9871 4742 INTERNET: marka@isc.org > > > > _______________________________________________ > > sunset4 mailing list > > sunset4@ietf.org > > https://www.ietf.org/mailman/listinfo/sunset4 -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org From nobody Wed Feb 22 13:14:58 2017 Return-Path: X-Original-To: sunset4@ietfa.amsl.com Delivered-To: sunset4@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87FB0129B61 for ; Wed, 22 Feb 2017 13:14:57 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.902 X-Spam-Level: X-Spam-Status: No, score=-6.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xPOl5YkJbmhe for ; Wed, 22 Feb 2017 13:14:55 -0800 (PST) Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 455F1129B50 for ; Wed, 22 Feb 2017 13:14:55 -0800 (PST) Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 03309349422; Wed, 22 Feb 2017 21:14:52 +0000 (UTC) Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id DB497160048; Wed, 22 Feb 2017 21:14:51 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id B654F16006D; Wed, 22 Feb 2017 21:14:51 +0000 (UTC) Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id JMsakJRCmovm; Wed, 22 Feb 2017 21:14:51 +0000 (UTC) Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 951C1160048; Wed, 22 Feb 2017 21:14:50 +0000 (UTC) Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 04FD06455DBF; Thu, 23 Feb 2017 08:14:47 +1100 (EST) To: Ca By From: Mark Andrews References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> <20170222143629.9E9C56454B08@rock.dv.isc.org> In-reply-to: Your message of "Wed, 22 Feb 2017 16:19:40 -0000." Date: Thu, 23 Feb 2017 08:14:46 +1100 Message-Id: <20170222211447.04FD06455DBF@rock.dv.isc.org> Archived-At: Cc: "Heatley, Nick" , Ted Lemon , "sunset4@ietf.org" Subject: Re: [sunset4] future of dnssec? X-BeenThere: sunset4@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: sunset4 working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Feb 2017 21:14:57 -0000 In message , Ca By writes: > --f403045f4faec156e8054920dd00 > Content-Type: text/plain; charset=UTF-8 > Content-Transfer-Encoding: quoted-printable > > On Wed, Feb 22, 2017 at 6:36 AM Mark Andrews wrote: > > > > > In message , Ted Lemon > > writes: > > > > > > Nick, the solution to this is to do DNS64 in the validator. If the > > > validator is a stub resolver, do the DNS64 hack there. AFAIK the > > > technology to support this already exists. > > > > DNS64 really should just be made historic. It does not work with > > DNSSEC. There has NEVER been a NEED for NAT64 or DNS64. They > > provides NO BENEFIT over other methods. Every proported benefit > > turns out not to exist. > > > > Go do the comparitive analysis. > > > From a network with 10s of millions of nat64 users and zero dnssec, I > disagree and suggest dnssec move to historic since it is a ddos attack > vector and provides no privacy element and generally weak cryto ... also it > has caused many wide scale outages for networks that have elected to use > it. Well I was meaning to compare with other IPv4 as a service solutions but if you want to go here. DNSSEC issues are really no worse that any other DNS delegation misconfigurations that happen. Have you actually run behind a valdating DNSSEC resolver or are you looking in from the outside. DNSSEC really isn't that hard to do right. I've actually been running behind DNSSEC validating resolvers for a decade now using DNS data that is signed all the way down. Mark > > > > On Feb 22, 2017, at 7:23 AM, Heatley, Nick > > > wrote: > > > > > > > > Post exhaustion, the majority of cellular networks and some public wi= > fi > > > networks will use DNS64. > > > > DNSSEC and DNS64 do not get along. DNSSEC for =E2=80=9CA records only= > =E2=80=9D is > > > broken. > > > > Is this the reason why all content must go v6? > > > > Or is the case for DNSSEC still questionable? > > > > Or do end hosts need to perform DNS64 so =E2=80=9CDNSSEC for A record= > s only=E2=80=9D > > > can be intact? > > > > > > > > NOTICE AND DISCLAIMER > > > > This email contains BT information, which may be privileged or > > > confidential. It's meant only for the individual(s) or entity named > > > above. > > > > If you're not the intended recipient, note that disclosing, copying, > > > distributing or using this information is prohibited. > > > > If you've received this email in error, please let me know immediatel= > y > > > on the email address above. Thank you. > > > > > > > > We monitor our email system, and may record your emails. > > > > > > > > EE Limited > > > > Registered office:Trident Place, Mosquito Way, Hatfield, Hertfordshir= > e, > > > AL10 9BW > > > > Registered in England no: 02382161 > > > > > > > > EE Limited is a wholly owned subsidiary of: > > > > > > > > British Telecommunications plc > > > > Registered office: 81 Newgate Street London EC1A 7AJ > > > > Registered in England no: 1800000 > > > > > > > > _______________________________________________ > > > > sunset4 mailing list > > > > sunset4@ietf.org > > > > https://www.ietf.org/mailman/listinfo/sunset4 > > > > > > > -- > > Mark Andrews, ISC > > 1 Seymour St., Dundas Valley, NSW 2117, Australia > > PHONE: +61 2 9871 4742 INTERNET: marka@isc.org > > > > _______________________________________________ > > sunset4 mailing list > > sunset4@ietf.org > > https://www.ietf.org/mailman/listinfo/sunset4 > > > > --f403045f4faec156e8054920dd00 > Content-Type: text/html; charset=UTF-8 > Content-Transfer-Encoding: quoted-printable > >

On Wed, Feb 22, 2017 at 6:36 AM Ma= > rk Andrews <marka@isc.org> wrote= > :

der-left:1px #ccc solid;padding-left:1ex">
> In message < .com" class=3D"gmail_msg" target=3D"_blank">B5E8C545-55B9-4ECB-B0C8-C3EEFEE= > CD320@fugue.com>, Ted Lemon writes:
> >
> > Nick, the solution to this is to do DNS64 in the validator.=C2=A0 =C2= > =A0If the
> > validator is a stub resolver, do the DNS64 hack there.=C2=A0 =C2=A0AFA= > IK the
> > technology to support this already exists.
>
> DNS64 really should just be made historic.=C2=A0 It does not work with
lass=3D"gmail_msg"> > DNSSEC.=C2=A0 There has NEVER been a NEED for NAT64 or DNS64.=C2=A0 They class=3D"gmail_msg"> > provides NO BENEFIT over other methods.=C2=A0 Every proported benefit
ass=3D"gmail_msg"> > turns out not to exist.
>
> Go do the comparitive analysis.

From a netw= > ork with 10s of millions of nat64 users and zero dnssec, I disagree and sug= > gest dnssec move to historic since it is a ddos attack vector and provides = > no privacy element and generally weak cryto ... also it has caused many wid= > e scale outages for networks that have elected to use it.=C2=A0

<= > br>

0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
sg"> >
> > > On Feb 22, 2017, at 7:23 AM, Heatley, Nick < nick.heatley@ee.co.uk" class=3D"gmail_msg" target=3D"_blank">nick.heatley@e= > e.co.uk>
> > wrote:
> > >
> > > Post exhaustion, the majority of cellular networks and some publi= > c wifi
> > networks will use DNS64.
> > > DNSSEC and DNS64 do not get along. DNSSEC for =E2=80=9CA records = > only=E2=80=9D is
> > broken.
> > > Is this the reason why all content must go v6?
msg"> > > > Or is the case for DNSSEC still questionable?
sg"> > > > Or do end hosts need to perform DNS64 so =E2=80=9CDNSSEC for A re= > cords only=E2=80=9D
> > can be intact?
> > >
> > > NOTICE AND DISCLAIMER
> > > This email contains BT information, which may be privileged or class=3D"gmail_msg"> > > confidential. It's meant only for the individual(s) or entity name= > d
> > above.
> > > If you're not the intended recipient, note that disclosing, c= > opying,
> > distributing or using this information is prohibited.
l_msg"> > > > If you've received this email in error, please let me know im= > mediately
> > on the email address above. Thank you.
> > >
> > > We monitor our email system, and may record your emails.
=3D"gmail_msg"> > > >
> > > EE Limited
> > > Registered office:Trident Place, Mosquito Way, Hatfield, Hertford= > shire,
> > AL10 9BW
> > > Registered in England no: 02382161
> > >
> > > EE Limited is a wholly owned subsidiary of:
"> > > >
> > > British Telecommunications plc
> > > Registered office: 81 Newgate Street London EC1A 7AJ
gmail_msg"> > > > Registered in England no: 1800000
> > >
> > > _______________________________________________
_msg"> > > > sunset4 mailing list
> > > "_blank">sunset4@ietf.org <mailto: " class=3D"gmail_msg" target=3D"_blank">sunset4@ietf.org>
=3D"gmail_msg"> > > > noreferrer" class=3D"gmail_msg" target=3D"_blank">https://www.ietf.org/mail= > man/listinfo/sunset4
> > < oreferrer" class=3D"gmail_msg" target=3D"_blank">https://www.ietf.org/mailm= > an/listinfo/sunset4>
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= > =A0 =C2=A0INTERNET: rget=3D"_blank">marka@isc.org
>
> _______________________________________________
> sunset4 mailing list
> s= > unset4@ietf.org
> " class=3D"gmail_msg" target=3D"_blank">https://www.ietf.org/mailman/listin= > fo/sunset4
>

> > --f403045f4faec156e8054920dd00-- -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org From nobody Wed Feb 22 13:21:31 2017 Return-Path: X-Original-To: sunset4@ietfa.amsl.com Delivered-To: sunset4@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7EB5129B5A for ; Wed, 22 Feb 2017 13:21:29 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.902 X-Spam-Level: X-Spam-Status: No, score=-6.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id owI5cazBUppR for ; Wed, 22 Feb 2017 13:21:29 -0800 (PST) Received: from mx.ams1.isc.org (mx.ams1.isc.org [199.6.1.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED924129B55 for ; Wed, 22 Feb 2017 13:21:28 -0800 (PST) Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.ams1.isc.org (Postfix) with ESMTPS id 911E324AE08; Wed, 22 Feb 2017 21:20:09 +0000 (UTC) Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 6ECA816006E; Wed, 22 Feb 2017 21:20:08 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 5812916006D; Wed, 22 Feb 2017 21:20:08 +0000 (UTC) Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id rlwkKPEREtz8; Wed, 22 Feb 2017 21:20:08 +0000 (UTC) Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id D4D6F160048; Wed, 22 Feb 2017 21:20:07 +0000 (UTC) Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 9F5E46455E2A; Thu, 23 Feb 2017 08:20:04 +1100 (EST) To: Ted Lemon From: Mark Andrews References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> <20170222143629.9E9C56454B08@rock.dv.isc.org> In-reply-to: Your message of "Wed, 22 Feb 2017 11:35:26 -0500." Date: Thu, 23 Feb 2017 08:20:04 +1100 Message-Id: <20170222212004.9F5E46455E2A@rock.dv.isc.org> Archived-At: Cc: "Heatley, Nick" , "sunset4@ietf.org" Subject: Re: [sunset4] future of dnssec? X-BeenThere: sunset4@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: sunset4 working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Feb 2017 21:21:30 -0000 In message , Ted Lemon writes: > > On Feb 22, 2017, at 9:36 AM, Mark Andrews wrote: > > DNS64 really should just be made historic. It does not work with > > DNSSEC. There has NEVER been a NEED for NAT64 or DNS64. They > > provides NO BENEFIT over other methods. Every proported benefit > > turns out not to exist. > > (A) I find NAT64 to be a very convenient solution, and best of all it = > tests IPv6 functionality in apps, so I know which apps will not work on = > a v6-only network. > (B) DNS64 works _fine_ with DNSSEC as long as you do the DNS64 = > translation _after you validate_. And have managed to update EVERY DNSSEC validator in the DNS path from the DNS64 server to the final DNSSEC validator to do DNS64 prefix discovery and that you are willing to forego any other use of AAAA records other than to lookup host addresses. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org From nobody Wed Feb 22 13:23:54 2017 Return-Path: X-Original-To: sunset4@ietfa.amsl.com Delivered-To: sunset4@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1947129B70 for ; Wed, 22 Feb 2017 13:23:52 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.6 X-Spam-Level: X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kj8d9hSvyc_1 for ; Wed, 22 Feb 2017 13:23:51 -0800 (PST) Received: from mail-qk0-x22b.google.com (mail-qk0-x22b.google.com [IPv6:2607:f8b0:400d:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39FA9129B6E for ; Wed, 22 Feb 2017 13:23:51 -0800 (PST) Received: by mail-qk0-x22b.google.com with SMTP id x71so15374844qkb.3 for ; Wed, 22 Feb 2017 13:23:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=X+CqmyYspBd8yc+EOwGd1qusvyqfM88XzpdKfojlJO4=; b=nwKqfbEu6IjFSSRg24byT8Z3RZyktVV4rvQeKluCZXfviOPSMU0GeK7VII9v7moo2T QOWT+Ve009jWTQoqFwN2wDZ8KJBmxwCl5pEnF8eKFmjEBe5eIhuwM5ltwxjEb8BbVgy3 yjtFjIzpsvMtzaYrlW60THFKpe2H5GdLZFDXBX3SGeoTO/1qhTola2bEmioax3Qj3U4D 1kMXdzB1IctX1cnvmmaXPhlvyu0oJcByLgSSRObCwc9hb0cIvZ8HwzzvWtlX59Ir7twh flWdlLEJvqmdxA4SNPftae/hu3JZi05m8hjCnMRIJGmPI4hmjshKvJJKjkYGt3YIg6kx TjbQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=X+CqmyYspBd8yc+EOwGd1qusvyqfM88XzpdKfojlJO4=; b=aCVRSV5FNVMUQCeYXxBRL270gJDgYv1bJR6jVb5j4yWiyjksDCHScHqUt9NNyHalIU igJk+NygYpiL4eEQZ2wSn1bue10jR57QI9lFrqFeEZWkGJzaHnGgHHaHgTTNqETO81cs Lq/acc99n8LsHAY6x0etlzHfOO4kNVndl4elVN+IIRFxvsoKdI3b99Vx+Uo3vDQfh+KH Hh/8YD0RtbcDjssJHZTBbiMFVAqSbFotbnNrWCfAiQSZiAwwiNVWjRcgyngoOrhQdDKl ZvaXDALvYFpPG1Io2YEr2fA7VbcXiKD5HWyTXHYDVzAXStaKw+7HbgEpX5WhKKb8Kdyk IChA== X-Gm-Message-State: AMke39nvmhDr1JP6oDEWsD2g+73D/aESMj/8ByCr5FkinaH38L9pkOdT7SAQyPt8O4eMOA== X-Received: by 10.55.88.66 with SMTP id m63mr34609470qkb.270.1487798630346; Wed, 22 Feb 2017 13:23:50 -0800 (PST) Received: from [192.168.1.228] (c-73-167-64-188.hsd1.ma.comcast.net. [73.167.64.188]) by smtp.gmail.com with ESMTPSA id 45sm1454045qts.40.2017.02.22.13.23.48 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 22 Feb 2017 13:23:49 -0800 (PST) From: Ted Lemon Message-Id: <6645ABEB-D7FD-4FDC-ACF8-332EB230BCB4@fugue.com> Content-Type: multipart/alternative; boundary="Apple-Mail=_1C986E76-CD55-4CE4-8AD1-8676639431C4" Mime-Version: 1.0 (Mac OS X Mail 10.2 $3259$) Date: Wed, 22 Feb 2017 16:23:47 -0500 In-Reply-To: <20170222212004.9F5E46455E2A@rock.dv.isc.org> To: Mark Andrews References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> <20170222143629.9E9C56454B08@rock.dv.isc.org> <20170222212004.9F5E46455E2A@rock.dv.isc.org> X-Mailer: Apple Mail (2.3259) Archived-At: Cc: "Heatley, Nick" , "sunset4@ietf.org" Subject: Re: [sunset4] future of dnssec? X-BeenThere: sunset4@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: sunset4 working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Feb 2017 21:23:53 -0000 --Apple-Mail=_1C986E76-CD55-4CE4-8AD1-8676639431C4 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii On Feb 22, 2017, at 4:20 PM, Mark Andrews wrote: > And have managed to update EVERY DNSSEC validator in the DNS path > from the DNS64 server to the final DNSSEC validator to do DNS64 > prefix discovery and that you are willing to forego any other use > of AAAA records other than to lookup host addresses. Given that the number of such validators is typically zero, this isn't a = particularly daunting task. --Apple-Mail=_1C986E76-CD55-4CE4-8AD1-8676639431C4 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=us-ascii On Feb 22, 2017, at 4:20 PM, Mark Andrews <marka@isc.org> = wrote:

And have managed to update EVERY DNSSEC = validator in the DNS path
from the DNS64 server to the final DNSSEC = validator to do DNS64
prefix discovery and that you are willing = to forego any other use
of AAAA records other than to lookup host = addresses.

Given that the number of such validators is typically zero, = this isn't a particularly daunting task.

= --Apple-Mail=_1C986E76-CD55-4CE4-8AD1-8676639431C4-- From nobody Thu Feb 23 02:53:36 2017 Return-Path: X-Original-To: sunset4@ietfa.amsl.com Delivered-To: sunset4@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07E951294B2 for ; Thu, 23 Feb 2017 02:53:36 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.087 X-Spam-Level: X-Spam-Status: No, score=-6.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-1.887, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id crIWY09l39lo for ; Thu, 23 Feb 2017 02:53:34 -0800 (PST) Received: from mail1.bemta6.messagelabs.com (mail1.bemta6.messagelabs.com [193.109.254.111]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27F71129480 for ; Thu, 23 Feb 2017 02:53:33 -0800 (PST) Received: from [193.109.254.147] by server-7.bemta-6.messagelabs.com id 54/48-24539-C2FBEA85; Thu, 23 Feb 2017 10:53:32 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprLKsWRWlGSWpSXmKPExsUy9d9HH13t/es iDCYt17HoWrGH2eLKi/ssFiv37Gd3YPZYsuQnk8eDx++YPdZ9MA9gjmLNzEvKr0hgzfi8ZBZT wTGLipWtl5gaGF+YdzFycQgJbGGUeLKghQXCOcAosanlFTOEc4pR4vC3eYxdjJwcbAK6Eu2zV jGD2CIC3hLPTjWxgtjMApoSDR0XmEBsYQENiXe7jwHZHEA1mhLTP3pClPtJPDu0HmwMi4CqxJ IP38BsXoFQiY3Xd0EtnskksenTO7D5nAJWEsd2PmUHsRkFZCW+NK5mhtglLnHryXywXRICAhJ L9pxnhrBFJV4+/scKYStIXFrUxQpyA8ht63fpQ7QqSkzpfsgOsVdQ4uTMJywTGEVnIZk6C6Fj FpKOWUg6FjCyrGLUKE4tKkst0jU00EsqykzPKMlNzMwB8sz0clOLixPTU3MSk4r1kvNzNzECo 4oBCHYw3lsWcIhRkoNJSZTXZ8+6CCG+pPyUyozE4oz4otKc1OJDjDIcHEoSvP77gHKCRanpqR VpmTnA+IZJS3DwKInwmoCkeYsLEnOLM9MhUqcYdTmObD7yhkmIJS8/L1VKnDcapEgApCijNA9 uBCzVXGKUlRLmZQQ6SoinILUoN7MEVf4VozgHo5Iw75G9QFN4MvNK4Da9AjqCCegIS+e1IEeU JCKkpBoYV7KXF1106Y/f8qFtVfQu5epb4jNezC1Jd3276NueggmGZ753JYdULj4he7Hq8HGDF J75t89J7V04sXKNLc/fd0bvAxjzb23kb/AK0l6pe+zlZt/sqxynj22IP1byxvy8VenaZJXeqe av7/ismtj48cC2aWsfFFVek3RV3HWjXTtFe/dk85XOLUosxRmJhlrMRcWJAN5ho78wAwAA X-Env-Sender: nick.heatley@ee.co.uk X-Msg-Ref: server-15.tower-27.messagelabs.com!1487847211!35633879!1 X-Originating-IP: [149.254.241.76] X-StarScan-Received: X-StarScan-Version: 9.2.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 55454 invoked from network); 23 Feb 2017 10:53:31 -0000 Received: from unknown (HELO smtpml01.ee.co.uk) (149.254.241.76) by server-15.tower-27.messagelabs.com with DHE-RSA-AES256-GCM-SHA384 encrypted SMTP; 23 Feb 2017 10:53:31 -0000 Received: from EEUKWV0941.EEAD.EEINT.CO.UK (Not Verified[10.246.209.218]) by smtpml01.ee.co.uk with Trustwave SEG (v7, 5, 6, 8438) id ; Thu, 23 Feb 2017 10:53:25 +0000 Received: from UK31S005EXS02.EEAD.EEINT.CO.UK (Not Verified[10.246.208.27]) by EEUKWV0941.EEAD.EEINT.CO.UK with Trustwave SEG (v7, 3, 6, 7949) id ; Thu, 23 Feb 2017 10:53:30 +0000 Received: from UK30S005EXS06.EEAD.EEINT.CO.UK ([fe80::314c:b96c:4a9a:8a79]) by UK31S005EXS02.EEAD.EEINT.CO.UK ([2002:1ef6:d01b::1ef6:d01b]) with mapi id 14.03.0279.002; Thu, 23 Feb 2017 10:53:30 +0000 From: "Heatley, Nick" To: Mark Andrews , Marc Blanchet Thread-Topic: [sunset4] future of dnssec? Thread-Index: AdKNBnRIe2inw1ZcRtC42Vzko3pn/gADhDcAAAEj9/oAANTjAAAMrNV3ABzaT4A= Date: Thu, 23 Feb 2017 10:53:30 +0000 Message-ID: <6536E263028723489CCD5B6821D4B21334D5732A@UK30S005EXS06.EEAD.EEINT.CO.UK> References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> <20170222143629.9E9C56454B08@rock.dv.isc.org> <8C2DC5DB-88CA-4541-BE50-C23088F77867@viagenie.ca> <20170222210305.97EB36455CD0@rock.dv.isc.org> In-Reply-To: <20170222210305.97EB36455CD0@rock.dv.isc.org> Accept-Language: en-GB, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.246.208.5] Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 MIME-Version: 1.0 Archived-At: Cc: "sunset4@ietf.org" Subject: Re: [sunset4] future of dnssec? X-BeenThere: sunset4@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: sunset4 working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Feb 2017 10:53:36 -0000 U29tZSBuZXR3b3JrcyBkbyBub3Qgd29yayBzdWNjZXNzZnVsbHkgd2l0aCB0aGUgYWRkaXRpb25h bCBlbmNhcHN1bGF0aW9uLg0KTW9iaWxlIG5ldHdvcmtzIGFyZSB0aGUgY2FzZSBpbiBwb2ludC4N ClNvIHRoZSB0cmFuc2xhdGlvbiB0ZWNoIHJpZ2h0ZnVsbHkgZXhpc3RzLg0KDQoNCi0tLS0tT3Jp Z2luYWwgTWVzc2FnZS0tLS0tDQpGcm9tOiBzdW5zZXQ0IFttYWlsdG86c3Vuc2V0NC1ib3VuY2Vz QGlldGYub3JnXSBPbiBCZWhhbGYgT2YgTWFyayBBbmRyZXdzDQpTZW50OiAyMiBGZWJydWFyeSAy MDE3IDIxOjAzDQpUbzogTWFyYyBCbGFuY2hldA0KQ2M6IHN1bnNldDRAaWV0Zi5vcmcNClN1Ympl Y3Q6IFJlOiBbc3Vuc2V0NF0gZnV0dXJlIG9mIGRuc3NlYz8NCg0KDQpJbiBtZXNzYWdlIDw4QzJE QzVEQi04OENBLTQ1NDEtQkU1MC1DMjMwODhGNzc4NjdAdmlhZ2VuaWUuY2E+LCAiTWFyYyBCbGFu Y2hldCIgDQp3cml0ZXM6DQo+IE9uIDIyIEZlYiAyMDE3LCBhdCA5OjM2LCBNYXJrIEFuZHJld3Mg d3JvdGU6DQo+IA0KPiA+IEluIG1lc3NhZ2UgPEI1RThDNTQ1LTU1QjktNEVDQi1CMEM4LUMzRUVG RUVDRDMyMEBmdWd1ZS5jb20+LCBUZWQgDQo+ID4gTGVtb24NCj4gPiB3cml0ZXM6DQo+ID4+DQo+ ID4+IE5pY2ssIHRoZSBzb2x1dGlvbiB0byB0aGlzIGlzIHRvIGRvIEROUzY0IGluIHRoZSB2YWxp ZGF0b3IuICAgSWYgdGhlDQo+ID4+IHZhbGlkYXRvciBpcyBhIHN0dWIgcmVzb2x2ZXIsIGRvIHRo ZSBETlM2NCBoYWNrIHRoZXJlLiAgIEFGQUlLIHRoZQ0KPiA+PiB0ZWNobm9sb2d5IHRvIHN1cHBv cnQgdGhpcyBhbHJlYWR5IGV4aXN0cy4NCj4gPg0KPiA+IEROUzY0IHJlYWxseSBzaG91bGQganVz dCBiZSBtYWRlIGhpc3RvcmljLiAgSXQgZG9lcyBub3Qgd29yayB3aXRoIA0KPiA+IEROU1NFQy4g IFRoZXJlIGhhcyBORVZFUiBiZWVuIGEgTkVFRCBmb3IgTkFUNjQgb3IgRE5TNjQuICBUaGV5IA0K PiA+IHByb3ZpZGVzIE5PIEJFTkVGSVQgb3ZlciBvdGhlciBtZXRob2RzLiAgRXZlcnkgcHJvcG9y dGVkIGJlbmVmaXQgDQo+ID4gdHVybnMgb3V0IG5vdCB0byBleGlzdC4NCj4gPg0KPiA+IEdvIGRv IHRoZSBjb21wYXJpdGl2ZSBhbmFseXNpcy4NCj4gDQo+IEkgcmVzcGVjdGZ1bGx5IGRpc2FncmVl LiBkdWFsLXN0YWNrIGluY3VyIG1hbnkgYWRkaXRpb25hbCBjb3N0cyANCj4gb3BlcmF0aW9uYWxs eS4gZGVwbG95aW5nIHY2b25seSBpbmZyYXN0cnVjdHVyZSBpcyBtb3JlIGNvc3QgZWZmZWN0aXZl LCANCj4gc3BlY2lhbGx5IG92ZXIgdGhlIGxvbmcgcnVuLiBub3dhZGF5cywgc3RhdGlzdGljcyBz aG93IHRoYXQgYSBsYXJnZSANCj4gYW1vdW50IG9mIHRyYWZpYyBjb3VsZCBiZSBjYXJyaWVkIG92 ZXIgSVB2Niwgd2hpY2ggbWVhbnMgdGhlbiB0aGF0IHlvdSANCj4gwqvCoGp1c3TCoMK7IG5lZWQg dG8gY2FyZSBhYm91dCB0aGUgdGFpbCBvZiB0aGUgSVB2NC1vbmx5IGRlc3RpbmF0aW9ucywgDQo+ IHdoaWNoIGlzIHdoZXJlIG5hdDY0L2RuczY0IGNvbWVzLiBCdXQgSSBndWVzcyB5b3Uga25vdyBh bGwgdGhpcy4NCg0KU3RvcCB3aXRoIHRoZSBrbmVlIGplcmsgcmVhY3Rpb25zLiAgV2hhdCBnYXZl IHlvdSB0aGUgaWRlYSB0aGF0IEkgd2Fzbid0IHRhbGtpbmcgYWJvdXQgSVB2Ni1vbmx5IG5ldHdv cmtzPw0KDQpTbyB1c2UgRFMtTElURSBpbiBIT1NUIE1PREUuICBUaGUgb25seSBEUyB3aXRoIHRo YXQgaXMgaW4gdGhlIGhvc3Qgd2hpY2ggeW91IGNhbm5vdCBhdm9pZCBpZiB5b3UgYXJlIHVzaW5n IElQdjQgbGl0ZXJhbHMgb3IgaXMgdGhhdCB0b28gbXVjaCBkdWFsIHN0YWNrLiAgQSBsaXR0bGUg Yml0IGluc2lkZSB0aGUgbm9kZSB3aXRoIGEgZml4ZWQNCklQdjQgYWRkcmVzcy4gIE5vIHJvdXRp bmcuICBObyBhZGRyZXNzIGFzc2lnbm1lbnRzLg0KDQpBcyBJIHNhaWQgTkFUNjQvRE5TNjQgZG9l cyBub3QgcHJvdmlkZSBhbnkgYmVuZWZpdHMgdGhhdCBhcmUgbm90IGF2YWlsYWJsZSB2aWEgb3Ro ZXIgSVB2NCBhcyBhIHNlcnZpY2UgbWVjaGFuaXNtcyB3aXRoIHRoZSBhZGRlZCBiZW5lZml0IHRo YXQgeW91IGRvbid0IGhhdmUgdG8gdGVhY2ggYXBwbGljYXRpb25zIC8gT1Mgc3RhY2sgYWJvdXQN CkROUzY0IHByZWZpeCBkaXNjb3ZlcnkgdG8gZGVhbCB3aXRoIElQdjYgbGl0ZXJhbHMuDQoNCkZv ciBOQVQ2NC9ETlM2NCBhbmQgNDY0WExBVCBpbiB0aGUgaG9zdCAqZXZlcnkqIEROU1NFQyB2YWxp ZGF0b3IgaW4gdGhlIEROUyBwYXRoIG5lZWRzIHRvIGJlIHRhdWdodCBob3cgdG8gZG8gRE5TNjQg cHJlZml4IGRpc2NvdmVyeSBhbmQgdGhlcmVmb3IgdGhhdCBpdCBuZWVkIHRvIGxpZSBhYm91dCBB QUFBIHJlc3VsdHMgd2hldGhlciBvciBub3QgdGhleSBhcmUgZ29pbmcgdG8gYmUgdXNlZCBmb3Ig YSBJUHY2IGNvbm5lY3Rpb24gb3Igbm90Lg0KDQpNYXJrDQoNCj4gTWFyYy4NCj4gDQo+ID4NCj4g Pj4+IE9uIEZlYiAyMiwgMjAxNywgYXQgNzoyMyBBTSwgSGVhdGxleSwgTmljayA8bmljay5oZWF0 bGV5QGVlLmNvLnVrPg0KPiA+PiB3cm90ZToNCj4gPj4+DQo+ID4+PiBQb3N0IGV4aGF1c3Rpb24s IHRoZSBtYWpvcml0eSBvZiBjZWxsdWxhciBuZXR3b3JrcyBhbmQgc29tZSBwdWJsaWMgDQo+ID4+ PiB3aWZpDQo+ID4+IG5ldHdvcmtzIHdpbGwgdXNlIEROUzY0Lg0KPiA+Pj4gRE5TU0VDIGFuZCBE TlM2NCBkbyBub3QgZ2V0IGFsb25nLiBETlNTRUMgZm9yIOKAnEEgcmVjb3JkcyBvbmx54oCdIA0K PiA+Pj4gaXMNCj4gPj4gYnJva2VuLg0KPiA+Pj4gSXMgdGhpcyB0aGUgcmVhc29uIHdoeSBhbGwg Y29udGVudCBtdXN0IGdvIHY2Pw0KPiA+Pj4gT3IgaXMgdGhlIGNhc2UgZm9yIEROU1NFQyBzdGls bCBxdWVzdGlvbmFibGU/DQo+ID4+PiBPciBkbyBlbmQgaG9zdHMgbmVlZCB0byBwZXJmb3JtIERO UzY0IHNvIOKAnEROU1NFQyBmb3IgQSByZWNvcmRzIA0KPiA+Pj4gb25seeKAnQ0KPiA+PiBjYW4g YmUgaW50YWN0Pw0KPiA+Pj4NCj4gPj4+IE5PVElDRSBBTkQgRElTQ0xBSU1FUg0KPiA+Pj4gVGhp cyBlbWFpbCBjb250YWlucyBCVCBpbmZvcm1hdGlvbiwgd2hpY2ggbWF5IGJlIHByaXZpbGVnZWQg b3INCj4gPj4gY29uZmlkZW50aWFsLiBJdCdzIG1lYW50IG9ubHkgZm9yIHRoZSBpbmRpdmlkdWFs KHMpIG9yIGVudGl0eSBuYW1lZCANCj4gPj4gYWJvdmUuDQo+ID4+PiBJZiB5b3UncmUgbm90IHRo ZSBpbnRlbmRlZCByZWNpcGllbnQsIG5vdGUgdGhhdCBkaXNjbG9zaW5nLCANCj4gPj4+IGNvcHlp bmcsDQo+ID4+IGRpc3RyaWJ1dGluZyBvciB1c2luZyB0aGlzIGluZm9ybWF0aW9uIGlzIHByb2hp Yml0ZWQuDQo+ID4+PiBJZiB5b3UndmUgcmVjZWl2ZWQgdGhpcyBlbWFpbCBpbiBlcnJvciwgcGxl YXNlIGxldCBtZSBrbm93IA0KPiA+Pj4gaW1tZWRpYXRlbHkNCj4gPj4gb24gdGhlIGVtYWlsIGFk ZHJlc3MgYWJvdmUuIFRoYW5rIHlvdS4NCj4gPj4+DQo+ID4+PiBXZSBtb25pdG9yIG91ciBlbWFp bCBzeXN0ZW0sIGFuZCBtYXkgcmVjb3JkIHlvdXIgZW1haWxzLg0KPiA+Pj4NCj4gPj4+IEVFIExp bWl0ZWQNCj4gPj4+IFJlZ2lzdGVyZWQgb2ZmaWNlOlRyaWRlbnQgUGxhY2UsIE1vc3F1aXRvIFdh eSwgSGF0ZmllbGQsIA0KPiA+Pj4gSGVydGZvcmRzaGlyZSwNCj4gPj4gQUwxMCA5QlcNCj4gPj4+ IFJlZ2lzdGVyZWQgaW4gRW5nbGFuZCBubzogMDIzODIxNjENCj4gPj4+DQo+ID4+PiBFRSBMaW1p dGVkIGlzIGEgd2hvbGx5IG93bmVkIHN1YnNpZGlhcnkgb2Y6DQo+ID4+Pg0KPiA+Pj4gQnJpdGlz aCBUZWxlY29tbXVuaWNhdGlvbnMgcGxjDQo+ID4+PiBSZWdpc3RlcmVkIG9mZmljZTogODEgTmV3 Z2F0ZSBTdHJlZXQgTG9uZG9uIEVDMUEgN0FKIFJlZ2lzdGVyZWQgaW4gDQo+ID4+PiBFbmdsYW5k IG5vOiAxODAwMDAwDQo+ID4+Pg0KPiA+Pj4gX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX18NCj4gPj4+IHN1bnNldDQgbWFpbGluZyBsaXN0DQo+ID4+PiBzdW5z ZXQ0QGlldGYub3JnIDxtYWlsdG86c3Vuc2V0NEBpZXRmLm9yZz4NCj4gPj4+IGh0dHBzOi8vd3d3 LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vc3Vuc2V0NA0KPiA+PiA8aHR0cHM6Ly93d3cuaWV0 Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9zdW5zZXQ0Pg0KPiA+DQo+ID4gLS0NCj4gPiBNYXJrIEFu ZHJld3MsIElTQw0KPiA+IDEgU2V5bW91ciBTdC4sIER1bmRhcyBWYWxsZXksIE5TVyAyMTE3LCBB dXN0cmFsaWENCj4gPiBQSE9ORTogKzYxIDIgOTg3MSA0NzQyICAgICAgICAgICAgICAgICBJTlRF Uk5FVDogbWFya2FAaXNjLm9yZw0KPiA+DQo+ID4gX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX18NCj4gPiBzdW5zZXQ0IG1haWxpbmcgbGlzdA0KPiA+IHN1bnNl dDRAaWV0Zi5vcmcNCj4gPiBodHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL3N1 bnNldDQNCi0tDQpNYXJrIEFuZHJld3MsIElTQw0KMSBTZXltb3VyIFN0LiwgRHVuZGFzIFZhbGxl eSwgTlNXIDIxMTcsIEF1c3RyYWxpYQ0KUEhPTkU6ICs2MSAyIDk4NzEgNDc0MiAgICAgICAgICAg ICAgICAgSU5URVJORVQ6IG1hcmthQGlzYy5vcmcNCg0KDQpOT1RJQ0UgQU5EIERJU0NMQUlNRVIN ClRoaXMgZW1haWwgY29udGFpbnMgQlQgaW5mb3JtYXRpb24sIHdoaWNoIG1heSBiZSBwcml2aWxl Z2VkIG9yIGNvbmZpZGVudGlhbC4gSXQncyBtZWFudCBvbmx5IGZvciB0aGUgaW5kaXZpZHVhbChz KSBvciBlbnRpdHkgbmFtZWQgYWJvdmUuIA0KSWYgeW91J3JlIG5vdCB0aGUgaW50ZW5kZWQgcmVj aXBpZW50LCBub3RlIHRoYXQgZGlzY2xvc2luZywgY29weWluZywgZGlzdHJpYnV0aW5nIG9yIHVz aW5nIHRoaXMgaW5mb3JtYXRpb24gaXMgcHJvaGliaXRlZC4gDQpJZiB5b3UndmUgcmVjZWl2ZWQg dGhpcyBlbWFpbCBpbiBlcnJvciwgcGxlYXNlIGxldCBtZSBrbm93IGltbWVkaWF0ZWx5IG9uIHRo ZSBlbWFpbCBhZGRyZXNzIGFib3ZlLiBUaGFuayB5b3UuDQoNCldlIG1vbml0b3Igb3VyIGVtYWls IHN5c3RlbSwgYW5kIG1heSByZWNvcmQgeW91ciBlbWFpbHMuDQoNCkVFIExpbWl0ZWQgDQpSZWdp c3RlcmVkIG9mZmljZTpUcmlkZW50IFBsYWNlLCBNb3NxdWl0byBXYXksIEhhdGZpZWxkLCBIZXJ0 Zm9yZHNoaXJlLCBBTDEwIDlCVw0KUmVnaXN0ZXJlZCBpbiBFbmdsYW5kIG5vOiAwMjM4MjE2MQ0K DQpFRSBMaW1pdGVkIGlzIGEgd2hvbGx5IG93bmVkIHN1YnNpZGlhcnkgb2Y6DQoNCkJyaXRpc2gg VGVsZWNvbW11bmljYXRpb25zIHBsYw0KUmVnaXN0ZXJlZCBvZmZpY2U6IDgxIE5ld2dhdGUgU3Ry ZWV0IExvbmRvbiBFQzFBIDdBSg0KUmVnaXN0ZXJlZCBpbiBFbmdsYW5kIG5vOiAxODAwMDAwDQo= From nobody Thu Feb 23 05:07:04 2017 Return-Path: X-Original-To: sunset4@ietfa.amsl.com Delivered-To: sunset4@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A38E12A1BC for ; Thu, 23 Feb 2017 05:07:04 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.901 X-Spam-Level: X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HHKhKpWzAjUV for ; Thu, 23 Feb 2017 05:07:02 -0800 (PST) Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6EE612A1B5 for ; Thu, 23 Feb 2017 05:07:02 -0800 (PST) Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id D2D723493ED; Thu, 23 Feb 2017 13:06:58 +0000 (UTC) Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id A933416004F; Thu, 23 Feb 2017 13:06:58 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 90F3B160053; Thu, 23 Feb 2017 13:06:58 +0000 (UTC) Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Zs2-ZrmgHFQn; Thu, 23 Feb 2017 13:06:58 +0000 (UTC) Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id A6FB716004F; Thu, 23 Feb 2017 13:06:57 +0000 (UTC) Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 4D3A664684D7; Fri, 24 Feb 2017 00:06:52 +1100 (EST) To: "Heatley, Nick" From: Mark Andrews References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> <20170222143629.9E9C56454B08@rock.dv.isc.org> <8C2DC5DB-88CA-4541-BE50-C23088F77867@viagenie.ca> <20170222210305.97EB36455CD0@rock.dv.isc.org> <6536E263028723489CCD5B6821D4B21334D5732A@UK30S005EXS06.EEAD.EEINT.CO.UK> In-reply-to: Your message of "Thu, 23 Feb 2017 10:53:30 -0000." <6536E263028723489CCD5B6821D4B21334D5732A@UK30S005EXS06.EEAD.EEINT.CO.UK> Date: Fri, 24 Feb 2017 00:06:52 +1100 Message-Id: <20170223130652.4D3A664684D7@rock.dv.isc.org> Archived-At: Cc: Marc Blanchet , "sunset4@ietf.org" Subject: Re: [sunset4] future of dnssec? X-BeenThere: sunset4@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: sunset4 working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Feb 2017 13:07:04 -0000 In message <6536E263028723489CCD5B6821D4B21334D5732A@UK30S005EXS06.EEAD.EEINT.C O.UK>, "Heatley, Nick" writes: > Some networks do not work successfully with the additional encapsulation. > Mobile networks are the case in point. > So the translation tech rightfully exists. 464XLAT is encapsulation with translation. It drops the IPv4 path MTU from 1500 to 1480. DS-Lite drops the IPv4 MTU to 1460. You can't avoid the issue with tethered equipement. For TCP connection initiatiate from the host you shouldn't be seeing PMTU issues with either 464XLAT or DS-Lite as both should be presenting iterface MTU that doesn't result in PTB's being generated by the teco's equipement. For 464XLAT the mss should be that of IPv6. For DS-Lite in the host mode the mss should be 20 bytes smaller. Or can't the phone manufactures actually do DS-Lite host mode properly if they were to try? Encapsulation in the connection initiating device is different to encapsulation in the middle of the path. You start out with a smaller MTU. Mark > -----Original Message----- > From: sunset4 mailto:sunset4-bounces@ietf.org On Behalf Of Mark Andrews > Sent: 22 February 2017 21:03 > To: Marc Blanchet > Cc: sunset4@ietf.org > Subject: Re: sunset4 future of dnssec? > > > In message <8C2DC5DB-88CA-4541-BE50-C23088F77867@viagenie.ca>, "Marc > Blanchet" > writes: > > On 22 Feb 2017, at 9:36, Mark Andrews wrote: > > > > > In message , Ted > > > Lemon > > > writes: > > >> > > >> Nick, the solution to this is to do DNS64 in the validator. If the > > >> validator is a stub resolver, do the DNS64 hack there. AFAIK the > > >> technology to support this already exists. > > > > > > DNS64 really should just be made historic. It does not work with > > > DNSSEC. There has NEVER been a NEED for NAT64 or DNS64. They > > > provides NO BENEFIT over other methods. Every proported benefit > > > turns out not to exist. > > > > > > Go do the comparitive analysis. > > > > I respectfully disagree. dual-stack incur many additional costs > > operationally. deploying v6only infrastructure is more cost effective, > > specially over the long run. nowadays, statistics show that a large > > amount of trafic could be carried over IPv6, which means then that you > > just need to care about the tail of the IPv4-only destinations, > > which is where nat64/dns64 comes. But I guess you know all this. > > Stop with the knee jerk reactions. What gave you the idea that I wasn't > talking about IPv6-only networks? > > So use DS-LITE in HOST MODE. The only DS with that is in the host which > you cannot avoid if you are using IPv4 literals or is that too much dual > stack. A little bit inside the node with a fixed > IPv4 address. No routing. No address assignments. > > As I said NAT64/DNS64 does not provide any benefits that are not > available via other IPv4 as a service mechanisms with the added benefit > that you don't have to teach applications / OS stack about > DNS64 prefix discovery to deal with IPv6 literals. > > For NAT64/DNS64 and 464XLAT in the host *every* DNSSEC validator in the > DNS path needs to be taught how to do DNS64 prefix discovery and therefor > that it need to lie about AAAA results whether or not they are going to > be used for a IPv6 connection or not. > > Mark > > > Marc. > > > > > > > >>> On Feb 22, 2017, at 7:23 AM, Heatley, Nick > > >> wrote: > > >>> > > >>> Post exhaustion, the majority of cellular networks and some public > > >>> wifi > > >> networks will use DNS64. > > >>> DNSSEC and DNS64 do not get along. DNSSEC for A records only > > >>> is > > >> broken. > > >>> Is this the reason why all content must go v6? > > >>> Or is the case for DNSSEC still questionable? > > >>> Or do end hosts need to perform DNS64 so DNSSEC for A records > > >>> only > > >> can be intact? > > >>> > > >>> NOTICE AND DISCLAIMER > > >>> This email contains BT information, which may be privileged or > > >> confidential. It's meant only for the individual(s) or entity named > > >> above. > > >>> If you're not the intended recipient, note that disclosing, > > >>> copying, > > >> distributing or using this information is prohibited. > > >>> If you've received this email in error, please let me know > > >>> immediately > > >> on the email address above. Thank you. > > >>> > > >>> We monitor our email system, and may record your emails. > > >>> > > >>> EE Limited > > >>> Registered office:Trident Place, Mosquito Way, Hatfield, > > >>> Hertfordshire, > > >> AL10 9BW > > >>> Registered in England no: 02382161 > > >>> > > >>> EE Limited is a wholly owned subsidiary of: > > >>> > > >>> British Telecommunications plc > > >>> Registered office: 81 Newgate Street London EC1A 7AJ Registered in > > >>> England no: 1800000 > > >>> > > >>> _______________________________________________ > > >>> sunset4 mailing list > > >>> sunset4@ietf.org > > >>> https://www.ietf.org/mailman/listinfo/sunset4 > > >> > > > > > > -- > > > Mark Andrews, ISC > > > 1 Seymour St., Dundas Valley, NSW 2117, Australia > > > PHONE: +61 2 9871 4742 INTERNET: marka@isc.org > > > > > > _______________________________________________ > > > sunset4 mailing list > > > sunset4@ietf.org > > > https://www.ietf.org/mailman/listinfo/sunset4 > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: marka@isc.org > > > NOTICE AND DISCLAIMER > This email contains BT information, which may be privileged or > confidential. It's meant only for the individual(s) or entity named > above. > If you're not the intended recipient, note that disclosing, copying, > distributing or using this information is prohibited. > If you've received this email in error, please let me know immediately on > the email address above. Thank you. > > We monitor our email system, and may record your emails. > > EE Limited > Registered office:Trident Place, Mosquito Way, Hatfield, Hertfordshire, > AL10 9BW > Registered in England no: 02382161 > > EE Limited is a wholly owned subsidiary of: > > British Telecommunications plc > Registered office: 81 Newgate Street London EC1A 7AJ > Registered in England no: 1800000 > _______________________________________________ > sunset4 mailing list > sunset4@ietf.org > https://www.ietf.org/mailman/listinfo/sunset4 -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org From nobody Thu Feb 23 06:11:45 2017 Return-Path: X-Original-To: sunset4@ietfa.amsl.com Delivered-To: sunset4@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8AB2129868 for ; Thu, 23 Feb 2017 06:11:44 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.087 X-Spam-Level: X-Spam-Status: No, score=-6.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-1.887, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aGK1SHhuL9Xd for ; Thu, 23 Feb 2017 06:11:42 -0800 (PST) Received: from mail1.bemta6.messagelabs.com (mail1.bemta6.messagelabs.com [193.109.254.111]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 442E412985A for ; Thu, 23 Feb 2017 06:11:41 -0800 (PST) Received: from [193.109.254.147] by server-7.bemta-6.messagelabs.com id D0/04-24539-C9DEEA85; Thu, 23 Feb 2017 14:11:40 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprNKsWRWlGSWpSXmKPExsUy9d9HH905b9d FGOxTsuhasYfZ4sqL+ywWK/fsZ3dg9liy5CeTx4PH75g91n0wD2COYs3MS8qvSGDNuHCysGCV YMXKt0/ZGxgP8HUxcnEICWxhlFg4eSUbhHOAUeJP01tWCOcEo8ScZ30sXYycHGwCuhLts1Yxg 9giAgoSbW9fMYHYzAKhEjvvTmUEsYUFNCTe7T4GFOcAqtGUmP7RE6I8SqLh8AewMSwCqhL7Nh 5jBbF5gVrnzJkC1iokMJlZ4vUVDRCbU8BK4vanG2BxRgFZiS+Nq5khVolL3HoyH2ythICAxJI 955khbFGJl4//sULYChKXFnWxQtTrSCzY/YkNwtaWWLbwNTPEXkGJkzOfsExgFJ2FZOwsJC2z kLTMQtKygJFlFaN6cWpRWWqRrpleUlFmekZJbmJmjq6hgZlebmpxcWJ6ak5iUrFecn7uJkZgR DEAwQ7GeSf8DzFKcjApifI+u7guQogvKT+lMiOxOCO+qDQntfgQowwHh5IE7/03QDnBotT01I q0zBxgbMOkJTh4lER4dYHxLcRbXJCYW5yZDpE6xajLcWTzkTdMQix5+XmpUuK820FmCIAUZZT mwY2ApZlLjLJSwryMQEcJ8RSkFuVmlqDKv2IU52BUEubdDTKFJzOvBG7TK6AjmICOsHReC3JE SSJCSqqB8fqvvJ1Vq/v/nZtf8kZ3SVG4aWaZSHXpsVB9K8cfP/yN79bf3bvhIPfGHzzmPJs+t z94Z3rsAfOtbRWhcx/JNHV2T1zPkpw44Us+y5mmBduWxG32X5SUmS/ZaJnmzFhuuWPiXw0eHe fZhlNdZi+/5+m203zfAdMphevTJ9yZqV/+vEdtUbZMuxJLcUaioRZzUXEiACuT+5kuAwAA X-Env-Sender: nick.heatley@ee.co.uk X-Msg-Ref: server-8.tower-27.messagelabs.com!1487859099!78253732!1 X-Originating-IP: [149.254.241.76] X-StarScan-Received: X-StarScan-Version: 9.2.3; banners=-,-,- X-VirusChecked: Checked Received: (qmail 10092 invoked from network); 23 Feb 2017 14:11:39 -0000 Received: from unknown (HELO smtpml01.ee.co.uk) (149.254.241.76) by server-8.tower-27.messagelabs.com with DHE-RSA-AES256-GCM-SHA384 encrypted SMTP; 23 Feb 2017 14:11:39 -0000 Received: from EEUKWV0940.EEAD.EEINT.CO.UK (Not Verified[10.246.209.217]) by smtpml01.ee.co.uk with Trustwave SEG (v7, 5, 6, 8438) id ; Thu, 23 Feb 2017 14:11:34 +0000 Received: from UK30S005EXS02.EEAD.EEINT.CO.UK (Not Verified[10.246.208.14]) by EEUKWV0940.EEAD.EEINT.CO.UK with Trustwave SEG (v7, 3, 6, 7949) id ; Thu, 23 Feb 2017 14:11:38 +0000 Received: from UK30S005EXS06.EEAD.EEINT.CO.UK ([fe80::314c:b96c:4a9a:8a79]) by UK30S005EXS02.EEAD.EEINT.CO.UK ([2002:62c:2a4f::62c:2a4f]) with mapi id 14.03.0279.002; Thu, 23 Feb 2017 14:11:37 +0000 From: "Heatley, Nick" To: Mark Andrews Thread-Topic: [sunset4] future of dnssec? Thread-Index: AdKNBnRIe2inw1ZcRtC42Vzko3pn/gADhDcAAAEj9/oAANTjAAAMrNV3ABzaT4AABM3muwAB0iyQ Date: Thu, 23 Feb 2017 14:11:36 +0000 Message-ID: <6536E263028723489CCD5B6821D4B21334D575CE@UK30S005EXS06.EEAD.EEINT.CO.UK> References: <6536E263028723489CCD5B6821D4B21334D566F0@UK30S005EXS06.EEAD.EEINT.CO.UK> <20170222143629.9E9C56454B08@rock.dv.isc.org> <8C2DC5DB-88CA-4541-BE50-C23088F77867@viagenie.ca> <20170222210305.97EB36455CD0@rock.dv.isc.org> <6536E263028723489CCD5B6821D4B21334D5732A@UK30S005EXS06.EEAD.EEINT.CO.UK> <20170223130652.4D3A664684D7@rock.dv.isc.org> In-Reply-To: <20170223130652.4D3A664684D7@rock.dv.isc.org> Accept-Language: en-GB, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.246.208.5] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Archived-At: Cc: Marc Blanchet , "sunset4@ietf.org"