> On 19 Jun 2018, at 11:35 am, Ted Lemon <mel...@fugue.com> wrote:
>
> You should steal the text from the dot home RFC.
>
> On Mon, Jun 18, 2018 at 9:30 PM David Schinazi <dschin...@apple.com> wrote:
> Hi, responses inline.
>
>> On Tue, Jun 12, 2018 at 11:16 PM Mark Andrews <ma...@isc.org> wrote:
>>
>> This does not meet my requirements. There is zero need for any part of the
>> normal DNS resolution process to know the IPV4ONLY.ARPA is special if IANA
>> stopped signing the zone.
>
> Could you take a look at draft-cheshire-sudn-ipv4only-dot-arpa please? It
> explains why some parts of the DNS resolution process do need to treat
> ipv4only.arpa as special, regardless of DNSSEC.
>
>> On Jun 13, 2018, at 19:19, Warren Kumari <war...@kumari.net> wrote:
>>
>> I read that a few times, and even when squinting I cannot figure out how
>> that is supposed to work. Can someone enlighten me? I can see how a signed
>> ipv4only.arpa allows a validating DNS64 server to validate the (well known!)
>> v4 addresses, but the malicious AAAA RR detection bit confuses me...
>
> I agree, there is no point in signing the A records for ipv4only.arpa since
> they are well-known, and for the same reason there is no point in checking
> it. So having A records signed or unsigned is irrelevant since no one should
> be querying for these A records anyway. Similarly, since the whole purpose of
> the AAAA records for ipv4only.arpa is to be overridden by a DNS64 recursive
> resolver which is not owned by .arpa, checking signatures will not validate
> anything useful.
No. You expect DNS64 recursive servers to query for them as part of the
synthesis process when they get a request from a device that is attempting to
configure the CLAT service by asking for the AAAA records for ipv4only.arpa.
And to be pedantic, one is overriding the NODATA response, as there are no AAAA
records for ipv4only.arpa.

> I agree with Mark's point that queries will fail when the client is behind a
> validating resolver that has no special knowledge of ipv4only.arpa.
>
> To resolve this, we'll update draft-cheshire-sudn-ipv4only-dot-arpa to
> mention that ipv4only.arpa MUST NOT be signed.
>
> Thanks,
> David
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
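The exchange Mark describes above, modelled in Python as an added example that is not part of this thread or of any of the drafts it discusses. The zone dictionary is a constructed stand-in for the authoritative ipv4only.arpa answers (A records only, so a plain resolver returns NODATA for AAAA); `64:ff9b::/96` is the well-known NAT64 prefix from RFC 6052; the function names are mine. It shows the DNS64 resolver overriding the NODATA answer with synthesized AAAA records per RFC 6052 embedding, and the CLAT recovering the prefix from them per RFC 7050. The embedding and discovery code handles all six RFC 6052 prefix lengths, not only /96, so the general case is covered as well.

```python
import ipaddress
from typing import Optional

# Well-known IPv4 addresses that ipv4only.arpa resolves to (RFC 7050).
IPV4ONLY_ARPA_A = ("192.0.0.170", "192.0.0.171")
# Prefix lengths permitted for an IPv4-embedded IPv6 prefix (RFC 6052).
PREF64_LENGTHS = (32, 40, 48, 56, 64, 96)

# Constructed stand-in for what the authoritative ipv4only.arpa zone
# returns: A records only.  There are no AAAA records, so a plain
# (non-DNS64) resolver answers the AAAA query with NODATA.
IPV4ONLY_ARPA_ZONE = {("ipv4only.arpa.", "A"): list(IPV4ONLY_ARPA_A)}


def synthesize_aaaa(ipv4: str, pref64: str) -> str:
    """Embed an IPv4 address into pref64 per RFC 6052 section 2.2.

    Bits 64..71 (the "u" octet) are reserved and must be zero, so for
    prefixes shorter than /64 the 32 IPv4 bits are split around it.
    """
    net = ipaddress.IPv6Network(pref64)
    plen = net.prefixlen
    if plen not in PREF64_LENGTHS:
        raise ValueError(f"unsupported Pref64 length /{plen}")
    pbits = format(int(net.network_address), "0128b")[:plen]
    vbits = format(int(ipaddress.IPv4Address(ipv4)), "032b")
    if plen == 96:
        bits = pbits + vbits
    elif plen == 64:
        bits = pbits + "0" * 8 + vbits
    else:
        head = 64 - plen              # IPv4 bits that fit before the u octet
        bits = pbits + vbits[:head] + "0" * 8 + vbits[head:]
    return str(ipaddress.IPv6Address(int(bits.ljust(128, "0"), 2)))


def extract_ipv4(aaaa: str, plen: int) -> str:
    """Inverse of synthesize_aaaa for an assumed prefix length."""
    bits = format(int(ipaddress.IPv6Address(aaaa)), "0128b")
    if plen == 96:
        vbits = bits[96:128]
    elif plen == 64:
        vbits = bits[72:104]
    else:
        head = 64 - plen
        vbits = bits[plen:64] + bits[72:72 + (32 - head)]
    return str(ipaddress.IPv4Address(int(vbits, 2)))


def dns64_resolve_aaaa(qname: str, zone: dict, pref64: str) -> list:
    """AAAA handling of a DNS64 recursive resolver (RFC 6147 behaviour).

    A genuine AAAA answer is passed through unchanged.  On NODATA the
    resolver queries for A records and synthesizes AAAA records from them;
    this is the step that overrides the empty answer for ipv4only.arpa.
    """
    aaaa = zone.get((qname, "AAAA"), [])
    if aaaa:
        return list(aaaa)
    return [synthesize_aaaa(a, pref64) for a in zone.get((qname, "A"), [])]


def discover_pref64(aaaa_records: list) -> Optional[str]:
    """CLAT-side Pref64 discovery (RFC 7050): find the prefix length under
    which a received AAAA record embeds one of the well-known addresses."""
    for rr in aaaa_records:
        for plen in PREF64_LENGTHS:
            if extract_ipv4(rr, plen) in IPV4ONLY_ARPA_A:
                addr = int(ipaddress.IPv6Address(rr))
                masked = (addr >> (128 - plen)) << (128 - plen)
                return str(ipaddress.IPv6Network((masked, plen)))
    return None


if __name__ == "__main__":
    # A CLAT asks a DNS64 resolver (NAT64 prefix 64:ff9b::/96) for
    # AAAA ipv4only.arpa; the synthesized answer reveals the prefix.
    answer = dns64_resolve_aaaa("ipv4only.arpa.", IPV4ONLY_ARPA_ZONE, "64:ff9b::/96")
    print(answer)                     # ['64:ff9b::c000:aa', '64:ff9b::c000:ab']
    print(discover_pref64(answer))    # 64:ff9b::/96
    # Without DNS64 the same query is NODATA and discovery finds nothing.
    print(discover_pref64([]))        # None
```

The synthesized records are exactly what a DNSSEC-validating stub would reject: they are not signed by .arpa and cannot be, which is the conflict the thread is about. Whether the zone is signed or not, a CLAT only learns the prefix if the resolver in its path is a DNS64 and the validating component, if any, knows to leave ipv4only.arpa alone.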