> On 6 Jul 2018, at 10:28 am, Ted Lemon <mel...@fugue.com> wrote:
>
> If special handling is required for ipv4only.arpa, isn't it also required for
> home.arpa? I tested this a bit and it doesn't appear to be necessary. I
> suppose a stub resolver could in principle walk down from the root and notice
> the discrepancy in the NS records in the delegation, but in practice they
> don't do this, because it's not necessary: if it were intended that the zone
> be secure, it would be signed and have a signed delegation.

For HOME.ARPA the border is the CPE routers. They can just intercept/redirect/proxy queries as they are on path. That said, dedicated servers would allow for clients to cleanly tie server properties to addresses (EDNS, DNS-COOKIE, whatever else we dream up). CPEs could instantiate the well-known address. We don’t want to force the CPE devices to have to do DPI for HOME.ARPA. It would help but is not critical.

> On Thu, Jul 5, 2018 at 6:37 PM, Mark Andrews <ma...@isc.org> wrote:
> Most of the special handling could be avoided if IANA was instructed to run
> the servers for ipv4only.arpa on dedicated addresses. Host routes could then
> be installed for those addresses that redirect traffic for ipv4only.arpa to the
> ISP’s DNS64/ipv4only.arpa server.
>
> Perhaps 2 address blocks could be allocated for this purpose. One for ipv4
> and one for ipv6.
>
> --
> Mark Andrews
>
> On 5 Jul 2018, at 20:05, Philip Homburg <pch-dnso...@u-1.phicoh.com> wrote:
>
> >> draft-cheshire-sudn-ipv4only-dot-arpa document
> >
> > Section 7.1:
> > "Name resolution APIs and libraries MUST recognize 'ipv4only.arpa' as
> > "special and MUST give it special treatment.
> >
> > It seems to me that it is going way too far to require all DNS software to
> > implement support for a hack that abuses DNS for configuration management of
> > a rather poor IPv4 transition technology.
> >
> > I think the more obvious approach is to formally deprecate RFC 7050 and
> > require nodes that need to do NAT64 address synthesis use one of the other
> > methods for obtaining the NAT64 prefix.
> >
> > The only part of the draft that makes sense to me is to make ipv4only.arpa
> > an insecure delegation.
> >
> > Any other problems are better solved by deprecating RFC 7050.
> >
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742   INTERNET: ma...@isc.org