> On 6 Jul 2018, at 10:28 am, Ted Lemon <mel...@fugue.com> wrote:
> 
> If special handling is required for ipv4only.arpa, isn't it also required for 
> home.arpa?   I tested this a bit and it doesn't appear to be necessary.   I 
> suppose a stub resolver could in principle walk down from the root and notice 
> the discrepancy in the NS records in the delegation, but in practice they 
> don't do this, because it's not necessary: if it were intended that the zone 
> be secure, it would be signed and have a signed delegation.

For HOME.ARPA the border is the CPE routers.  They can just
intercept/redirect/proxy queries as they are on path.  That said, dedicated
servers would allow for clients to cleanly tie server properties to addresses
(EDNS, DNS-COOKIE, whatever else we dream up).  CPEs could instantiate the
well-known address.  We don’t want to force the CPE devices to have to do DPI
for HOME.ARPA.

It would help but is not critical.

> On Thu, Jul 5, 2018 at 6:37 PM, Mark Andrews <ma...@isc.org> wrote:
> Most of the special handling could be avoided if IANA was instructed to run 
> the servers for ipv4only.arpa on dedicated addresses. Host routes could then 
> be installed for those addresses that redirect traffic for ipv4only.arpa to the 
> ISP’s DNS64/ipv4only.arpa server. 
> 
> Perhaps 2 address blocks could be allocated for this purpose. One for ipv4 
> and one for ipv6. 
> 
> -- 
> Mark Andrews
> 
> On 5 Jul 2018, at 20:05, Philip Homburg <pch-dnso...@u-1.phicoh.com> wrote:
> 
> >> draft-cheshire-sudn-ipv4only-dot-arpa document
> > 
> > Section 7.1:
> > "Name resolution APIs and libraries MUST recognize 'ipv4only.arpa' as
> > "special and MUST give it special treatment. 
> > 
> > It seems to me that it is going way too far to require all DNS software to
> > implement support for a hack that abuses DNS for configuration management of
> > a rather poor IPv4 transition technology.
> > 
> > I think the more obvious approach is to formally deprecate RFC 7050 and
> > require nodes that need to do NAT64 address synthesis use one of the other
> > methods for obtaining the NAT64 prefix.
> > 
> > The only part of the draft that makes sense to me is to make ipv4only.arpa
> > an insecure delegation. 
> > 
> > Any other problems are better solved by deprecating RFC 7050.
> > 
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
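
For readers following the thread: the RFC 7050 mechanism under discussion has a node query AAAA for ipv4only.arpa and look for the name's well-known IPv4 addresses (192.0.0.170 and 192.0.0.171) inside the synthesized answers to learn the NAT64 prefix. The sketch below is an added example, not code from the thread or the draft; the function names and the sample AAAA answers are constructed for illustration.

```python
import ipaddress

# Well-known IPv4 addresses of ipv4only.arpa (RFC 7050).
WKAS = {ipaddress.IPv4Address("192.0.0.170"), ipaddress.IPv4Address("192.0.0.171")}
# NAT64 prefix lengths defined by RFC 6052.
PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def embedded_ipv4(addr6, plen):
    """IPv4 address embedded after a prefix of length plen (RFC 6052 layout).

    Octet 8 (bits 64..71) never carries IPv4 bits, so it is skipped.
    """
    raw = addr6.packed
    positions = [i for i in range(plen // 8, 16) if i != 8][:4]
    return ipaddress.IPv4Address(bytes(raw[i] for i in positions))


def discover_pref64(aaaa_answers):
    """Return the sorted NAT64 prefixes implied by AAAA answers for ipv4only.arpa.

    An empty list means no answer embedded a well-known address, i.e. the
    resolver is not doing DNS64 synthesis (or returned unrelated data).
    """
    prefixes = set()
    for text in aaaa_answers:
        addr6 = ipaddress.IPv6Address(text)
        for plen in PREFIX_LENGTHS:
            if embedded_ipv4(addr6, plen) in WKAS:
                shift = 128 - plen
                base = (int(addr6) >> shift) << shift  # clear the suffix bits
                prefixes.add(ipaddress.IPv6Network((base, plen)))
    return sorted(prefixes)


# Constructed sample answers (not captured traffic).
WELL_KNOWN_96 = ["64:ff9b::c000:aa", "64:ff9b::c000:ab"]
NETWORK_SPECIFIC_64 = ["2001:db8:1:2:c0:0:ab00:0"]
NETWORK_SPECIFIC_32 = ["2001:db8:c000:aa::"]
NOT_SYNTHESIZED = ["2001:db8::1"]

if __name__ == "__main__":
    for sample in (WELL_KNOWN_96, NETWORK_SPECIFIC_64,
                   NETWORK_SPECIFIC_32, NOT_SYNTHESIZED):
        print(sample, "->", [str(p) for p in discover_pref64(sample)])
```

Because these AAAA records are synthesized by the DNS64 server rather than published in the ipv4only.arpa zone, they cannot be validated against a signed zone, which is why the thread keeps returning to the insecure delegation.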