Hello dnsop and v6ops, I've written a draft that proposes updates to RFC 7050, which defined the mechanism for discovering the network's IPv6 translation prefix using a DNS query for ipv4only.arpa. RFC 7050 also defined "secure channel" such that clients SHOULD use IPsec or similar to secure communications with the DNS64 server.
However, since 7050 was published, various encrypted DNS protocols combined with DNR (RFC 9463) allow DNS64 servers to have their encrypted DNS config directly advertised by the network, and nodes can then use DoT, DoH, or DoQ to securely communicate with the DNS64 server. This text updates 7050 to recommend that approach, along with discouraging use of the previously defined DNSSEC mechanism (since the name of the resolver is now known and can be confirmed using TLS).

Given the behave WG has disbanded, Warren recommended I approach dnsop for initial discussion and include v6ops for discussion (for v6ops context: this is part of the secondary work that came out of the draft Jen and I are writing for CLAT Best Practices). I am seeking feedback on whether updating 7050 is the correct approach, and more generally, if there's interest in taking up work in the area of "revisiting how a stub resolver should secure its communication with a DNS64 resolver".

Thanks,
Tommy

P.S. I noticed I ended up with the 2119 section at the bottom... oh well, next time.

________________________________
From: internet-dra...@ietf.org <internet-dra...@ietf.org>
Sent: Tuesday, June 25, 2024 10:37 PM
To: Tommy Jensen
Subject: [EXTERNAL] New Version Notification for draft-jens-7050-secure-channel-00.txt

A new version of Internet-Draft draft-jens-7050-secure-channel-00.txt has been successfully submitted by Tommy Jensen and posted to the IETF repository.
Name: draft-jens-7050-secure-channel
Revision: 00
Title: Redefining Secure Channel for ipv4only.arpa IPv6 Prefix Discovery
Date: 2024-06-26
Group: Individual Submission
Pages: 11
URL: https://www.ietf.org/archive/id/draft-jens-7050-secure-channel-00.txt
Status: https://datatracker.ietf.org/doc/draft-jens-7050-secure-channel/
HTML: https://www.ietf.org/archive/id/draft-jens-7050-secure-channel-00.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-jens-7050-secure-channel

Abstract:
This document updates [RFC7050] to redefine the term "secure channel" and modify requirements for nodes and DNS64 servers to use more recent developments in DNS security.

The IETF Secretariat
_______________________________________________ DNSOP mailing list -- dnsop@ietf.org To unsubscribe send an email to dnsop-le...@ietf.org
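The message above refers to the RFC 7050 mechanism of learning the network's NAT64 prefix (Pref64::/n) from a synthesized AAAA answer for ipv4only.arpa. The following is an added worked example of that derivation step, not text from Tommy's mail, the draft, or either RFC: it takes AAAA answers as already-received strings (the sample answers below are constructed, and no DNS query or encrypted transport is performed), locates the well-known IPv4 addresses 192.0.0.170/171 at each RFC 6052 embedding position, rejects candidates whose "u" octet (bits 64..71) is non-zero, and intersects the candidates across both answers so that the result is only the prefix lengths consistent with every record. The function and variable names are the example's own.

```python
import ipaddress

# Well-known IPv4 addresses that ipv4only.arpa resolves to (RFC 7050, section 2.1).
WKA = (ipaddress.IPv4Address("192.0.0.170"), ipaddress.IPv4Address("192.0.0.171"))

# RFC 6052, section 2.2: where the 32 embedded IPv4 bits sit for each Pref64 length,
# as (byte offset, byte count) spans of the 16-byte IPv6 address. Byte 8 is the
# "u" octet, skipped for every length except /96, and must be zero.
V4_LAYOUT = {
    32: [(4, 4)],
    40: [(5, 3), (9, 1)],
    48: [(6, 2), (9, 2)],
    56: [(7, 1), (9, 3)],
    64: [(9, 4)],
    96: [(12, 4)],
}


def embedded_ipv4(addr, plen):
    """IPv4 address embedded in addr for a /plen Pref64, or None if the "u" octet is non-zero."""
    b = addr.packed
    if plen != 96 and b[8] != 0:
        return None
    v4 = b"".join(b[off:off + n] for off, n in V4_LAYOUT[plen])
    return ipaddress.IPv4Address(v4)


def pref64_candidates(addr):
    """Every Pref64::/n under which addr decodes to one of the WKAs (RFC 7050, section 3)."""
    found = set()
    for plen in V4_LAYOUT:
        if embedded_ipv4(addr, plen) in WKA:
            # strict=False clears the embedded IPv4 and suffix bits, leaving the bare prefix.
            found.add(ipaddress.IPv6Network((int(addr), plen), strict=False))
    return found


def discover_pref64(aaaa_answers):
    """Prefixes consistent with all synthesized AAAA answers, shortest first.

    An empty list means the answers do not embed a WKA at any valid position,
    so the node must not treat the responder as a usable DNS64.
    """
    common = None
    for text in aaaa_answers:
        cands = pref64_candidates(ipaddress.IPv6Address(text))
        common = cands if common is None else common & cands
    return sorted(common or (), key=lambda n: n.prefixlen)


if __name__ == "__main__":
    # Constructed sample answers: a well-known /96 and a provider /64.
    print(discover_pref64(["64:ff9b::c000:aa", "64:ff9b::c000:ab"]))
    print(discover_pref64(["2001:db8:1:2:c0:0:aa00:0", "2001:db8:1:2:c0:0:ab00:0"]))
    # "u" octet set to 0xff: rejected, as RFC 6052 requires.
    print(discover_pref64(["2001:db8:1:2:ffc0:0:aa00:0"]))
```

Only the /96 layout places the WKA in the final 32 bits, so for the well-known prefix 64:ff9b::/96 no other length can match; for the /64 case the same bytes are checked at the /40, /48 and /56 offsets and fail because the prefix bytes land in the IPv4 position. Using both WKA answers is what RFC 7050 relies on when a single record would be ambiguous.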