Hello dnsop and v6ops,

I've written a draft that proposes updates to RFC 7050, which defined the 
mechanism for discovering the network's IPv6 translation prefix using a DNS 
query for ipv4only.arpa. RFC 7050 also defined "secure channel" such that 
clients SHOULD use IPsec or similar to secure communications with the DNS64 
server.

However, since 7050 was published, various encrypted DNS protocols combined 
with DNR (RFC 9463) allow DNS64 servers to have their encrypted DNS config 
directly advertised by the network and nodes can then use DoT, DoH, or DoQ to 
securely communicate with the DNS64 server. This text updates 7050 to recommend 
that approach, along with discouraging use of the previously defined DNSSEC 
mechanism (since the name of the resolver is now known and can be confirmed 
using TLS).

Given the behave WG has disbanded, Warren recommended I approach dnsop for 
initial discussion and include v6ops for discussion (for v6ops context: this is 
part of the secondary work that came out of the draft Jen and I are writing for 
CLAT Best Practices). I am seeking feedback on whether updating 7050 is the 
correct approach, and more generally, if there's interest in taking up work in 
the area of "revisiting how a stub resolver should secure its communication 
with a DNS64 resolver".

Thanks,
Tommy

P.S. I noticed I ended up with the 2119 section at the bottom... oh well, next 
time.

________________________________
From: internet-dra...@ietf.org <internet-dra...@ietf.org>
Sent: Tuesday, June 25, 2024 10:37 PM
To: Tommy Jensen
Subject: [EXTERNAL] New Version Notification for 
draft-jens-7050-secure-channel-00.txt

A new version of Internet-Draft draft-jens-7050-secure-channel-00.txt has been
successfully submitted by Tommy Jensen and posted to the
IETF repository.

Name:     draft-jens-7050-secure-channel
Revision: 00
Title:    Redefining Secure Channel for ipv4only.arpa IPv6 Prefix Discovery
Date:     2024-06-26
Group:    Individual Submission
Pages:    11
URL:      https://www.ietf.org/archive/id/draft-jens-7050-secure-channel-00.txt
Status:   https://datatracker.ietf.org/doc/draft-jens-7050-secure-channel/
HTML:     https://www.ietf.org/archive/id/draft-jens-7050-secure-channel-00.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-jens-7050-secure-channel


Abstract:

   This document updates [RFC7050] to redefine the term "secure channel"
   and modify requirements for nodes and DNS64 servers to use more
   recent developments in DNS security.



The IETF Secretariat


_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
