In message <cad6ajgs9gf3ax_exo8fbii-tyfhha6cdukxeqxjvodqsxsx...@mail.gmail.com>, Ca By writes:
> On Wed, Feb 22, 2017 at 6:36 AM Mark Andrews <[email protected]> wrote:
>
> > In message <[email protected]>, Ted Lemon writes:
> > >
> > > Nick, the solution to this is to do DNS64 in the validator. If the
> > > validator is a stub resolver, do the DNS64 hack there. AFAIK the
> > > technology to support this already exists.
> >
> > DNS64 really should just be made historic. It does not work with
> > DNSSEC. There has NEVER been a NEED for NAT64 or DNS64. They
> > provide NO BENEFIT over other methods. Every purported benefit
> > turns out not to exist.
> >
> > Go do the comparative analysis.
>
> From a network with 10s of millions of nat64 users and zero dnssec, I
> disagree and suggest dnssec move to historic since it is a ddos attack
> vector and provides no privacy element and generally weak crypto ... also it
> has caused many wide scale outages for networks that have elected to use
> it.

Well I was meaning to compare with other IPv4 as a service solutions
but if you want to go here. DNSSEC issues are really no worse than
any other DNS delegation misconfigurations that happen. Have you
actually run behind a validating DNSSEC resolver or are you looking
in from the outside? DNSSEC really isn't that hard to do right.

I've actually been running behind DNSSEC validating resolvers for
a decade now using DNS data that is signed all the way down.

Mark

> > > > On Feb 22, 2017, at 7:23 AM, Heatley, Nick <[email protected]>
> > > > wrote:
> > > >
> > > > Post exhaustion, the majority of cellular networks and some public wifi
> > > > networks will use DNS64.
> > > > DNSSEC and DNS64 do not get along. DNSSEC for “A records only” is
> > > > broken.
> > > > Is this the reason why all content must go v6?
> > > > Or is the case for DNSSEC still questionable?
> > > > Or do end hosts need to perform DNS64 so “DNSSEC for A records only”
> > > > can be intact?
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
_______________________________________________
sunset4 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sunset4
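
Ted Lemon's suggestion quoted above, doing DNS64 in the validator, sketched as an added example that is not code from this thread or from any resolver: the A answer is validated first and the AAAA address is synthesized locally afterwards, so no synthesized record ever has to pass DNSSEC validation. The address mapping follows RFC 6052 and covers every defined prefix length, which goes beyond what the thread discusses; the names `embed_ipv4`, `ValidatedA` and `local_dns64` are hypothetical, and the validation status is taken as an input rather than computed.

```python
import ipaddress
from dataclasses import dataclass

# Prefix lengths for which IPv4-embedded IPv6 addresses are defined (RFC 6052).
ALLOWED_PREFIX_LENGTHS = {32, 40, 48, 56, 64, 96}


def embed_ipv4(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in a NAT64 prefix; bits 64-71 stay zero."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in ALLOWED_PREFIX_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{net.prefixlen}")
    out = bytearray(16)
    n = net.prefixlen // 8
    out[:n] = net.network_address.packed[:n]
    pos = n
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if pos == 8:          # reserved octet between the two halves
            pos += 1
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


@dataclass
class ValidatedA:
    """Hypothetical result handed over by the DNSSEC validator for an A query."""
    name: str
    addresses: list
    status: str               # "secure", "insecure" or "bogus"


def local_dns64(answer: ValidatedA, nat64_prefix: str) -> list:
    """Synthesize AAAA data only from A data that already passed validation."""
    if answer.status == "bogus":
        return []             # never build addresses from data that failed validation
    if answer.status not in ("secure", "insecure"):
        raise ValueError(f"unknown validation status {answer.status!r}")
    return [embed_ipv4(nat64_prefix, a) for a in answer.addresses]


# Constructed sample input: documentation addresses and the well-known prefix.
if __name__ == "__main__":
    signed = ValidatedA("www.example.", ["192.0.2.33"], "secure")
    forged = ValidatedA("www.example.", ["198.51.100.7"], "bogus")
    print(local_dns64(signed, "64:ff9b::/96"))   # synthesized after validation
    print(local_dns64(forged, "64:ff9b::/96"))   # nothing synthesized
```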
