[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NAT64 and DNSSec

To: marcelo bagnulo <marcelo@it.uc3m.es>
Subject: Re: NAT64 and DNSSec
From: Hesham Soliman <hesham@elevatemobile.com>
Date: Fri, 28 Mar 2008 09:07:12 +1100
Cc: v6ops@ops.ietf.org, Kurt Erik Lindqvist <kurtis@kurtis.pp.se>, joao@isc.org, Iljitsch van Beijnum <iljitsch@muada.com>, Liman Lars-Johan <liman@autonomica.se>, Ihrén Johan <johani@autonomica.se>, mcr@sandelman.ca, Mark_Andrews@isc.org
In-reply-to: <47EA94A0.20503@it.uc3m.es>
References: <47EA94A0.20503@it.uc3m.es>

- Levels of support.
- Level 0: we don't anything special in the synthetic DNS reply. thetranslator just drops the DNSSec information and creates thesynthethic DNS RR. the host recives it and doesn't know it issynthetic DNS RR. If it tries to validate it, it won't be able to dothat, cause there is no DNSSec information. this may result inadditional difficulties in DNSSec deployments, since if the usage ofNAT64 boxes becomes pervasive, then unsigned DNS replies will becomecommon and hosts need to accept them, since this is how the NAT64boxes generate them.
- Level 1: We could add a tag on the DNS reply, EDNS0, marking theseas synthetic RR, so the receiving host knows these are fake but thatit should accept them anyway. this doesn't really solve the problemdescribed above, but at least DNS semantics are preserved, sincesynthtic RR are explicitly marked and receivers know about that.(Questio for DNS guys, do normal hosts accept DNS replies contianingEDNS0 tags that they don't know? or they drop these replies?)
- Level 2: another option is to include both the EDNS0 tag and alsothe original information of the original RR, including the originaladdress and the signature information. this would allow to verifythe original packet, but then we need to verify the binding betweenthe original address and the one actually included int eh syntheticDNS RR. In the case of v6 initiated communications, this is possiblecause the v6 address included in the synthtic record is related tothe original v4 address. In the v4 initiated communication, i am notsure how useful would that be.
- Level 3: extend DNSsec verification to soemwhere near the reciver.This would mean that it is not the NAT64 that generates the synthticDNS RR but some other box, closer to the receiver does that, priorDNSSec verification. the problem with this approach is how the otherbox gets the address information that should be included int hesynthetic RR. As above, in the v6 initiated case it may be possiblecause the v6 address can be constructed from the v4 address, but inthe v4 initated case, we need some for of communication with the NATbox, which is hardly a good idea.
- Level 4: generate the synthetic RR locally in the receiving node.this would be perfect, but is simply incopatible with therequirement of not modifying v4 nodes.
so, my questions are:
- are there any other levels of support/options?
- If not, what level should we require?

=> Personally I prefer discussing the requirements without mentioninghow it can be addressed in the solution :) but that might be tooidealistic. I don't see a need to require something that we can'tsupport, i.e. DNSSEC. With NAT64 other IETF security protocols willnot work anyway, so I'm not sure that DNS should be a special case.Also, I'm against requiring any special tricks in the host, it'sreally late for that IMHO.


Hesham



Regards, marcelo

Follow-Ups:
- Re: NAT64 and DNSSec
  - From: marcelo bagnulo <marcelo@it.uc3m.es>

References:
- NAT64 and DNSSec
  - From: marcelo bagnulo <marcelo@it.uc3m.es>

Prev by Date: Re: NAT64 and DNSSec
Next by Date: Re: NAT64 and DNSSec
Previous by thread: Re: NAT64 and DNSSec
Next by thread: Re: NAT64 and DNSSec
Index(es):
- Date
- Thread