Re: v6ops-nat64-pb-statement-req: DNSSEC requirement

[marcelo bagnulo braun <marcelo@it.uc3m.es>]

Thomas Narten escribió:
> draft-ietf-v6ops-nat64-pb-statement-req-00.txt says:
>
>   
> >    R10: DNSSec support
> >
> >    DNSSec support MUST NOT be prevented.
> >    o  R10.1: In particular, if an IPv6 node is initiating a
> >       communication with an IPv4 that is located behind a translator,
> >       the IPv6 initiator MUST be able to perform DNSSec verification of
> >       the DNS information of the IPv4 target. (strong consensus on this
> >       one).
> >     
>
>
>   
> >    o  R10.2: In particular, if an IPv4 node is initiating a
> >       communication with an IPv6 that is located behind a translator,
> >       the IPv4 initiator MUST be able to perform DNSSec verification of
> >       the DNS information of the IPv4 target.  This may require the
> >       modification of the IPv4 node as well. (not clear if there
> >       consensus on this one)
> >     
>
> Maybe I don't understand what the above means, but it seems to me to
> be unworkable. I.e., If an IPv6 node requests an AAAA record for an
> IPv4-only node, there won't be a AAAA record and it will need to be
> synthesized. By definition, such a synthesized DNS RR won't be
> verifiable via DNSSEC because it is in fact an unauthorized
> fabrication.
>
> What am I missing here?
>   

if the verification is performed before the synthesis of the RR and 
there is a trsut relationship betwen the receiver and the node that has 
performed the verification and synthesis, this should do it. In 
particular, if everything happens at the end node, we are in business, 
right?
(i.e. the v6 end node asks for the A RR, perfomrs the dnssec validation 
and then internally generates the v6 address)

it is not so trivial for the v4 case though (actually i think it is not 
possible for the v4 case, hence the question mark)

Regards, marcelo

> Thomas
>
>
>