
Re: v6ops-nat64-pb-statement-req: DNSSEC requirement



marcelo bagnulo braun <marcelo@it.uc3m.es> writes:

> if the verification is performed before the synthesis of the RR and
> there is a trust relationship between the receiver and the node that has
> performed the verification and synthesis, this should do it.

Well, yes, but there are an awful lot of ifs in the above. Certainly
more than are appropriate for the original MUST requirement.

> In particular, if everything happens at the end node, we are in
> business, right?  (i.e. the v6 end node asks for the A RR, performs
> the dnssec validation and then internally generates the v6 address)

Ahem. If the end node is doing this, why isn't it just doing dual
stack? After all, it (or rather the embedded translator) is sending
out IPv4...

> it is not so trivial for the v4 case though (actually I think it is not
> possible for the v4 case, hence the question mark)

In other words, the MUST needs some serious scoping. If it makes
sense at all.

I'm still not sure this requirement is achievable in practice. So I'm
not at all sure it is appropriate to make it a MUST, at least not
without a lot more text explaining what is meant.

Thomas