General list for discussing Bufferbloat
From: Mark Andrews <marka@isc.org>
To: Mikael Abrahamsson <swmike@swm.pp.se>
Cc: bloat <bloat@lists.bufferbloat.net>
Subject: Re: [Bloat] Apple ECN, Bufferbloat, CoDel
Date: Sun, 14 Jun 2015 10:28:07 +1000
Message-ID: <20150614002808.B297C309397F@rock.dv.isc.org>
In-Reply-To: Your message of "Sat, 13 Jun 2015 19:11:19 +0200." <alpine.DEB.2.02.1506131908320.9487@uplift.swm.pp.se>


In message <alpine.DEB.2.02.1506131908320.9487@uplift.swm.pp.se>, Mikael Abrahamsson writes:
> On Sat, 13 Jun 2015, Dave Taht wrote:
> 
> > I don't understand how badly this is going to break dnssec. dnsmasq in 
> > particular has been dealing with edge case after edge case on dnssec for 
> > the last few months, and it was my hope we'd finally got them all.
> 
> DNS64 breaks DNSSEC because it creates an AAAA response where none is 
> present in the zone being queried. It's basically doing MITM for DNS, 
> which is exactly what DNSSEC was supposed to fix.
> 
> DNSSEC would work if Apple decided to just do NAT64 discovery and then do 
> their own DNS64 in the host, but I have no information as to what is being 
> done here.
> 
> At least DNSSEC still works between the Internet and the ISP DNS64 
> resolver, but the end host won't be able to verify the response using 
> DNSSEC.

RFC 6147 is totally broken when it talks about DNSSEC.  The WG wanted
so much for there to be a bit that said "validation will be performed
on this answer" that they stopped listening.  There is no such bit
or combination of bits.

NAT64 and DNS64 need to die.  There are much better solutions to
providing IPv4 over IPv6 than NAT64 and DNS64 and 464XLAT that grew
from NAT64 and DNS64.

MAP and DS-Lite are better solutions.  They work with DNSSEC.  They
have the same PMTUD issues as NAT64.  Address selection rules provide
enough bias towards IPv6.

> -- 
> Mikael Abrahamsson    email: swmike@swm.pp.se
> _______________________________________________
> Bloat mailing list
> Bloat@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/bloat
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
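
Added example, not part of the message above and not code from any of the participants: a sketch of the host-side DNS64 that the quoted text proposes, using the RFC 6052 address format. The function names are hypothetical, the addresses are documentation values, and the A RRset passed in is assumed to have already been DNSSEC-validated by the host's own validating stub.

```python
import ipaddress

WKP = ipaddress.ip_network("64:ff9b::/96")   # RFC 6052 Well-Known Prefix
VALID_LENGTHS = (32, 40, 48, 56, 64, 96)     # prefix lengths RFC 6052 allows

def embed(v4, prefix=WKP):
    """Build the AAAA a DNS64 would synthesize for one IPv4 address."""
    if prefix.prefixlen not in VALID_LENGTHS:
        raise ValueError("not an RFC 6052 prefix length")
    out = bytearray(prefix.network_address.packed)
    pos = prefix.prefixlen // 8
    for octet in ipaddress.IPv4Address(v4).packed:
        if pos == 8:          # octet 8 ("u") is reserved and stays zero
            pos += 1
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))

def extract(v6, prefix=WKP):
    """Return the embedded IPv4 address, or None if v6 is outside the prefix."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        return None
    raw, pos, v4 = addr.packed, prefix.prefixlen // 8, bytearray()
    while len(v4) < 4:
        if pos == 8:
            pos += 1
        v4.append(raw[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(v4))

def check_aaaa(aaaa, validated_a, prefix=WKP):
    """Classify an AAAA from a DNS64 resolver against a validated A RRset.

    validated_a: set of IPv4 strings the host itself validated (assumption).
    A synthesized AAAA has no signature in the zone, so the only thing the
    host can check is that it maps back to a signed A record.
    """
    v4 = extract(aaaa, prefix)
    if v4 is None:
        return "native"                 # validate its own RRSIG as usual
    return "synthesized-ok" if str(v4) in validated_a else "synthesized-mismatch"

if __name__ == "__main__":
    signed_a = {"192.0.2.33"}           # constructed sample RRset
    for answer in ("64:ff9b::c000:221", "64:ff9b::c633:6407", "2001:db8::1"):
        print(answer, check_aaaa(answer, signed_a))
```
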


Thread overview: 6+ messages
2015-06-13 16:07 Mikael Abrahamsson
2015-06-13 16:52 ` Dave Taht
2015-06-13 17:11   ` Mikael Abrahamsson
2015-06-14  0:28     ` Mark Andrews [this message]
2015-06-14  2:09       ` Henrique de Moraes Holschuh
2015-06-13 16:55 ` Jonathan Morton
