From: Mark Andrews
To: Mikael Abrahamsson
Cc: bloat
Date: Sun, 14 Jun 2015 10:28:07 +1000
Message-Id: <20150614002808.B297C309397F@rock.dv.isc.org>
In-reply-to: Your message of "Sat, 13 Jun 2015 19:11:19 +0200."
Subject: Re: [Bloat] Apple ECN, Bufferbloat, CoDel

In message , Mikael Abrahamsson writes:
> On Sat, 13 Jun 2015, Dave Taht wrote:
>
> > I don't understand how badly this is going to break dnssec. dnsmasq in
> > particular has been dealing with edge case after edge case on dnssec for
> > the last few months, and it was my hope we'd finally got them all.
>
> DNS64 breaks DNSSEC because it creates an AAAA response where none is
> present in the zone being queried. It's basically doing MITM for DNS,
> which is exactly what DNSSEC was supposed to fix.
>
> DNSSEC would work if Apple decided to just do NAT64 discovery and then do
> their own DNS64 in the host, but I have no information as to what is being
> done here.
>
> At least DNSSEC still works between the Internet and the ISP DNS64
> resolver, but the end host won't be able to verify the response using
> DNSSEC.

RFC 6147 is totally broken when it talks about DNSSEC. The WG wanted so
much for there to be a bit that said "validation will be performed on this
answer" that they stopped listening. There is no such bit or combination
of bits.

NAT64 and DNS64 need to die. There are much better solutions to providing
IPv4 over IPv6 than NAT64 and DNS64 and 464XLAT that grew from NAT64 and
DNS64. MAP and DS-Lite are better solutions. They work with DNSSEC. They
have the same PMTUD issues as NAT64. Address selection rules provide
enough bias towards IPv6.

> --
> Mikael Abrahamsson email: swmike@swm.pp.se

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
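The following is an added example, not part of the thread above and not code from either poster. It models the two situations Mikael describes: a resolver that synthesizes an AAAA RRset from a signed A RRset (the stub has nothing it can validate), and a host that discovers the NAT64 prefix, validates the A RRset itself, and synthesizes locally. Assumptions not taken from the thread: the NAT64 prefix is the RFC 6052 well-known prefix 64:ff9b::/96, the zone name and address are constructed, and an RRSIG over the canonical RRset is stood in for by an HMAC so the script runs offline.

```python
"""Toy model of DNS64 synthesis and its interaction with a validating stub.

Added example for the DNS64/DNSSEC discussion; not from the mailing list.
RRSIG verification is simplified to an HMAC over the canonical RRset so
the script needs no network and no DNSSEC library.
"""
import hashlib
import hmac
import ipaddress

# Assumption: the well-known NAT64 prefix from RFC 6052, not taken from the thread.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
# Constructed stand-in for the zone's signing key (a real zone would use DNSKEY/RRSIG).
ZONE_KEY = b"constructed-zone-signing-key"


def synthesize_aaaa(ipv4, prefix=NAT64_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052 layout)."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled in this example")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) + v4))


def extract_ipv4(ipv6, prefix=NAT64_PREFIX):
    """Inverse of synthesize_aaaa; None if the address is not inside the NAT64 prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def canonical(name, rtype, rdata):
    """Canonical bytes of an RRset: owner name, type, sorted RDATA."""
    return f"{name.lower()} IN {rtype} {' '.join(sorted(rdata))}".encode()


def sign_rrset(name, rtype, rdata):
    """Stand-in for producing an RRSIG over the RRset (HMAC, constructed)."""
    return hmac.new(ZONE_KEY, canonical(name, rtype, rdata), hashlib.sha256).hexdigest()


def verify_rrset(name, rtype, rdata, sig):
    """Stand-in for RRSIG validation against the zone's key."""
    return hmac.compare_digest(sign_rrset(name, rtype, rdata), sig)


# Constructed zone: only an A RRset exists and only it is signed. No AAAA at all.
ZONE = {
    ("www.example.", "A"): (["192.0.2.33"],
                            sign_rrset("www.example.", "A", ["192.0.2.33"])),
}


def resolver_dns64(name):
    """Resolver-side DNS64: no AAAA in the zone, so synthesize one from the A RRset.

    The RRSIG covers the A RRset, not the synthesized AAAA RRset, so the
    answer handed to the stub carries no signature a validator could accept.
    """
    if (name, "AAAA") in ZONE:
        rdata, sig = ZONE[(name, "AAAA")]
        return {"rtype": "AAAA", "rdata": rdata, "rrsig": sig}
    if (name, "A") in ZONE:
        rdata, _ = ZONE[(name, "A")]
        return {"rtype": "AAAA",
                "rdata": [synthesize_aaaa(a) for a in rdata],
                "rrsig": None}
    return None


def stub_validates(name, answer):
    """A validating stub accepts the answer only if an RRSIG covers exactly this RRset."""
    if answer is None or answer["rrsig"] is None:
        return False
    return verify_rrset(name, answer["rtype"], answer["rdata"], answer["rrsig"])


def host_side_dns64(name, prefix=NAT64_PREFIX):
    """Host-side alternative: fetch and validate the signed A RRset, then synthesize locally.

    `prefix` stands for the result of NAT64 prefix discovery on the host.
    Returns None if validation fails, otherwise the locally synthesized AAAA RDATA.
    """
    if (name, "A") not in ZONE:
        return None
    rdata, sig = ZONE[(name, "A")]
    if not verify_rrset(name, "A", rdata, sig):
        return None
    return [synthesize_aaaa(a, prefix) for a in rdata]


if __name__ == "__main__":
    ans = resolver_dns64("www.example.")
    print("resolver DNS64 answer:", ans["rdata"], "validates:", stub_validates("www.example.", ans))
    print("host-side DNS64 after validating A:", host_side_dns64("www.example."))
```

The resolver path returns the synthesized address but the stub cannot validate it, because the only signature in the zone covers the A RRset; the host-side path validates the A RRset first and then applies the same RFC 6052 embedding locally, which is the arrangement Mikael says would keep DNSSEC working.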