From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <swmike@swm.pp.se>
Received: from uplift.swm.pp.se (ipv6.swm.pp.se [IPv6:2a00:801::f])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by huchra.bufferbloat.net (Postfix) with ESMTPS id F3C8121F34E
	for <bloat@lists.bufferbloat.net>; Sat, 13 Jun 2015 10:11:22 -0700 (PDT)
Received: by uplift.swm.pp.se (Postfix, from userid 501)
	id BD0C8A1; Sat, 13 Jun 2015 19:11:19 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=swm.pp.se; s=mail;
	t=1434215479; bh=qd90+A7gCGoANhzB42zpHnW1SMLDE8xXTYPx0SJrbhI=;
	h=Date:From:To:cc:Subject:In-Reply-To:References:From;
	b=Fk+csW7KfoWmNeKpWHcDRMwT2HkfRZlHzLT9cnO9Yy5IYEOFCyKTV9HKG34kkWMO2
	W6UET1SG1nRPbxDYX45xN4CFKWLjZgVFEhp90FMwdrRbpO77SLS+/PTPOO5KnGjyCK
	/iBh0gB5zuhg53sCotto2UQHx84lb4xRvJib+Ndc=
Received: from localhost (localhost [127.0.0.1])
	by uplift.swm.pp.se (Postfix) with ESMTP id B108E9F;
	Sat, 13 Jun 2015 19:11:19 +0200 (CEST)
Date: Sat, 13 Jun 2015 19:11:19 +0200 (CEST)
From: Mikael Abrahamsson <swmike@swm.pp.se>
To: Dave Taht <dave.taht@gmail.com>
In-Reply-To: <CAA93jw544AL0VCqK3_CQ6+RVtraqhAY6DnWS1r8TSK_hdT6DfA@mail.gmail.com>
Message-ID: <alpine.DEB.2.02.1506131908320.9487@uplift.swm.pp.se>
References: <alpine.DEB.2.02.1506131759180.9487@uplift.swm.pp.se>
	<CAA93jw544AL0VCqK3_CQ6+RVtraqhAY6DnWS1r8TSK_hdT6DfA@mail.gmail.com>
User-Agent: Alpine 2.02 (DEB 1266 2009-07-14)
Organization: People's Front Against WWW
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: bloat <bloat@lists.bufferbloat.net>
Subject: Re: [Bloat] Apple ECN, Bufferbloat, CoDel
X-BeenThere: bloat@lists.bufferbloat.net
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: General list for discussing Bufferbloat <bloat.lists.bufferbloat.net>
List-Unsubscribe: <https://lists.bufferbloat.net/options/bloat>,
	<mailto:bloat-request@lists.bufferbloat.net?subject=unsubscribe>
List-Archive: <https://lists.bufferbloat.net/pipermail/bloat>
List-Post: <mailto:bloat@lists.bufferbloat.net>
List-Help: <mailto:bloat-request@lists.bufferbloat.net?subject=help>
List-Subscribe: <https://lists.bufferbloat.net/listinfo/bloat>,
	<mailto:bloat-request@lists.bufferbloat.net?subject=subscribe>
X-List-Received-Date: Sat, 13 Jun 2015 17:11:51 -0000

On Sat, 13 Jun 2015, Dave Taht wrote:

> I don't understand how badly this is going to break dnssec. dnsmasq in 
> particular has been dealing with edge case after edge case on dnssec for 
> the last few months, and it was my hope we'd finally got them all.

DNS64 breaks DNSSEC because it creates an AAAA response where none is 
present in the zone being queried. It's basically doing MITM for DNS, 
which is exactly what DNSSEC was supposed to fix.

DNSSEC would work if Apple decided to just do NAT64 discovery and then do 
their own DNS64 in the host, but I have no information as to what is being 
done here.

At least DNSSEC still works between the Internet and the ISP DNS64 
resolver, but the end host won't be able to verify the response using 
DNSSEC.

-- 
Mikael Abrahamsson    email: swmike@swm.pp.se