[Bloat] Apple ECN, Bufferbloat, CoDel

Mark Andrews marka at isc.org
Sat Jun 13 20:28:07 EDT 2015


In message <alpine.DEB.2.02.1506131908320.9487 at uplift.swm.pp.se>, Mikael Abrahamsson writes:
> On Sat, 13 Jun 2015, Dave Taht wrote:
> 
> > I don't understand how badly this is going to break dnssec. dnsmasq in 
> > particular has been dealing with edge case after edge case on dnssec for 
> > the last few months, and it was my hope we'd finally got them all.
> 
> DNS64 breaks DNSSEC because it creates an AAAA response where none is 
> present in the zone being queried. It's basically doing MITM for DNS, 
> which is exactly what DNSSEC was supposed to fix.
> 
> DNSSEC would work if Apple decided to just do NAT64 discovery and then do 
> their own DNS64 in the host, but I have no information as to what is being 
> done here.
> 
> At least DNSSEC still works between the Internet and the ISP DNS64 
> resolver, but the end host won't be able to verify the response using 
> DNSSEC.

RFC 6147 is totally broken when it talks about DNSSEC.  The WG wanted
so much for there to be a bit that said "validation will be performed
on this answer" that they stopped listening.  There is no such bit
or combination of bits.

NAT64 and DNS64 need to die.  There are much better solutions to
providing IPv4 over IPv6 than NAT64 and DNS64 and 464XLAT that grew
from NAT64 and DNS64.

MAP and DS-Lite are better solutions.  They work with DNSSEC.  They
have the same PMTUD issues as NAT64.  Address selection rules provide
enough bias towards IPv6.

> -- 
> Mikael Abrahamsson    email: swmike at swm.pp.se
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
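
Added example, not part of the original message or of any project named in it: a sketch of the host-side alternative mentioned in the quoted text (NAT64 discovery followed by DNS64 done in the host), so the host can DNSSEC-validate the real A record before synthesizing. It assumes the RFC 7050 `ipv4only.arpa` discovery method and handles only /96 prefixes from RFC 6052; the function names and sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 7050: ipv4only.arpa has only these two well-known A records, so any
# AAAA answer for that name must have been synthesized by a DNS64 resolver.
WELL_KNOWN_V4 = {
    ipaddress.IPv4Address("192.0.0.170"),
    ipaddress.IPv4Address("192.0.0.171"),
}


def discover_nat64_prefix(aaaa_answers):
    """Derive the /96 NAT64 prefix from AAAA answers for ipv4only.arpa.

    Returns None when no answer embeds a well-known address in its low
    32 bits (no DNS64 in the path, or a prefix length other than /96).
    """
    for text in aaaa_answers:
        addr = int(ipaddress.IPv6Address(text))
        if ipaddress.IPv4Address(addr & 0xFFFFFFFF) in WELL_KNOWN_V4:
            return ipaddress.IPv6Network(((addr >> 32) << 32, 96))
    return None


def synthesize_aaaa(prefix, validated_a):
    """Host-side DNS64: embed an A record the host has already validated.

    The caller is expected to have DNSSEC-validated `validated_a` against
    the signed zone first; the synthesized address never needs a signature
    because it never leaves the host.
    """
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = int(ipaddress.IPv4Address(validated_a))
    return ipaddress.IPv6Address(int(prefix.network_address) | v4)


def embedded_ipv4(prefix, aaaa):
    """Return the IPv4 address inside a synthesized AAAA, or None.

    Useful for spotting resolver-synthesized answers: an AAAA inside the
    NAT64 prefix has no RRSIG in the origin zone that could cover it.
    """
    addr = ipaddress.IPv6Address(aaaa)
    if prefix.prefixlen != 96 or addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
```

The discovery answer for `ipv4only.arpa` is itself synthesized, so the prefix it yields cannot be DNSSEC-validated and has to be trusted by other means.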


