Re: Last Call: RFC 6346 successful: moving to Proposed Standard

2014-12-04 23:54:47
On Thu, Dec 4, 2014 at 10:02 PM, George Michaelson <ggm(_at_)algebras(_dot_)org> wrote:

Hang on.. the deployment of DNSSEC backed applications is a bit iffy if we
depend on deployment of DNS based tricks to cover for V4/V6 interoperation
surely?

Not at all.

If it isn't a public key or a security policy, an application has
absolutely no reason to validate DNSSEC chains. Since an A or AAAA record
isn't pointing to an authenticated endpoint, authentication at the client
is spurious.

There is value in validating A, AAAA etc. records at the resolver and there
is value in validating TLSA records at the application.

This is why we need DPRIV to provide authentication of the connection
between the client and its trusted resolver.


On Thu, Dec 4, 2014 at 11:07 PM, Mark Andrews <marka(_at_)isc(_dot_)org> wrote:

In message <CAKr6gn1e+Cq6v_eoPMFOpGmffX5jMeTzym3Q0DSD37zL649yhA(_at_)mail(_dot_)gmail(_dot_)com>, George Michaelson writes:

Hang on.. the deployment of DNSSEC backed applications is a bit iffy if we
depend on deployment of DNS based tricks to cover for V4/V6 interoperation
surely?

-G

Agreed but people still seemed to want it despite it breaking DNSSEC.
They seemed to think that it was the only way to get to IPv6 only
which it isn't.  DS-Lite host mode will get you to an IPv6 network.
It also doesn't result in address lookups failing because people
sign their zones.

DNS64 still results in a CGN (NAT64) for IPv4 traffic.
DS-Lite still results in a CGN for IPv4 traffic.


There has to be a gateway but the cute thing with DNS64 is that the gateway
can be provided in the destination network rather than having to be at the
source network. So the model is actually rather more powerful than carrier
grade NAT.
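The split argued for above (validate A/AAAA at the resolver, validate TLSA in the application) and the way DNS64 synthesis collides with a validating client can be modelled offline. The Python below is an added example, not code from this thread or from any of its participants. The zone, names and addresses are constructed sample data (192.0.2.0/24 is a documentation range, 64:ff9b::/96 is the RFC 6052 well-known prefix, and the TLSA digest is a labelled placeholder); the resolver and stub behaviour follow RFC 6052 (address embedding) and RFC 6147 (a DNS64 resolver does not synthesise when the query sets both CD and DO, and a validating stub may synthesise locally from a validated A RRset).

```python
"""Added example: how DNS64 AAAA synthesis interacts with DNSSEC validation.

Everything here is constructed sample data; nothing is looked up on the network.
"""
import ipaddress
from dataclasses import dataclass

# RFC 6052 well-known prefix, used by DNS64 when no network-specific Pref64 is configured.
WELL_KNOWN_PREF64 = ipaddress.IPv6Network("64:ff9b::/96")


@dataclass
class RRset:
    name: str
    rtype: str
    rdata: list
    signed: bool  # True when the RRset carries an RRSIG made with the zone's key


class ValidationError(Exception):
    """Raised where a validating stub would mark the answer bogus."""


# Constructed signed zone: an A record and a TLSA record, deliberately no AAAA record.
ZONE = {
    ("www.example.com.", "A"): RRset("www.example.com.", "A", ["192.0.2.1"], signed=True),
    ("_443._tcp.www.example.com.", "TLSA"): RRset(
        "_443._tcp.www.example.com.", "TLSA",
        ["3 1 1 PLACEHOLDER-SPKI-SHA256-DIGEST"], signed=True),
}


def dns64_synthesize(ipv4: str, pref64: ipaddress.IPv6Network = WELL_KNOWN_PREF64) -> str:
    """Embed an IPv4 address in a /96 Pref64 (RFC 6052 section 2.2, /96 layout)."""
    if pref64.prefixlen != 96:
        raise ValueError("this example only handles /96 prefixes")
    return str(ipaddress.IPv6Address(int(pref64.network_address) + int(ipaddress.IPv4Address(ipv4))))


def dns64_resolver_answer(zone, name, qtype, cd=False, pref64=WELL_KNOWN_PREF64):
    """Model a DNS64 resolver: answer from the zone, synthesising AAAA from A when no
    AAAA exists.  The resolver holds no zone key, so a synthesised RRset is unsigned.
    With CD set (a validating stub asking for raw data) it does not synthesise (RFC 6147)."""
    rrset = zone.get((name, qtype))
    if rrset is not None or qtype != "AAAA" or cd:
        return rrset
    a_rrset = zone.get((name, "A"))
    if a_rrset is None:
        return None
    return RRset(name, "AAAA", [dns64_synthesize(ip, pref64) for ip in a_rrset.rdata], signed=False)


def validating_stub_lookup(zone, name, qtype, cd=False):
    """A validating stub accepts only RRsets that chain to the zone's key."""
    rrset = dns64_resolver_answer(zone, name, qtype, cd=cd)
    if rrset is None:
        return []
    if not rrset.signed:
        raise ValidationError(f"{name} {qtype}: no valid RRSIG (DNS64-synthesised data)")
    return rrset.rdata


def stub_marks_bogus(zone, name, qtype) -> bool:
    """True when a naive validating stub (CD clear) rejects the DNS64 answer."""
    try:
        validating_stub_lookup(zone, name, qtype)
    except ValidationError:
        return True
    return False


def application_addresses(zone, name, pref64=WELL_KNOWN_PREF64):
    """RFC 6147 stub-resolver mode: ask with CD set, validate the A RRset yourself,
    then synthesise the IPv6 address locally with the known Pref64."""
    aaaa = validating_stub_lookup(zone, name, "AAAA", cd=True)
    if aaaa:
        return aaaa
    return [dns64_synthesize(ip, pref64) for ip in validating_stub_lookup(zone, name, "A", cd=True)]


if __name__ == "__main__":
    print("DNS64 answer:", dns64_resolver_answer(ZONE, "www.example.com.", "AAAA"))
    print("naive validating stub rejects it:", stub_marks_bogus(ZONE, "www.example.com.", "AAAA"))
    print("TLSA validated at the application:",
          validating_stub_lookup(ZONE, "_443._tcp.www.example.com.", "TLSA"))
    print("stub-mode synthesis after validating A:", application_addresses(ZONE, "www.example.com."))
```

The model makes the reply's point concrete: the TLSA lookup validates regardless of how addresses are produced, the unsigned synthesised AAAA is exactly what a validating client cannot accept, and a client that wants both DNS64 and DNSSEC has to validate the A RRset and embed the address itself rather than trust the resolver's synthesis.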