
v6ops-nat64-pb-statement-req: DNSSEC requirement



draft-ietf-v6ops-nat64-pb-statement-req-00.txt says:

>    R10: DNSSec support
> 
>    DNSSec support MUST NOT be prevented.
>    o  R10.1: In particular, if an IPv6 node is initiating a
>       communication with an IPv4 that is located behind a translator,
>       the IPv6 initiator MUST be able to perform DNSSec verification of
>       the DNS information of the IPv4 target. (strong consensus on this
>       one).
> 
>    o  R10.2: In particular, if an IPv4 node is initiating a
>       communication with an IPv6 that is located behind a translator,
>       the IPv4 initiator MUST be able to perform DNSSec verification of
>       the DNS information of the IPv4 target.  This may require the
>       modification of the IPv4 node as well. (not clear if there
>       consensus on this one)

Maybe I don't understand what the above means, but it seems to me to
be unworkable. I.e., if an IPv6 node requests an AAAA record for an
IPv4-only node, there won't be an AAAA record and it will need to be
synthesized. By definition, such a synthesized DNS RR won't be
verifiable via DNSSEC because it is in fact an unauthorized
fabrication.

What am I missing here?

Thomas