Re: Last Call: RFC 6346 successful: moving to Proposed Standard

On Thu, Dec 4, 2014 at 10:02 PM, George Michaelson <ggm@xxxxxxxxxxxx> wrote:
Hang on.. the deployment of DNSSEC backed applications is a bit iffy if we depend on deployment of DNS based tricks to cover for V4/V6 interoperation surely?


Not at all.

If it isn't a public key or a security policy, an application has absolutely no reason to validate DNSSEC chains. Since an A or AAAA record isn't pointing to an authenticated endpoint, authentication at the client is spurious.

There is value in validating A, AAAA etc. records at the resolver and there is value in validating TLSA records at the application.

This is why we need DPRIV to provide authentication of the connection between the client and its trusted resolver.


On Thu, Dec 4, 2014 at 11:07 PM, Mark Andrews <marka@xxxxxxx> wrote:

In message <CAKr6gn1e+Cq6v_eoPMFOpGmffX5jMeTzym3Q0DSD37zL649yhA@xxxxxxxxxxxxxx>, George Michaelson writes:
>
> Hang on.. the deployment of DNSSEC backed applications is a bit iffy if we
> depend on deployment of DNS based tricks to cover for V4/V6 interoperation
> surely?
>
> -G

Agreed, but people still seemed to want it despite it breaking DNSSEC.
They seemed to think that it was the only way to get to IPv6 only,
which it isn't.  DS-Lite host mode will get you to an IPv6 network.
It also doesn't result in address lookups failing because people
sign their zones.

DNS64 still results in a CGN (NAT64) for IPv4 traffic.
DS-Lite still results in a CGN for IPv4 traffic.

There has to be a gateway but the cute thing with DNS64 is that the gateway can be provided in the destination network rather than having to be at the source network. So the model is actually rather more powerful than carrier grade NAT.
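To make the "DNS64 breaks DNSSEC" point concrete, here is an added example (not code from anyone in this thread) of the AAAA synthesis a DNS64 resolver performs under RFC 6052, plus the reverse mapping a NAT64 gateway applies. The synthesized AAAA exists only in the resolver, never in the signed zone, so it carries no RRSIG; that is why validating such records belongs at the resolver, not the stub. The function names and the sample addresses (RFC 6052's 192.0.2.33 and documentation prefixes) are my own choices.

```python
import ipaddress

# Well-known prefix from RFC 6052 section 2.1; operators may run their own Pref64::/n.
WELL_KNOWN_PREFIX = "64:ff9b::/96"
# Prefix lengths RFC 6052 section 2.2 permits for Pref64::/n.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def synthesize_aaaa(ipv4, pref64=WELL_KNOWN_PREFIX):
    """Embed an IPv4 address in Pref64::/n the way a DNS64 resolver does.

    The returned address is fabricated by the resolver, not served by the zone,
    so no RRSIG covers it: a validating stub behind DNS64 cannot verify it.
    """
    v4 = int(ipaddress.IPv4Address(ipv4))
    net = ipaddress.IPv6Network(pref64)
    n = net.prefixlen
    if n not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"Pref64 length /{n} is not permitted by RFC 6052")
    value = int(net.network_address)
    if n == 96:
        return ipaddress.IPv6Address(value | v4)  # IPv4 fills bits 96..127
    # Shorter prefixes: bits 64..71 (the "u" octet) must be zero, so the IPv4
    # address is split: the first 64-n bits go in bits n..63, the rest at bit 72.
    high_bits = 64 - n
    low_bits = 32 - high_bits
    high_part = v4 >> low_bits
    low_part = v4 & ((1 << low_bits) - 1)
    value |= high_part << 64              # least significant bit lands on bit 63
    value |= low_part << (56 - low_bits)  # most significant bit lands on bit 72
    return ipaddress.IPv6Address(value)


def extract_ipv4(ipv6, pref64=WELL_KNOWN_PREFIX):
    """Recover the embedded IPv4 address, as the NAT64 gateway does on egress."""
    addr = ipaddress.IPv6Address(ipv6)
    net = ipaddress.IPv6Network(pref64)
    if addr not in net:
        raise ValueError(f"{addr} is not inside Pref64 {net}")
    bits = int(addr)
    n = net.prefixlen
    if n == 96:
        return ipaddress.IPv4Address(bits & 0xFFFFFFFF)
    high_bits = 64 - n
    low_bits = 32 - high_bits
    high_part = (bits >> 64) & ((1 << high_bits) - 1)
    low_part = (bits >> (56 - low_bits)) & ((1 << low_bits) - 1)
    return ipaddress.IPv4Address((high_part << low_bits) | low_part)
```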
