1 / 25

DNS64 draft-bagnulo-behave-dns64-01

DNS64 draft-bagnulo-behave-dns64-01. m. bagnulo, P. Matthews, I. van Beijnum, A. Sullivan, M. Endo IETF 73 - Mineapolis. Application scenario. DNS64. NAT64. IPv6 Only host. IPv4 Only Host. Communications initiated by the v6-only host

jaron
Download Presentation

DNS64 draft-bagnulo-behave-dns64-01

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. DNS64draft-bagnulo-behave-dns64-01 m. bagnulo, P. Matthews, I. van Beijnum, A. Sullivan, M. Endo IETF 73 - Mineapolis

  2. Application scenario DNS64 NAT64 IPv6 Only host IPv4 Only Host • Communications initiated by the v6-only host • No support for communications initiated by the v4 only side without previous action from the v6 side (i.e. No support for v6 only servers, beyond the creation of static mappings) • No changes required in any host for basic functionality • Supports communications initiated using the FQDN (of the v4 node) using DNS64

  3. Application scenario – refinedAn-IPv6-network-to-IPv4-Internet DNS64 NAT64 IPv6 Only host IPv4 Only Host IPv6 end site or IPv6 end site and IPv6 ISP IPv4 Internet

  4. Application scenario – refinedIPv6-Internet-to-an-IPv4-network DNS64 NAT64 IPv6 Only host IPv4 Only Host IPv6 Internet IPv4 end site

  5. DNS64 function location • DNS64 can be located: • In the local name server • Simplifies deployment • Supports legacy hosts • In the end host • Enables additional features e.g. Validating stub-resolver

  6. OverviewAn-IPv6-network-to-IPv4-InternetDNS64 in the local name server DNS64 DNS v4 NAT64 AAAA RR for FQDN(H4) ? IPT H4 IP4 v6 H6 IP6

  7. OverviewAn-IPv6-network-to-IPv4-InternetDNS64 in the local name server DNS64 DNS AAAA RR for FQDN(H4) ? v4 NAT64 AAAA RR for FQDN(H4) ? IPT H4 IP4 v6 H6 IP6

  8. OverviewAn-IPv6-network-to-IPv4-InternetDNS64 in the local name server DNS64 enpty DNS AAAA RR for FQDN(H4) ? v4 NAT64 AAAA RR for FQDN(H4) ? IPT H4 IP4 v6 H6 IP6

  9. OverviewAn-IPv6-network-to-IPv4-InternetDNS64 in the local name server DNS64 DNS A RR for FQDN(H4) ? v4 NAT64 AAAA RR for FQDN(H4) ? IPT H4 IP4 v6 H6 IP6

  10. OverviewAn-IPv6-network-to-IPv4-InternetDNS64 in the local name server DNS64 IP4 DNS A RR for FQDN(H4) ? v4 NAT64 AAAA RR for FQDN(H4) ? IPT H4 IP4 v6 H6 IP6

  11. OverviewAn-IPv6-network-to-IPv4-InternetDNS64 in the local name server Synthetizes AAAA RR as Pref::/96+IPv4 DNS64 DNS v4 NAT64 IPT H4 IP4 v6 H6 IP6

  12. OverviewAn-IPv6-network-to-IPv4-InternetDNS64 in the local name server DNS64 DNS v4 NAT64 AAAA RR Pref:IP4 IPT H4 IP4 v6 H6 IP6

  13. OverviewAn-IPv6-network-to-IPv4-InternetDNS64 in the local name server DNS64 DNS v4 NAT64 IPT H4 IP4 v6 H6 IP6 Src: IP6,s Dest: Pref:IP4,d

  14. OverviewAn-IPv6-network-to-IPv4-InternetDNS64 in the local name server DNS64 DNS v4 NAT64 IPT H4 IP4 v6 H6 IP6 IP6,s<->T,t

  15. OverviewAn-IPv6-network-to-IPv4-InternetDNS64 in the local name server DNS64 DNS v4 NAT64 IPT H4 IP4 v6 H6 IP6 Src: T,t Dest: IP4,d

  16. A couple of design questions

  17. Tagging Synthetic AAAA RR • When AAAA RR are synthesized by other than the auhtoritative server, different DNS64 can synthesize different AAAA RR • Different answers for the same fqdn depending on the part of the topology • Question: Does it make sense to tag these as synthetic? • Feedback from DNSext • You can do this, but not needed from DNS perspective

  18. DNSSEC support • An-IPv6-network-to-IPv4-Internet case • Difficulty is how to validate data when the DNS64 is synthesizing RR for other domains • IPv6-Internet-to-An-IPv4-network • Auhtoritative server synthezising AAAA RR • Main difficulties is when to sign the new RR

  19. DNSSEC: An-IPv6-network-to-IPv4-Internet case • Proposal: • Include the A RR information in the response that contains the synthetic AAAA RR • Similar behaviour of DNAME • Validating, Translation aware stub resolver can use the A RR DNSSEC information to validate the synthetic AAAA RR • Validating translation-oblivious stub resolver behind a translator is not supported.

  20. DNSSEC IPv6-Internet-to-An-IPv4-network • When is the synthesis performed? • If done when the query is received, can we sign the RR on the fly? • How this interacts with DynDNS? • Feedback from DNSext: • Synthesis is to be performed upon the reception of the DynDNs update • Generating and signing when query is received is not possible • Key may be offline

  21. Questions?

  22. DNSSEC support • Rso: security-oblivious server working in recursive mode • Rsa: security-aware server working in recursive mode • Rsav: validating security-aware recursive name server • Rsan: non validating security-aware recursive name server • The recursive server is also performing DNS64.

  23. DNSSEC casesAn-IPv6-network-to-IPv4-Internet case

  24. Proposed behaviour (I)An-IPv6-network-to-IPv4-Internet case • If CD is not set and DO is not set, the server SHOULD perform validation and do any translation it wants. The DNS64 functionality MAY translate the A record to AAAA. • DNS64 server mode • If CD is not set and DO is set, then it SHOULD perform validation. If the data validates, the server MAY perform translation, but it MUST NOT set the AD bit. If the data does not validate, it MUST respond with RCODE=2 (server failure). • DNS64 server mode

  25. Proposed behaviour (II)An-IPv6-network-to-IPv4-Internet case • If the CD is set and DO is set, then it SHOULD NOT perform validation, and it SHOULD NOT perform translation. It SHOULD hand the data back to the query initiator, just like a regular recursing server, and depend on the client to do the validation and the translation itself. • DNS end host mode

More Related