DNS64 draft-bagnulo-behave-dns64-01

Slides: 26
Provided by: marcelobag
Learn more at: https://www.ietf.org
Transcript and Presenter's Notes


1
DNS64 draft-bagnulo-behave-dns64-01
  • M. Bagnulo, P. Matthews, I. van Beijnum, A.
    Sullivan, M. Endo
  • IETF 73 - Vancouver

2
Application scenario
[Diagram: IPv6-only host, DNS64, NAT64, IPv4-only host]
  • Communications initiated by the v6-only host
  • No support for communications initiated by the v4
    only side without previous action from the v6
    side (i.e. No support for v6 only servers, beyond
    the creation of static mappings)
  • No changes required in any host for basic
    functionality
  • Supports communications initiated using the FQDN
    (of the v4 node) using DNS64

3
Application scenario refined: An-IPv6-network-to-IPv4-Internet
[Diagram: IPv6-only host in an IPv6 end site (or IPv6 end site and IPv6 ISP); DNS64; NAT64; IPv4-only host in the IPv4 Internet]

4
Application scenario refined: IPv6-Internet-to-an-IPv4-network
[Diagram: IPv6-only host in the IPv6 Internet; DNS64; NAT64; IPv4-only host in an IPv4 end site]

5
DNS64 function location
  • DNS64 can be located:
    • In the local name server
      • Simplifies deployment
      • Supports legacy hosts
    • In the end host
      • Enables additional features, e.g. validating
        stub-resolver

6
Overview: An-IPv6-network-to-IPv4-Internet, DNS64 in the local name server
[Diagram, repeated on slides 6 to 15: H6 (IP6) on the v6 side; H4 (IP4) on the v4 side; DNS64; DNS; NAT64 (IPT). Label shown on this slide: "AAAA RR for FQDN(H4)?"]

7
Overview (same diagram). Labels shown: "AAAA RR for FQDN(H4)?" (twice)

8
Overview (same diagram). Labels shown: "empty"; "AAAA RR for FQDN(H4)?" (twice)

9
Overview (same diagram). Labels shown: "A RR for FQDN(H4)?"; "AAAA RR for FQDN(H4)?"

10
Overview (same diagram). Labels shown: "IP4"; "A RR for FQDN(H4)?"; "AAAA RR for FQDN(H4)?"

11
Overview (same diagram). Label shown: DNS64 synthesizes AAAA RR as Pref/96 + IPv4

12
Overview (same diagram). Label shown: "AAAA RR Pref+IP4"

13
Overview (same diagram). Label shown: "Src: IP6,s  Dest: Pref+IP4,d"

14
Overview (same diagram). Label shown: "IP6,s <-> T,t"

15
Overview (same diagram). Label shown: "Src: T,t  Dest: IP4,d"

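The lookup sequence from slides 6 to 13, as an added example that is not part of the original slides or the draft: the DNS64 passes a native AAAA through, falls back to the A record on an empty answer, and synthesizes Pref/96 + IPv4, which the NAT64 later reverses. The documentation prefix 2001:db8:64::/96, the zone data and all function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data standing in for the ordinary DNS (no network access).
ZONE = {
    ("h4.example.", "A"): ["192.0.2.33"],
    ("dual.example.", "A"): ["192.0.2.80"],
    ("dual.example.", "AAAA"): ["2001:db8:1::80"],
}
PREF = ipaddress.IPv6Network("2001:db8:64::/96")  # assumed Pref/96


def upstream(name, rrtype):
    """Answer from the regular DNS; an empty list models the empty response."""
    return ZONE.get((name, rrtype), [])


def synthesize(ipv4, pref=PREF):
    """Pref/96 + IPv4: the 32 address bits fill the low 32 bits of the prefix."""
    if pref.prefixlen != 96:
        raise ValueError("this example only handles a /96 prefix")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(pref.network_address) | v4))


def dns64_aaaa(name):
    """Handle an AAAA query from H6; returns (addresses, is_synthetic)."""
    real = upstream(name, "AAAA")
    if real:                          # a native AAAA exists: never override it
        return real, False
    a_records = upstream(name, "A")   # empty AAAA answer: ask for the A RR
    return [synthesize(a) for a in a_records], bool(a_records)


def nat64_extract(dest, pref=PREF):
    """NAT64 side: recover IP4 from a Pref+IP4 destination, None if outside Pref."""
    addr = ipaddress.IPv6Address(dest)
    if addr not in pref:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


if __name__ == "__main__":
    for fqdn in ("h4.example.", "dual.example.", "missing.example."):
        print(fqdn, dns64_aaaa(fqdn))
```

The `is_synthetic` flag is the piece of information that the tagging discussion on slides 17 and 18 asks whether to expose to clients.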
16
A couple of design questions
17
Tagging Synthetic AAAA RR
  • When AAAA RRs are synthesized by a server other than
    the authoritative server, different DNS64s can
    synthesize different AAAA RRs
  • Different answers for the same FQDN depending on
    the part of the topology
  • Question: Does it make sense to tag these as
    synthetic?

18
How to tag synthetic AAAA RR?
  • If we decide to tag synthetic RRs, how should we
    do that?
  • New RR AAAASYNT
    • We would have to synthesize BOTH the AAAA RR and
      the new AAAASYNT RR
    • The DNS response includes the synthetic AAAA RR
      and the AAAASYNT RR in the additional information
    • Updated apps can query directly for the AAAASYNT RR
  • EDNS0 option
    • Add the EDNS0 option when the AAAA RR contained
      in the answer is synthetic
    • Limitation is that this marks only the transport

19
DNSSEC support
  • An-IPv6-network-to-IPv4-Internet case
    • Difficulty is how to validate data when the DNS64
      is synthesizing RRs for other domains
  • IPv6-Internet-to-An-IPv4-network case
    • Authoritative server synthesizing AAAA RRs
    • Main difficulty is when to sign the new RR

20
DNSSEC support
  • Rso: security-oblivious server working in
    recursive mode
  • Rsa: security-aware server working in recursive
    mode
  • Rsav: validating security-aware recursive name
    server
  • Rsan: non-validating security-aware recursive name
    server
  • The recursive server is also performing DNS64.

21
DNSSEC cases: An-IPv6-network-to-IPv4-Internet case
  • Rso
    • DO set, CD reset: No support from the server. Similar to non-DNS64 case.
    • DO set, CD set: No support from the server. Similar to non-DNS64 case.
  • Rsan
    • DO set, CD reset: Hand back data as normal. Similar to case Rso?
    • DO set, CD set: Needs to pass all the data for validation back to the initiator (no synthetic RR can be passed here!). DNS64 server mode not supported, DNS64 end host mode OK.
  • Rsav
    • DO set, CD reset: Rsav validates the data. If it fails, it returns RCODE 2 (SERVFAIL); otherwise, it returns the answer. DNS64-in-the-server mode: Rsav validates the data, then synthesizes the new record and passes that to the client.
    • DO set, CD set: Same as Rsan case above.

22
Proposed behaviour (I): An-IPv6-network-to-IPv4-Internet case
  • If CD is not set and DO is not set, the server
    SHOULD perform validation and do any translation
    it wants. The DNS64 functionality MAY translate
    the A record to AAAA.
    • DNS64 server mode
  • If CD is not set and DO is set, then it SHOULD
    perform validation. If the data validates, the
    server MAY perform translation, but it MUST NOT
    set the AD bit. If the data does not validate, it
    MUST respond with RCODE 2 (server failure).
    • DNS64 server mode

23
Proposed behaviour (II): An-IPv6-network-to-IPv4-Internet case
  • If CD is set and DO is set, then it SHOULD
    NOT perform validation, and it SHOULD NOT perform
    translation. It SHOULD hand the data back to the
    query initiator, just like a regular recursing
    server, and depend on the client to do the
    validation and the translation itself.
    • DNS64 end host mode
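
The proposed behaviour on slides 22 and 23 written as a decision function, as an added example that is not part of the original slides or the draft. The `Decision` type and function names are hypothetical; two branches the slides leave open are marked as assumptions in the comments.

```python
from typing import NamedTuple, Optional

NOERROR, SERVFAIL = 0, 2   # RCODE 2 is the value named on the slides


class Decision(NamedTuple):
    validate: bool    # server runs DNSSEC validation
    translate: bool   # server may synthesize AAAA from A
    rcode: int        # response code returned to the client
    set_ad: bool      # AD bit in the response
    mode: str         # where the DNS64 function runs


def dns64_dnssec_policy(do: bool, cd: bool, validates: bool) -> Optional[Decision]:
    """Map the query's DO/CD bits and the validation outcome to server behaviour."""
    if cd and do:
        # SHOULD NOT validate, SHOULD NOT translate: act as a regular recursive
        # server; the client validates and translates (DNS64 end host mode).
        return Decision(False, False, NOERROR, False, "end-host")
    if cd and not do:
        return None   # combination not covered by the slides
    if not validates:
        # Stated on the slides for DO set; applying it when DO is clear
        # is an assumption of this example.
        return Decision(True, False, SERVFAIL, False, "server")
    # CD clear and the data validates: translation is allowed. With DO set the
    # slides say MUST NOT set AD; keeping AD clear when DO is clear is assumed.
    return Decision(True, True, NOERROR, False, "server")


def policy_table():
    """Every flag combination, usable as a test matrix for a DNS64 resolver."""
    return {
        (do, cd, ok): dns64_dnssec_policy(do, cd, ok)
        for do in (False, True)
        for cd in (False, True)
        for ok in (True, False)
    }


if __name__ == "__main__":
    for flags, decision in policy_table().items():
        print(dict(zip(("DO", "CD", "validates"), flags)), "->", decision)
```

No branch returns a synthesized record with AD set, and a validation failure never produces a translated answer.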

24
DNSSEC IPv6-Internet-to-An-IPv4-network
  • When is the synthesis performed?
  • If done when the query is received, can we sign
    the RR on the fly?
  • How does this interact with DynDNS?

25
Questions?