On 18 aug 2010, at 13.31, Ralph Droms wrote:

> Andrew, Directorate - I've been asked again by the IESG for a Directorate review of this document.  I need a volunteer to read and comment as soon as possible.  Thanks.

Here are my comments on the draft:

In the introduction:

>   These mechanisms are expected to play a critical role in the IPv4-
>   IPv6 transition and co-existence.  Due to IPv4 address depletion, it
>   is likely that in the future, many IPv6-only clients will want to
>   connect to IPv4-only servers.  In the typical case, the approach only
>   requires the deployment of IPv6/IPv4 translators that connect an
>   IPv6-only network to an IPv4-only network, along with the deployment
>   of one or more DNS64-enabled name servers.  However, some advanced
>   features require performing the DNS64 function directly in the end-
>   hosts themselves.

I do not like words like "advanced" in texts like these. Why is for example "validation of DNSSEC records in the end host resolver" to be "advanced"?

In the non-normative section, the following important information exists:

>   (NOTE: By IPv6-only hosts we mean hosts running IPv6-only
>   applications, hosts that can only use IPv6, as well as cases where
>   only IPv6 connectivity is available to the client.  By IPv4-only
>   servers we mean servers running IPv4-only applications, servers that
>   can only use IPv4, as well as cases where only IPv4 connectivity is
>   available to the server).


> 3.  Background to DNS64-DNSSEC interaction

As section 2 explicitly is non-normative, is section 3 normative as it is not say that it is not?

>   Here are the possible cases:

I think personally it would be better to, for each of the alternatives, compare the DNS64 impact on resolver and server than list (again) a more comprehensive DNSSEC behaviour list like this. But that is a personal opinion.

>   1.  A DNS64 (DNSSEC-aware or DNSSEC-oblivious) receives a query with
>       the DO bit clear.  In this case, DNSSEC is not a concern, because
>       the querying agent does not understand DNSSEC responses.

Should not it be mentioned that the DNS64, if being a DNS64 resolver, very well can do validation of the response, and act according to local policy? Similar to a case 5, but with local policy?

>   4.  A security-aware and non-validating DNS64 receives a query with
>       the DO bit set and the CD bit set.  In this case, the resolver is

What is "resolver" in this sentence? Looks to me that this is written only for the "DNS64 resolver" cases and not the DNS64 server case?

>       supposed to pass on all the data it gets to the query initiator
>       (see section 3.2.2 of [RFC4035]).  This case will not work with
>       DNS64, unless the validating resolver is prepared to do DNS64
>       itself.  If the DNS64 server modifies the record, the client will

Here one say "DNS64 server" and claim that it "modifies" the record. I do not understand what "modifies" implies at an authoritative server, as for me whatever comes from an authoritative server is the authoritative record. There is nothing that is modified. The records (the AAAA records) can in the case of a DNS64 server very well be signed AAAA records that are very stable and never changed. I.e. pre-populated in the zone and not at all something that is synthesized, and signed!

>       get the data back and try to validate it, and the data will be
>       invalid as far as the client is concerned.
> 
>   5.  A security-aware and validating DNS64 node receives a query with

Here is a new term, DNS64 node. Is that the same as "a DNS64" earlier, i.e. one of the three cases? I think in reality it is one of the "DNS64 resolver" cases one talk about here, and not "DNS64 server".

>       the DO bit clear and CD clear.  In this case, the resolver
>       validates the data.  If it fails, it returns RCODE 2 (Server
>       failure); otherwise, it returns the answer.  This is the ideal
>       case for vDNS64.  The resolver validates the data, and then
>       synthesizes the new record and passes that to the client.  The
>       client, which is presumably not validating (else it should have
>       set DO and CD), cannot tell that DNS64 is involved.
> 
>   6.  A security-aware and validating DNS64 node receives a query with

See comment above about "DNS64 node".

>       the DO bit set and CD clear.  This works like the previous case,
>       except that the resolver should also set the "Authentic Data"
>       (AD) bit on the response.
> 
>   7.  A security-aware and validating DNS64 node receives a query with

See comment above about "DNS64 node".

>       the DO bit set and CD set.  This is effectively the same as the
>       case where a security-aware and non-validating recursive resolver
>       receives a similar query, and the same thing will happen: the
>       downstream validator will mark the data as invalid if DNS64 has
>       performed synthesis.  The node needs to do DNS64 itself, or else
>       communication will fail.

> 4.  Terminology

I presume this is normative section. See comment above.

>   Authoritative server:  A DNS server that can answer authoritatively a
>      given DNS question.

Is "question" the correct term? I ask...

I try to say "Respond authoritatively to a DNS request" but I also know that some people do think it is a good thing to say query/answer when it explicitly is a query we talk about.

>   DNS64:  A logical function that synthesizes DNS resource records (e.g
>      AAAA records containing IPv6 addresses) from DNS resource records
>      actually contained in the DNS (e.g., A records containing IPv4
>      addresses).

Does it have to be synthesized? Also if it is a DNS64 server?

>   DNS64 recursor:  A recursive resolver that provides the DNS64
>      functionality as part of its operation.  This is the same thing as
>      "DNS64 in recursive resolver mode".

Above, in the non-normative section, this was called "DNS64 resolver" as well. Is "DNS64 recursor" a subset of "DNS resolver"? If it is, should not "DNS64 stub" also be defined?

>   DNS64 resolver:  Any resolver (stub resolver or recursive resolver)
>      that provides the DNS64 function.
> 
>   DNS64 server:  Any server providing the DNS64 function.

Authoritative server, or also resolvers?

>   Recursive resolver:  A DNS server that accepts requests from one
>      resolver, and asks another server (of some description) for the
>      answer on behalf of the first resolver.

Is this the same definition as in other documents?

>   Synthetic RR:  A DNS resource record (RR) that is not contained in
>      any zone data file, but has been synthesized from other RRs.  An
>      example is a synthetic AAAA record created from an A record.

Mumble, is "zone data file" a good wording? Should one not talk about "generated on request" instead? Maybe it is the best wording? Although some records might be in a database, and not at all in a file.

>   IPv6/IPv4 translator:  A device that translates IPv6 packets to IPv4
>      packets and vice-versa.  It is only required that the
>      communication initiated from the IPv6 side be supported.

> 5.  DNS64 Normative Specification

Here suddenly the normative part comes...

>   DNS64 is a logical function that synthesizes AAAA records from A
>   records.  The DNS64 function may be implemented in a stub resolver,
>   in a recursive resolver, or in an authoritative name server.

In an authoritative server they do not have to be synthesized.

>   DNS64 also responds to PTR queries involving addresses containing any
>   of the IPv6 prefixes it uses for synthesis of AAAA RRs.

> 5.1.2.  The answer when there is an error
> 
>   If the query results in a response with RCODE other than 0 (No error
>   condition), then there are two possibilities.  A result with RCODE=3
>   (Name Error) is handled according to normal DNS operation (which is
>   normally to return the error to the client).  This stage is still
>   prior to any synthesis having happened, so a response to be returned
>   to the client does not need any special assembly than would usually
>   happen in DNS operation.
> 
>   Any other RCODE is treated as though the RCODE were 0 and the answer
>   section were empty.

Maybe a reference to 5.1.6/5.1.7 (see below) here.

> 5.1.4.  Special exclusion set for AAAA records

This section is confusing, as other 5.1.* sections are alternatives. I.e. "issue an AAAA query, and do the following if this happens". Specifically as 5.1.4 is before 5.1.6 which is another alternative parallel to for example 5.1.2.

I.e. I think it would be better if the document was like this (not critical though):

5. Behaviour

5.1. Queries for AAAA

Issue a query for AAAA, and behave like the following:

5.1.1. A non-empty answer section, where the AAAA is not in the special range

5.1.2. A non-empty answer section, where the AAAA is in the special range

5.1.3. A non-empty answer section, with CNAME or DNAME

5.1.4. An answer with Errcode 3

5.1.5. Other errcodes

I.e. like a flowchart. One of the subsections matches. That makes it easier to know what to do and how to implement.

> 5.1.6.  Data for the answer when performing synthesis
:
> 5.1.7.  Performing the synthesis

5.1.6 and 5.1.7 should really be merged, and the section should be "errcode != 3 and an empty answer section"

>   o  The TTL field is set to the minimum of the TTL of the original A
>      RR and the SOA RR for the queried domain.  (Note that in order to
>      obtain the TTL of the SOA RR, the DNS64 does not need to perform a
>      new query, but it can remember the TTL from the SOA RR in the
>      negative response to the AAAA query.  If the SOA RR was not
>      delivered with the negative response to the AAAA query, then the
>      DNS64 SHOULD use a default value of 600 seconds.

Not really...it should be the smallest of 600 and the TTL for the A, right?

>      It is possible
>      instead to query explicitly for the SOA RR and use the result of
>      that query, but this will increase query load and time to
>      resolution for little additional benefit.)  This is in keeping
>      with the approach used in negative caching ([RFC2308]

Why not just stop after saying it should be the smallest of the TTL of the A and the SOA, and then let the rest be up to the implementor? I am nervous over more "fixed default values" for negative caching. If the SOA was not returned, then the DNS64 have to query for it.

>   o  The RDLENGTH field is set to 16
> 
>   o  The RDATA field is set to the IPv6 representation of the IPv4
>      address from the RDATA field of the A record.  The DNS64 SHOULD
>      check each A RR against configured IPv4 address ranges and select
>      the corresponding IPv6 prefix to use in synthesizing the AAAA RR.

Why only a SHOULD? And, is this not an implementation issue?

If you look at the specification of DNS64, the DNS64 MUST synthesize an AAAA record according to local policy.

And then reference 5.2 for discussion about policy/algorithms?

>      See Section 5.2 for discussion of the algorithms to be used in
>      effecting the transformation.

> 5.1.8.  Querying in parallel
> 
>   The DNS64 MAY perform the query for the AAAA RR and for the A RR in
>   parallel, in order to minimize the delay.  However, this would result
>   in performing unnecessary A RR queries in the case where no AAAA RR
>   synthesis is required.

Why is this "however" listed in a normative specification?

>   A possible trade-off would be to perform them
>   sequentially but with a very short interval between them, so if we
>   obtain a fast reply, we avoid doing the additional query.  (Note that
>   this discussion is relevant only if the DNS64 function needs to
>   perform external queries to fetch the RR.  If the needed RR
>   information is available locally, as in the case of an authoritative
>   server, the issue is no longer relevant.)

Everything from "However..." can be deleted.

There is nothing in 5.1 (what to do when querying for AAAA records) about the additional or authoritative section.

> 5.2.  Generation of the IPv6 representations of IPv4 addresses

Should not queries for other RR Types be in 5.2, and this be part of the "synthesizing responses" above, or some other section?

> 5.3.  Handling other Resource Records and the Additional Section
> 
> 5.3.1.  PTR Resource Record
> 
>   If a DNS64 server receives a PTR query for a record in the IP6.ARPA
>   domain, it MUST strip the IP6.ARPA labels from the QNAME, reverse the
>   address portion of the QNAME according to the encoding scheme
>   outlined in section 2.5 of [RFC3596], and examine the resulting
>   address to see whether its prefix matches any of the locally-
>   configured Pref64::/n.

...or the default well known prefix (that was not to be configured).

>   There are two alternatives for a DNS64 server

What about DNS64 resolvers that receive PTR queries?

>   2.  The second option is for the DNS64 nameserver to synthesize a
>       CNAME mapping the IP6.ARPA namespace to the corresponding IN-
>       ADDR.ARPA name.

Is this safe? I.e. it is clear no other RR Type than PTR exists with this owner?

See Apple Bonjour for example.

A query for a PTR record might not have owner in the IP6.ARPA, so 5.3.1 is really for PTR records in the IP6.ARPA domain. What about other PTR queries?

I guess the answer is here:

>   If the address prefix does not match any Pref64::/n, then the DNS64
>   server MUST process the query as though it were any other query; i.e.
>   a recursive nameserver MUST attempt to resolve the query as though it
>   were any other (non-A/AAAA) query, and an authoritative server MUST
>   respond authoritatively or with a referral, as appropriate.

No other RR Types need special treatment?

I.e. the flow is weird here as well in the document. Because other RR Types comes as 5.3.3.

> 5.3.2.  Handling the additional section
> 
>   DNS64 synthesis MUST NOT be performed on any records in the
>   additional section of synthesized answers.  The DNS64 MUST pass the
>   additional section unchanged.

The normative part of 5.3.2 should stop here. Remove the rest or move to non-normative section of this document.

> 5.4.  Assembling a synthesized response to a AAAA query

Here we have some text on how to do synthesis again?

Should not this be part of 5.1 that is about AAAA?

> 5.5.  DNSSEC processing: DNS64 in recursive resolver mode
> 
>   We consider the case where a recursive resolver that is performing
>   DNS64 also has a local policy to validate the answers according to
>   the procedures outlined in [RFC4035] Section 5.  We call this general
>   case vDNS64.

Then this is really:

5.5. DNSSEC processing: DNS64 in validating recursive resolver

>   The vDNS64 uses the presence of the DO and CD bits to make some
>   decisions about what the query originator needs, and can react
>   accordingly:
> 
>   1.  If CD is not set and DO is not set, vDNS64 SHOULD perform
>       validation and do synthesis as needed.  See the next item for
>       rules about how to do validation and synthesis.  In this case,
>       however, vDNS64 MUST NOT set the AD bit in any response.
> 
>   2.  If CD is not set and DO is set, then vDNS64 SHOULD perform
>       validation.  Whenever vDNS64 performs validation, it MUST
>       validate the negative answer for AAAA queries before proceeding
>       to query for A records for the same name, in order to be sure
>       that there is not a legitimate AAAA record on the Internet.
>       Failing to observe this step would allow an attacker to use DNS64
>       as a mechanism to circumvent DNSSEC.  If the negative response
>       validates, and the response to the A query validates, then the
>       vDNS64 MAY perform synthesis and SHOULD set the AD bit in the
>       answer to the client.  This is acceptable, because [RFC4035],
>       section 3.2.3 says that the AD bit is set by the name server side
>       of a security-aware recursive name server if and only if it
>       considers all the RRSets in the Answer and Authority sections to
>       be authentic.  In this case, the name server has reason to
>       believe the RRSets are all authentic, so it SHOULD set the AD
>       bit.  If the data does not validate, the vDNS64 MUST respond with
>       RCODE=2 (Server failure).
>       A security-aware end point might take the presence of the AD bit
>       as an indication that the data is valid, and may pass the DNS
>       (and DNSSEC) data to an application.  If the application attempts
>       to validate the synthesized data, of course, the validation will
>       fail.  One could argue therefore that this approach is not
>       desirable, but security aware stub resolvers must not place any
>       reliance on data received from resolvers and validated on their
>       behalf without certain criteria established by [RFC4035], section
>       4.9.3.  An application that wants to perform validation on its
>       own should use the CD bit.

Too much discussion. And (for example) last sentence have "should" in lower case. What does that imply?

Stay with what is normative. Move discussions and non-normative stuff to some other section.

>   3.  If the CD bit is set and DO is set, then vDNS64 MAY perform
>       validation, but MUST NOT perform synthesis.  It MUST return the
>       data to the query initiator, just like a regular recursive
>       resolver, and depend on the client to do the validation and the
>       synthesis itself.
>       The disadvantage to this approach is that an end point that is
>       translation-oblivious but security-aware and validating will not
>       be able to use the DNS64 functionality.  In this case, the end
>       point will not have the desired benefit of NAT64.  In effect,
>       this strategy means that any end point that wishes to do
>       validation in a NAT64 context must be upgraded to be translation-
>       aware as well.

(Re)move second paragraph.

> 6.  Deployment notes

Normative?

> 7.  Deployment scenarios and examples
> 

>   In this section, we walk through some sample scenarios that are
>   expected to be common deployment cases.  It should be noted that this
>   is provided for illustrative purposes and this section is not
>   normative.

Good.

> 8.  Security Considerations
> 
>   DNS64 operates in combination with the DNS, and is therefore subject
>   to whatever security considerations are appropriate to the DNS mode
>   in which the DNS64 is operating (i.e. authoritative, recursive, or
>   stub resolver mode).
> 
>   DNS64 has the potential to interfere with the functioning of DNSSEC,
>   because DNS64 modifies DNS answers, and DNSSEC is designed to detect
>   such modification and to treat modified answers as bogus.  See the
>   discussion above in Section 3, Section 5.5, and Section 6.2.

It should be noted what might happen if the translator between IPv4 and IPv6 is not in sync with this box.

Additionally:

There is no text on how to handle the query and additional section of the request/response.

  Patrik