idnits 2.17.1 

draft-bp-v6ops-ipv6-ready-dns-dnssec-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (October 10, 2018) is 2026 days in the past.  Is this
     intentional?


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

     No issues found here.

     Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------


2	v6ops                                                           C. Byrne
3	Internet-Draft                                              T-Mobile USA
4	Intended status: Informational                         J. Palet Martinez
5	Expires: April 13, 2019                                 The IPv6 Company
6	                                                        October 10, 2018

8	                 IPv6-Ready DNS/DNSSSEC Infrastructure
9	                draft-bp-v6ops-ipv6-ready-dns-dnssec-00

11	Abstract

13	   This document defines the timing for implementing a worldwide
14	   IPv6-Ready DNS and DNSSEC infrastructure, in order to facilitate the
15	   global IPv6-only deployment.

17	   A key issue for this, is the need for a global support of DNSSEC and
18	   DNS64, which in some scenarios do not work well together.  This
19	   document states that any DNSSEC signed resources records should
20	   include a native IPv6 resource record as the most complete and
21	   expedient path to solve any deployment conflict with DNS64 and DNSSEC

23	Status of This Memo

25	   This Internet-Draft is submitted in full conformance with the
26	   provisions of BCP 78 and BCP 79.

28	   Internet-Drafts are working documents of the Internet Engineering
29	   Task Force (IETF).  Note that other groups may also distribute
30	   working documents as Internet-Drafts.  The list of current Internet-
31	   Drafts is at https://datatracker.ietf.org/drafts/current/.

33	   Internet-Drafts are draft documents valid for a maximum of six months
34	   and may be updated, replaced, or obsoleted by other documents at any
35	   time.  It is inappropriate to use Internet-Drafts as reference
36	   material or to cite them other than as "work in progress."

38	   This Internet-Draft will expire on April 13, 2019.

40	Copyright Notice

42	   Copyright (c) 2018 IETF Trust and the persons identified as the
43	   document authors.  All rights reserved.

45	   This document is subject to BCP 78 and the IETF Trust's Legal
46	   Provisions Relating to IETF Documents
47	   (https://trustee.ietf.org/license-info) in effect on the date of
48	   publication of this document.  Please review these documents
49	   carefully, as they describe your rights and restrictions with respect
50	   to this document.  Code Components extracted from this document must
51	   include Simplified BSD License text as described in Section 4.e of
52	   the Trust Legal Provisions and are provided without warranty as
53	   described in the Simplified BSD License.

55	Table of Contents

57	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
58	   2.  Requirements Language . . . . . . . . . . . . . . . . . . . .   3
59	   3.  The Conflict Between DNS64 and DNSSEC . . . . . . . . . . . .   3
60	   4.  Resolving the DNS64 and DNSSEC Conflict by Requiring AAAA . .   3
61	   5.  Ensuring a smooth IPv4-IPv6 transition by Requiring AAAA  . .   4
62	   6.  Definition of IPv6-Ready DNS/DNSSEC Infrastructure  . . . . .   4
63	   7.  Implementation timing . . . . . . . . . . . . . . . . . . . .   4
64	   8.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
65	   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
66	   10. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   5
67	   11. Normative References  . . . . . . . . . . . . . . . . . . . .   5
68	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   6

70	1.  Introduction

72	   One of the main issues to ensure the best path for the IPv4 to IPv6
73	   transition and the support of an IPv6-only Internet, is to ensure
74	   that all the services remain accessible by means of DNS.

76	   One of the alternatives is the use of NAT64 ([RFC6146]) and DNS64
77	   ([RFC6147]), sometimes by means 464XLAT ([RFC6877]), which will help
78	   to ensure that, when a network or part of it, becomes IPv6-only,
79	   still can have access to IPv4-only resources.

81	   DNS64 ([RFC6147]) is a widely deployed technology allowing hundreds
82	   of millions of IPv6-only hosts/networks to reach IPv4-only resources.
83	   DNSSEC is a technology used to validate the authenticity of
84	   information in the DNS, however, as DNS64 ([RFC6147]) modifies DNS
85	   answers and DNSSEC is designed to detect such modifications, DNS64
86	   ([RFC6147]) can break DNSSEC in some circumstances.

88	   Furthermore, the deployment of those transition mechanisms means that
89	   the cost of the transition is on the back of the service provider,
90	   because the investment required in the devices that take care of that
91	   transition services and the support of the helpdesks to resolve
92	   issues.  So in the end, all that cost is indirectly charged to the
93	   end-user, which is unfair.

95	   It seems obvious that should not be that way, and the end-goal is a
96	   situation where we get rid-off IPv4-only services, and meanwhile, the
97	   cost borne by the IPv4 laggards operating those services.

99	   This document provides the steps to be able to tackle that situation
100	   and advance with the global IPv6 deployment in a fair way.

102	   The document also states that the most complete and expedient path to
103	   avoid any negative interactions is, for the DNSSEC signed resources,
104	   to always include IPv6 AAAA resources records.  As stated in
105	   [RFC6540], IPv6 [RFC8200] is not optional and failing to support IPv6
106	   may result in failure to communicate on the Internet, especially when
107	   DNSSEC signed IPv4-only resources are present.

109	2.  Requirements Language

111	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
112	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
113	   "OPTIONAL" in this document are to be interpreted as described in BCP
114	   14 [RFC2119] [RFC8174] when, and only when, they appear in all
115	   capitals, as shown here.

117	3.  The Conflict Between DNS64 and DNSSEC

119	   DNS64 ([RFC6147]) is a key part of widely deployed IPv6-only
120	   transition mechanism such as 464XLAT ([RFC6877]) and Happy Eyeballs
121	   version 2 ([RFC8305]).  Currently, hundreds of millions of hosts rely
122	   on DNS64 ([RFC6147]) for access to the Internet.  A core function of
123	   DNS64 ([RFC6147]) is generating an inauthentic AAAA DNS record when
124	   an authentic AAAA DNS record for a host is not available from the
125	   authoritative nameserver.  DNSSEC's fundamental feature is detecting
126	   and denying inauthentic DNS resource records.  While DNS64
127	   ([RFC6147]) outlines may work in harmony with DNSSEC, the
128	   preconditions may not always exist for harmony to be achieved.

130	4.  Resolving the DNS64 and DNSSEC Conflict by Requiring AAAA

132	   DNS64 ([RFC6147]) and DNSSEC are both important components of the
133	   current and future Internet.  The limitation for how these protocols
134	   interact is unlikely to changes.  Deploying DNSSEC and IPv6 are both
135	   commonly achievable for a typical Internet system operator using
136	   their own systems or using a third-party service.  The resolution to
137	   the DNS64 ([RFC6147]) and DNSSEC conflict is to simply deploy both,
138	   IPv6 and DNSSEC in tandem.

140	   Deploying DNSSEC signed IPv4 resources records without matching IPv6
141	   records is a risk and not recommend.

143	   Ultimately, this guidance is simply restating [RFC6540], that IPv6 is
144	   mandatory for all Internet systems.

146	5.  Ensuring a smooth IPv4-IPv6 transition by Requiring AAAA

148	   Similarly, to what is stated in the precedent section for DNS64
149	   ([RFC6147]) and DNSSEC, a smoother and less painful transition from
150	   IPv4 to IPv6, and the succesful deployment of an IPv6-only Internet,
151	   can be facilitated by requiring AAAA resource records at every DNS
152	   instance.

154	6.  Definition of IPv6-Ready DNS/DNSSEC Infrastructure

156	   In the context of this document, and others that may be generated as
157	   a consequence of it, "IPv6-Ready DNS/DNSSEC Infrastructure" means
158	   that a DNS/DNSSEC server (root, TLD, authoritative NS, others) is
159	   fully accessible and operational if queried either from a remote
160	   dual-stack network or an IPv6-only network.

162	   In general, that means having AAAA RRs in addition to A RRs, ensuring
163	   that PMTUD works correctly and fragmentation is correctly handled.

165	   In case DNSSEC is implemented with IPv4, it MUST support also
166	   IPv6-only operation according the above considerations.

168	7.  Implementation timing

170	   Towards the implementation of the worldwide IPv6-Ready DNS/DNSSEC
171	   infrastructure, considering that there are no excuses for a DNS
172	   operator to support IPv6, the following deadlines are defined
173	   counting since the date this document becomes an RFC:

175	   1.  All the root and TLDs MUST be IPv6-Ready in 6 months.

177	   2.  All the DNSSEC signed zones MUST be IPv6-Ready in 6 months.

179	   3.  All the authoritative NS MUST be IPv6-Ready in 12 months.

181	   4.  The remaining RRs in other DNS servers, MUST be IPv6-Ready in 18
182	       months.

184	   Probing mechanisms to verify that the relevant AAAA are fully
185	   operational MUST be setup by IANA.  If there is a failure at the
186	   deadline in complying with those requirements, the relevant NS, MUST
187	   be temporarily suspended until there is a subsequent successful
188	   verification.

190	8.  Security Considerations

192	   DNSSEC is a good security practice.  Providing AAAA DNSSEC signed
193	   records wherever a DNSSEC signed A record is used ensures the most
194	   effective use of DNSSEC.

196	9.  IANA Considerations

198	   IANA and ICANN are instructed by means of this document, to take the
199	   relevant measures for ensuring the steps towards the above indicated
200	   implementation timing.

202	   It is suggested that frequent warnings are provided to the relevant
203	   stakeholders, in advance to each of the deadlines.

205	10.  Acknowledgements

207	   The author would like to acknowledge the inputs of ... TBD.

209	11.  Normative References

211	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
212	              Requirement Levels", BCP 14, RFC 2119,
213	              DOI 10.17487/RFC2119, March 1997,
214	              <https://www.rfc-editor.org/info/rfc2119>.

216	   [RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
217	              NAT64: Network Address and Protocol Translation from IPv6
218	              Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
219	              April 2011, <https://www.rfc-editor.org/info/rfc6146>.

221	   [RFC6147]  Bagnulo, M., Sullivan, A., Matthews, P., and I. van
222	              Beijnum, "DNS64: DNS Extensions for Network Address
223	              Translation from IPv6 Clients to IPv4 Servers", RFC 6147,
224	              DOI 10.17487/RFC6147, April 2011,
225	              <https://www.rfc-editor.org/info/rfc6147>.

227	   [RFC6540]  George, W., Donley, C., Liljenstolpe, C., and L. Howard,
228	              "IPv6 Support Required for All IP-Capable Nodes", BCP 177,
229	              RFC 6540, DOI 10.17487/RFC6540, April 2012,
230	              <https://www.rfc-editor.org/info/rfc6540>.

232	   [RFC6877]  Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT:
233	              Combination of Stateful and Stateless Translation",
234	              RFC 6877, DOI 10.17487/RFC6877, April 2013,
235	              <https://www.rfc-editor.org/info/rfc6877>.

237	   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
238	              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
239	              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

241	   [RFC8200]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
242	              (IPv6) Specification", STD 86, RFC 8200,
243	              DOI 10.17487/RFC8200, July 2017,
244	              <https://www.rfc-editor.org/info/rfc8200>.

246	   [RFC8305]  Schinazi, D. and T. Pauly, "Happy Eyeballs Version 2:
247	              Better Connectivity Using Concurrency", RFC 8305,
248	              DOI 10.17487/RFC8305, December 2017,
249	              <https://www.rfc-editor.org/info/rfc8305>.

251	Authors' Addresses

253	   Cameron Byrne
254	   T-Mobile USA
255	   Bellevue, WA
256	   United States of America

258	   Email: Cameron.Byrne@T-Mobile.com

260	   Jordi Palet Martinez
261	   The IPv6 Company
262	   Molino de la Navata, 75
263	   La Navata - Galapagar, Madrid  28420
264	   Spain

266	   Email: jordi.palet@theipv6company.com
267	   URI:   http://www.theipv6company.com/