Hi, responses inline.
> On Tue, Jun 12, 2018 at 11:16 PM Mark Andrews <ma...@isc.org> wrote:
>
> This does not meet my requirements. There is zero need for any part of the
> normal DNS resolution process to know that IPV4ONLY.ARPA is special if IANA
> stopped signing the zone.
Could you take a look at draft-cheshire-sudn-ipv4only-dot-arpa please? It
explains why some parts of the DNS resolution process do need to treat
ipv4only.arpa as special, regardless of DNSSEC.
> On Jun 13, 2018, at 19:19, Warren Kumari <war...@kumari.net> wrote:
>
> I read that a few times, and even when squinting I cannot figure out how that
> is supposed to work. Can someone enlighten me? I can see how a signed
> ipv4only.arpa allows a validating DNS64 server to validate the (well known!)
> v4 addresses, but the malicious AAAA RR detection bit confuses me...
I agree, there is no point in signing the A records for ipv4only.arpa since
they are well-known, and for the same reason there is no point in checking it.
So having A records signed or unsigned is irrelevant since no one should be
querying for these A records anyway. Similarly, since the whole purpose of the
AAAA records for ipv4only.arpa is to be overridden by a DNS64 recursive
resolver which is not owned by .arpa, checking signatures will not validate
anything useful.
I agree with Mark's point that queries will fail when the client is behind a
validating resolver that has no special knowledge of ipv4only.arpa.
To resolve this, we'll update draft-cheshire-sudn-ipv4only-dot-arpa to mention
that ipv4only.arpa MUST NOT be signed.
Thanks,
David
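To make concrete what the thread means by a DNS64 resolver overriding the AAAA records for ipv4only.arpa, here is an added Python example (not code from the thread, the draft, or any DNS64 implementation) showing both halves: the RFC 6052 embedding a DNS64 resolver performs, and the client-side RFC 7050 heuristic that recovers the NAT64 prefix by finding the well-known IPv4 address inside the answer. It assumes the well-known addresses 192.0.0.170 and 192.0.0.171 from RFC 7050 and uses constructed sample prefixes in 2001:db8::/32; the point it illustrates is that the AAAA the client sees is produced by the resolver, not served from the zone, so no RRSIG from the zone signer can cover it.

```python
import ipaddress
from typing import Optional, Tuple

# Well-known IPv4 addresses of ipv4only.arpa (taken from RFC 7050; the thread
# only calls them "well known"). Stored packed for byte comparison.
WELL_KNOWN_V4 = {b"\xc0\x00\x00\xaa", b"\xc0\x00\x00\xab"}  # 192.0.0.170/.171
# Pref64 lengths allowed by RFC 6052, tried longest first (our ordering choice).
PREFIX_LENGTHS = (96, 64, 56, 48, 40, 32)


def synthesize_aaaa(pref64: str, plen: int, ipv4: str) -> bytes:
    """What a DNS64 resolver does: embed an A record into Pref64::/plen (RFC 6052).
    Octet 8 (the 'u' bits) is skipped and left zero for every length below /96."""
    out = bytearray(16)
    pb = plen // 8
    out[:pb] = ipaddress.IPv6Address(pref64).packed[:pb]
    pos = pb
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if pos == 8:          # never write the 'u' octet
            pos += 1
        out[pos] = octet
        pos += 1
    return bytes(out)


def _extract_ipv4(aaaa: bytes, plen: int) -> bytes:
    """Inverse of the embedding above for a candidate prefix length."""
    pos, octets = plen // 8, bytearray()
    while len(octets) < 4:
        if pos == 8:
            pos += 1
        octets.append(aaaa[pos])
        pos += 1
    return bytes(octets)


def discover_pref64(aaaa: bytes) -> Optional[Tuple[str, int]]:
    """Client side (RFC 7050 heuristic): locate the well-known IPv4 address in the
    AAAA answer for ipv4only.arpa and recover (Pref64 text, prefix length).
    Returns None when the answer does not look synthesized (no DNS64 in the path)."""
    for plen in PREFIX_LENGTHS:
        if plen < 96 and aaaa[8] != 0:   # 'u' octet must be zero below /96
            continue
        if _extract_ipv4(aaaa, plen) in WELL_KNOWN_V4:
            pb = plen // 8
            return str(ipaddress.IPv6Address(aaaa[:pb] + bytes(16 - pb))), plen
    return None


def aaaa_text(aaaa: bytes) -> str:
    """Render a packed AAAA rdata as compressed IPv6 text."""
    return str(ipaddress.IPv6Address(aaaa))
```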
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop