IPv6-Only and DNS[SEC|64] - RIPE 72 · 2016. 5. 25. · IPv6-Only and DNS[SEC|64] Jen Linkova...
Slide 1: IPv6-Only and DNS[SEC|64]
Jen Linkova (furry13@gmail.com)
RIPE72, May 2016
Slide 2: Traditional Dual-Stack Network
Slide 3: Taking IPv4 away…
Slide 4: The Problem
Slide 5: The Solution: DNS64
Slide 6: DNS64 + DNSSEC (Validating Client)
Slide 7: What is a ‘Validating Client’?
● Security-aware resolver: accepts/understands DNSSEC security RRs
  ○ "DNSSEC OK" (DO) bit set to ‘1’
● Validating resolver: performs validation using DNSSEC security RRs
  ○ “Checking Disabled” (CD) bit
    ■ CD = 1 instructs the server to disable validation (the client will validate)
Slide 8: DNSSEC and DNS64 AAAA Synthesis (RFC6147)
For all IPv4-only names? …or… for DNSSEC-enabled names ONLY?
Some DNS64 implementations MAY NOT return AAAA for IPv4-only DNSSEC-enabled names (e.g. BIND9: break-dnssec = yes)
Slide 9: Standards vs. Implementation: DO = 1, CD = 1
RFC 6147 (DNS64):
● Both DO and CD bits are set: DNS64 MUST NOT perform synthesis
  ○ not 100% clear whether this applies regardless of whether DNSSEC RRs are available
● Validation behind the DNS64: the validator must know how to perform the DNS64 function itself
Reality: some DNS64 implementations perform synthesis in the absence of DNSSEC RRs:

```
furry@Wintermute:~>dig +dnssec +cdflag www.amazon.com aaaa +short
64:ff9b::36ef:1a80
furry@Wintermute:~>
```
Slide 10 (diagram): Problem Space for Validating Clients
“Relaxed” DNS64 implementations OR “strict” RFC6147 implementation
Slide 11: In God We Trust, All Others Bring Data (or: How Big is the Problem?)
Slides 12-14: IPv6 & DNSSEC Adoption (Alexa 1M)
IPv6 adoption:
● 5.7% of all sites
● 21% of DNSSEC-enabled sites
DNSSEC adoption:
● 1.7% of all sites
● 6% of IPv6-enabled sites
Slide 15 (chart): share of sites incompatible with ANY DNS64 implementation vs. share incompatible only with a strict RFC6147 DNS64 implementation
Slide 16: Don’t Panic! …just enable IPv6…
Slide 17: Validating Stub Resolvers & DNS64: Solution
Discover the NAT64 prefix so the stub can perform DNS64 itself (RFC7050)
Issue #1: if the negative response for “AAAA” validates and (DO = 1 & CD = 0), DNS64 MAY perform synthesis
Issue #2: SECURITY?
Slide 18 (diagram): RFC7050, Discovery of the IPv6 Prefix Used for IPv6 Address Synthesis
The figure shows steps 1-6 of the discovery exchange; NAT64 prefix: 2001:db8::/96
Slide 19: Conclusions
● Non-DNS64-aware validating client behind NAT64:
  ○ Failure rate ~1.3% … or 94%…
● Service owners:
  ○ enable IPv6 (especially if DNSSEC is enabled!)
● DNSSEC-aware and validating stub resolvers SHOULD be DNS64-aware:
  ○ Discover the NAT64 prefix
  ○ Perform the DNS64 function
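The two stub-side steps recommended on slide 17 and in the conclusions, written out as an added example (not code from the talk): discover the NAT64 prefix from the AAAA answer for ipv4only.arpa as RFC 7050 describes, then synthesize AAAA records under that prefix using the RFC 6052 embedding, for all six prefix lengths RFC 6052 permits, not just /96. Function names and the sample ipv4only.arpa answers are constructed; 54.239.26.128 is the IPv4 address embedded in the synthesized 64:ff9b::36ef:1a80 shown in the dig output on slide 9.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network

# Well-known IPv4 addresses of ipv4only.arpa (RFC 7050).
WKA = {IPv4Address("192.0.0.170"), IPv4Address("192.0.0.171")}
# Prefix lengths allowed for IPv4-embedded IPv6 addresses (RFC 6052).
PREFIX_LENGTHS = (96, 64, 56, 48, 40, 32)


def embed(prefix, v4):
    """IPv4-embedded IPv6 address for v4 under prefix (RFC 6052 section 2.2)."""
    net = IPv6Network(prefix)
    pl, p, v = net.prefixlen, net.network_address.packed, IPv4Address(v4).packed
    if pl == 96:
        return IPv6Address(p[:12] + v)
    # For /32../64 the "u" octet (bits 64-71) is zero and splits the IPv4
    # address: 8 - pl/8 octets go before it, the rest after it.
    pb, n = pl // 8, 8 - pl // 8
    return IPv6Address(p[:pb] + v[:n] + b"\x00" + v[n:] + bytes(11 - pb))


def extract(addr, pl):
    """Inverse of embed(): the IPv4 address inside addr if the prefix is /pl."""
    b, pb = IPv6Address(addr).packed, pl // 8
    if pl == 96:
        return IPv4Address(b[12:16])
    n = 8 - pb
    return IPv4Address(b[pb:pb + n] + b[9:13 - n])


def discover_nat64_prefix(ipv4only_arpa_aaaa):
    """RFC 7050: a DNS64 answers ipv4only.arpa with AAAA records that embed a
    WKA; the bits in front of the WKA are the NAT64 prefix. None means no
    record embeds a WKA, i.e. there is no DNS64 on the path."""
    for addr in map(IPv6Address, ipv4only_arpa_aaaa):
        for pl in PREFIX_LENGTHS:
            if extract(addr, pl) in WKA:
                kept = (int(addr) >> (128 - pl)) << (128 - pl)
                return IPv6Network((kept, pl))
    return None


def stub_dns64(aaaa, a_records, prefix):
    """The DNS64 step a validating stub applies after validating the answers
    itself: keep genuine AAAA records, synthesize only when there are none."""
    if aaaa or prefix is None:
        return list(aaaa)
    return [embed(prefix, a) for a in a_records]
```

With the constructed answer ["64:ff9b::c000:aa", "64:ff9b::c000:ab"] for ipv4only.arpa, discover_nat64_prefix() yields 64:ff9b::/96 and stub_dns64([], ["54.239.26.128"], prefix) yields the same 64:ff9b::36ef:1a80 the DNS64 on slide 9 returned, but now only after the stub's own validation of the empty AAAA answer.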
Slide 20: QUESTIONS?
Slide 21: Backup Slides
Slide 22 (chart): IPv6-enabled Sites Distribution: Alexa 1M
Slide 23 (chart): IPv6-enabled Sites Distribution: Alexa 10K
Slide 24 (chart): DNSSEC-enabled Names Distribution: Alexa 1M
Slide 25 (chart): DNSSEC-enabled Sites Distribution: Alexa 10K
Slide 26 (chart): DNSSEC-enabled IPv4-only Names (Alexa 1M)