Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNS64 draft-bagnulo-behave-dns64-01 m. bagnulo, P. Matthews, I. van Beijnum, A. Sullivan, M. Endo IETF 73 - Mineapolis.

Published byBrian Lawrence Modified over 8 years ago

Similar presentations

Presentation on theme: "DNS64 draft-bagnulo-behave-dns64-01 m. bagnulo, P. Matthews, I. van Beijnum, A. Sullivan, M. Endo IETF 73 - Mineapolis."— Presentation transcript:

1 DNS64 draft-bagnulo-behave-dns64-01 m. bagnulo, P. Matthews, I. van Beijnum, A. Sullivan, M. Endo IETF 73 - Mineapolis

2 Application scenario IPv6 Only host IPv6 Only host IPv4 Only Host IPv4 Only Host NAT64 -Communications initiated by the v6-only host -No support for communications initiated by the v4 only side without previous action from the v6 side (i.e. No support for v6 only servers, beyond the creation of static mappings) -No changes required in any host for basic functionality -Supports communications initiated using the FQDN (of the v4 node) using DNS64 DNS64

3 Application scenario – refined An-IPv6-network-to-IPv4-Internet IPv6 Only host IPv6 Only host IPv4 Only Host IPv4 Only Host NAT64 IPv6 end site or IPv6 end site and IPv6 ISP DNS64 IPv4 Internet

4 Application scenario – refined IPv6-Internet-to-an-IPv4-network IPv6 Only host IPv6 Only host IPv4 Only Host IPv4 Only Host NAT64 DNS64 IPv4 end site IPv6 Internet

5 DNS64 function location DNS64 can be located: – In the local name server Simplifies deployment Supports legacy hosts – In the end host Enables additional features e.g. Validating stub-resolver

6 Overview An-IPv6-network-to-IPv4-Internet DNS64 in the local name server NAT64 v6 v4 DNS64 DNS H6 IP6 H4 IP4 IPT AAAA RR for FQDN(H4) ?

7 Overview An-IPv6-network-to-IPv4-Internet DNS64 in the local name server NAT64 v6 v4 DNS64 DNS H6 IP6 H4 IP4 IPT AAAA RR for FQDN(H4) ?

8 NAT64 v6 v4 DNS64 DNS H6 IP6 H4 IP4 IPT AAAA RR for FQDN(H4) ? enpty Overview An-IPv6-network-to-IPv4-Internet DNS64 in the local name server

9 NAT64 v6 v4 DNS64 DNS H6 IP6 H4 IP4 IPT AAAA RR for FQDN(H4) ? A RR for FQDN(H4) ? Overview An-IPv6-network-to-IPv4-Internet DNS64 in the local name server

10 NAT64 v6 v4 DNS64 DNS H6 IP6 H4 IP4 IPT AAAA RR for FQDN(H4) ? A RR for FQDN(H4) ? IP4 Overview An-IPv6-network-to-IPv4-Internet DNS64 in the local name server

11 NAT64 v6 v4 DNS64 DNS H6 IP6 H4 IP4 IPT Synthetizes AAAA RR as Pref::/96+IPv4 Overview An-IPv6-network-to-IPv4-Internet DNS64 in the local name server

12 NAT64 v6 v4 DNS64 DNS H6 IP6 H4 IP4 IPT AAAA RR Pref:IP4 Overview An-IPv6-network-to-IPv4-Internet DNS64 in the local name server

13 NAT64 v6 v4 DNS64 DNS H6 IP6 H4 IP4 IPT Src: IP6,s Dest: Pref:IP4,d Src: IP6,s Dest: Pref:IP4,d Overview An-IPv6-network-to-IPv4-Internet DNS64 in the local name server

14 NAT64 v6 v4 DNS64 DNS H6 IP6 H4 IP4 IPT IP6,s T,t Overview An-IPv6-network-to-IPv4-Internet DNS64 in the local name server

15 NAT64 v6 v4 DNS64 DNS H6 IP6 H4 IP4 IPT Src: T,t Dest: IP4,d Src: T,t Dest: IP4,d Overview An-IPv6-network-to-IPv4-Internet DNS64 in the local name server

16 A couple of design questions

17 Tagging Synthetic AAAA RR When AAAA RR are synthesized by other than the auhtoritative server, different DNS64 can synthesize different AAAA RR – Different answers for the same fqdn depending on the part of the topology Question: Does it make sense to tag these as synthetic? Feedback from DNSext – You can do this, but not needed from DNS perspective

18 DNSSEC support An-IPv6-network-to-IPv4-Internet case – Difficulty is how to validate data when the DNS64 is synthesizing RR for other domains IPv6-Internet-to-An-IPv4-network – Auhtoritative server synthezising AAAA RR – Main difficulties is when to sign the new RR

19 DNSSEC: An-IPv6-network-to-IPv4- Internet case Proposal: – Include the A RR information in the response that contains the synthetic AAAA RR – Similar behaviour of DNAME – Validating, Translation aware stub resolver can use the A RR DNSSEC information to validate the synthetic AAAA RR – Validating translation-oblivious stub resolver behind a translator is not supported.

20 DNSSEC IPv6-Internet-to-An-IPv4-network When is the synthesis performed? – If done when the query is received, can we sign the RR on the fly? How this interacts with DynDNS? Feedback from DNSext: – Synthesis is to be performed upon the reception of the DynDNs update – Generating and signing when query is received is not possible Key may be offline

21 Questions?

22 DNSSEC support Rso: security-oblivious server working in recursive mode Rsa: security-aware server working in recursive mode Rsav: validating security-aware recursive name server Rsan: non validating security-aware recursive name server The recursive server is also performing DNS64.

23 DNSSEC cases An-IPv6-network-to-IPv4-Internet case DO set, CD resetDO set, CD SET Rso No support from the server Similar to non DNS64 case No support from the server Similar to non DNS64 case Rsan Hand back data as normal Similar to case Rso? Needs to pass all the data for validation back to the initator (No synthetic RR can be passed here!) DNS64 server mode not supported, DNS64 end host mode ok Rsav Rsav validates the data. If it fails, it returns RCODE 2 (SERVFAIL); otherwise, it returns the answer. DNS64-in-the-server mode: Rsav validates the data, and then synthesizes the new record and passes that to the client. Same than Rsan case above

24 Proposed behaviour (I) An-IPv6-network-to-IPv4-Internet case If CD is not set and DO is not set, the server SHOULD perform validation and do any translation it wants. The DNS64 functionality MAY translate the A record to AAAA. – DNS64 server mode If CD is not set and DO is set, then it SHOULD perform validation. If the data validates, the server MAY perform translation, but it MUST NOT set the AD bit. If the data does not validate, it MUST respond with RCODE=2 (server failure). – DNS64 server mode

25 Proposed behaviour (II) An-IPv6-network-to-IPv4-Internet case If the CD is set and DO is set, then it SHOULD NOT perform validation, and it SHOULD NOT perform translation. It SHOULD hand the data back to the query initiator, just like a regular recursing server, and depend on the client to do the validation and the translation itself. – DNS end host mode

Download ppt "DNS64 draft-bagnulo-behave-dns64-01 m. bagnulo, P. Matthews, I. van Beijnum, A. Sullivan, M. Endo IETF 73 - Mineapolis."

Similar presentations

DNS46 for the IPv4/IPv6 Stateless Translator

DNS46 for the IPv4/IPv6 Stateless Translator
© 2004 SafeNet, Inc. All rights reserved. Mobike Protocol Design draft-ietf-mobike-design-00.txt Tero Kivinen

© 2004 SafeNet, Inc. All rights reserved. Mobike Protocol Design draft-ietf-mobike-design-00.txt Tero Kivinen
Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
Applications Test Results in MIF environment draft-zheng-mif-apps-test-02.txt IETF 81 Quebec City.

Applications Test Results in MIF environment draft-zheng-mif-apps-test-02.txt IETF 81 Quebec City.
Challenges of OTT video delivery in the dual-stacked world

Challenges of OTT video delivery in the dual-stacked world
IPv4 - IPv6 Integration and Coexistence Strategies Warakorn Sae-Tang Network Specialist Professional Service Department A Subsidiary.

IPv4 - IPv6 Integration and Coexistence Strategies Warakorn Sae-Tang Network Specialist Professional Service Department A Subsidiary.
IPv6 – IPv4 Network Address, Port & Protocol Translation & Multithreaded DNS Gateway Navpreet Singh, Abhinav Singh, Udit Gupta, Vinay Bajpai, Toshu Malhotra.

IPv6 – IPv4 Network Address, Port & Protocol Translation & Multithreaded DNS Gateway Navpreet Singh, Abhinav Singh, Udit Gupta, Vinay Bajpai, Toshu Malhotra.
Direct Access 2012 Chad Duffey and Tristan Kington Microsoft Premier Field Engineering WSV333.

Direct Access 2012 Chad Duffey and Tristan Kington Microsoft Premier Field Engineering WSV333.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Module 4: Configuring Network Connectivity

Module 4: Configuring Network Connectivity
Implementing Domain Name System

Implementing Domain Name System
DNS and DHCP in Dual Stack Networks Lawrence E. Hughes Chairman, InfoWeapons Inc.

DNS and DHCP in Dual Stack Networks Lawrence E. Hughes Chairman, InfoWeapons Inc.
NAT (Network Address Translator) Atif Karamat In the name of God the most merciful and the most compassionate.

NAT (Network Address Translator) Atif Karamat In the name of God the most merciful and the most compassionate.
1 Name Service in IPv6 Mobile Ad-hoc Network connected to the Internet Jaehoon Jeong, ETRI PIMRC 2003.

1 Name Service in IPv6 Mobile Ad-hoc Network connected to the Internet Jaehoon Jeong, ETRI PIMRC 2003.
DirectAccess is an Enterprise Solution: No support for Windows 7 Professional Requires two consecutive public IP addresses Cannot NAT to the DirectAccess.

DirectAccess is an Enterprise Solution: No support for Windows 7 Professional Requires two consecutive public IP addresses Cannot NAT to the DirectAccess.
Domain Name System: DNS

Domain Name System: DNS
DNS: Revising the Current Protocol Matt Gustafson Matt Weaver CS522 Computer Communications University of Colorado, Colorado Springs.

DNS: Revising the Current Protocol Matt Gustafson Matt Weaver CS522 Computer Communications University of Colorado, Colorado Springs.
1 DNS Name Service based on Secure Multicast DNS for IPv6 Mobile Ad-hoc Network Jaehoon Jeong, ETRI ICACT.

1 DNS Name Service based on Secure Multicast DNS for IPv6 Mobile Ad-hoc Network Jaehoon Jeong, ETRI ICACT.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.
Multicast DNS Draft-aboba-dnsext-mdns-00.txt. Outline Goals and objectives Scope of the multicast DNS DNS server discovery Non-zeroconf behavior Zeroconf.

Multicast DNS Draft-aboba-dnsext-mdns-00.txt. Outline Goals and objectives Scope of the multicast DNS DNS server discovery Non-zeroconf behavior Zeroconf.

Similar presentations

Ads by Google