>From a network with 10s of millions of nat64 users and zero dnssec, I
>disagree and suggest dnssec move to historic since it is a ddos attack
>vector and provides no privacy element and generally weak crypto ... also it
>has caused many wide scale outages for networks that have elected to use
>it.

With 2.5 million DNSSEC signed zones in just the nl TLD (45% of all zones in
.nl) and Google's highly popular public resolvers performing DNSSEC validation,
it is also safe to say that millions of people use DNSSEC daily without
nat64.

At least for me personally, I come across expired (or otherwise broken)
certificates a lot more often than domains that fail DNSSEC validation. 

As for weak crypto, I'm not aware of a single serious (published and executed)
attack on deployed DNSSEC.

So it seems that both operationally and from a security point of view,
DNSSEC is strictly better than TLS.

By and large, the DNSSEC problems (and the IPv4 literal problems) can be
solved by using 464xlat instead of DNS64. 

However, NAT64 is such a 'success' that at least one high profile content
provider had to rush to roll out IPv6 because the deployed NAT64 was
breaking their service.
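The DNS64 versus 464xlat point above, as an added example that is not part of the original message: RFC 6052 address synthesis, plus a small constructed model (DNSSEC validation reduced to a flag) of why a DNS64-synthesized AAAA RRset can never validate, while a 464xlat CLAT translates only after the host has validated the real A RRset. 64:ff9b::/96 is the RFC 6052 well-known prefix; the name and IPv4 address are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


def synthesize_ipv6(prefix: str, plen: int, v4: str) -> str:
    """Embed an IPv4 address in a Pref64::/plen prefix per RFC 6052 section 2.2."""
    assert plen in (32, 40, 48, 56, 64, 96), "RFC 6052 only defines these lengths"
    p = int.from_bytes(ipaddress.IPv6Address(prefix).packed, "big")
    p &= ~((1 << (128 - plen)) - 1)                  # keep only the prefix bits
    a = int.from_bytes(ipaddress.IPv4Address(v4).packed, "big")
    if plen == 96:
        v = p | a                                    # IPv4 fills the last 32 bits
    else:
        hi_bits = 64 - plen                          # IPv4 bits that fit before the "u" byte (bits 64-71)
        hi, lo = a >> (32 - hi_bits), a & ((1 << (32 - hi_bits)) - 1)
        v = p | (hi << 64) | (lo << (56 - (32 - hi_bits)))  # remaining bits start at bit 72
    return str(ipaddress.IPv6Address(v))


@dataclass
class RRset:
    name: str
    rtype: str
    rdata: list
    validated: bool   # True models an RRSIG that chains to the trust anchor


def dns64_synthesize(a_rrset: RRset, prefix: str, plen: int) -> RRset:
    """A DNS64 resolver builds AAAA records from the A RRset. It holds no zone
    key, so the synthesized RRset can never carry a valid RRSIG."""
    return RRset(a_rrset.name, "AAAA",
                 [synthesize_ipv6(prefix, plen, ip) for ip in a_rrset.rdata],
                 validated=False)


def validating_stub_accepts(rrset: RRset) -> bool:
    return rrset.validated


def clat_destinations(a_rrset: RRset, prefix: str, plen: int) -> list:
    """464xlat: the host validates the real A RRset itself; the CLAT embeds each
    IPv4 destination into the PLAT prefix when it translates the packets."""
    if not validating_stub_accepts(a_rrset):
        raise ValueError("bogus A RRset, refusing to translate")
    return [synthesize_ipv6(prefix, plen, ip) for ip in a_rrset.rdata]


# Constructed sample: a signed A RRset and the well-known prefix 64:ff9b::/96
A_RRSET = RRset("www.example", "A", ["192.0.2.33"], validated=True)
WKP, WKP_LEN = "64:ff9b::", 96

if __name__ == "__main__":
    synth = dns64_synthesize(A_RRSET, WKP, WKP_LEN)
    print(synth.rdata, validating_stub_accepts(synth))   # ['64:ff9b::c000:221'] False
    print(clat_destinations(A_RRSET, WKP, WKP_LEN))      # ['64:ff9b::c000:221']
```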


_______________________________________________
sunset4 mailing list
sunset4@ietf.org
https://www.ietf.org/mailman/listinfo/sunset4