In message <20131021123504.ga20...@nic.fr>, Stephane Bortzmeyer writes:

> I try to understand DNS64 and there is a problem I don't get. I have
> BIND configured with:
>
> dns64 2001:db8:1:64::/96 { // Network-Specific Prefix
>     clients { me; };
> };
>
> and it works, synthesis happens when the domain name has no AAAA records:
>
> % dig +cd @localhost -p 9053 AAAA twitter.com
> ...
> ;; ANSWER SECTION:
> twitter.com.  30  IN  AAAA  2001:db8:1:64::c710:9c66
> twitter.com.  30  IN  AAAA  2001:db8:1:64::c710:9cc6
> twitter.com.  30  IN  AAAA  2001:db8:1:64::c710:9c06
>
> I try it now on the new ipv4only.arpa, which has only A and not AAAA
> and nothing happens:
>
> % dig +cd @localhost -p 9053 AAAA ipv4only.arpa
>
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +cd @localhost -p 9053 AAAA ipv4only.arpa
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62138
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;ipv4only.arpa.  IN  AAAA
>
> ;; AUTHORITY SECTION:
> ipv4only.arpa.  3038  IN  SOA  sns.dns.icann.org. noc.dns.icann.org. (
>                                 2013053904 ; serial
>                                 7200       ; refresh (2 hours)
>                                 3600       ; retry (1 hour)
>                                 604800     ; expire (1 week)
>                                 3600       ; minimum (1 hour)
>                                 )
> ipv4only.arpa.  3038  IN  RRSIG  SOA 8 2 3600 20131028181436 (
>                                 20131021083223 33820 ipv4only.arpa.
>                                 GEbCQfPa1q8e0qaQTT5S1yrmfRp3Vx+lueUB+i846fCl
>                                 /5J3mbew8PI2LMd7stndYwPARIDWjapyzyFk5de6/Yx9
>                                 Nyxn0AOVr9wRnRPy14FCH0P05EQFYzklOkC5Fjzn/B+B
>                                 z4ngG4hM3RfAkckhj0zZ5zMhiYbxucOK/U8T398= )
> ipv4only.arpa.  3038  IN  RRSIG  NSEC 8 2 3600 20131028191728 (
>                                 20131021083223 33820 ipv4only.arpa.
>                                 Id6eQDjnvBhqoZSOBsNKywa0yAEiaGmyakGFLG3Mc2/h
>                                 lmjAPylP9fDdBORpdgnbV0AMt5JzzzIblDTsfs9sbKby
>                                 cCRHkE+Vhchu/NnChM+xslJ15daNNLgYUQHd5xwvdzgP
>                                 OdpknW9kyfpjR4Cj3dixxfFhrsFFNvZo2FOyTW0= )
> ipv4only.arpa.  3038  IN  NSEC  ipv4only.arpa. A NS SOA TXT RRSIG NSEC DNSKEY
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#9053(127.0.0.1)
> ;; WHEN: Mon Oct 21 14:33:52 2013
> ;; MSG SIZE  rcvd: 481
>
> What did I miss?

They signed it and you have do=1 set in the query. Named won't lie to you
if you can verify the answer unless you override the defaults. DNS64 and
DNSSEC are incompatible with each other. To have it work with a signed
zone and do=1 you need to tell named to break dnssec.

	dns64 {
		clients { me; };
		break-dnssec yes;
	};

Mark

> BIND 9.9.4
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
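As an added example (not code from the thread, BIND, or either poster), here is a small Python model of the decision Mark describes: DNS64 only fills in a missing AAAA, and when the query carries DO=1 and the zone is signed, named declines to synthesize unless break-dnssec is yes. The /96 prefix is the one from the quoted named.conf; the IPv4 inputs are constructed test data (192.0.0.170/171 are the RFC 7050 well-known ipv4only.arpa addresses), and the policy function is my simplification of named's behaviour, not its implementation.

```python
import ipaddress
from dataclasses import dataclass, field

# Network-Specific Prefix from the quoted named.conf.
NSP = "2001:db8:1:64::/96"


def synthesize_aaaa(prefix: str, ipv4: str) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 DNS64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("this helper only handles /96 prefixes")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(net.network_address) | v4))


@dataclass
class UpstreamAnswer:
    """What the resolver learned about a name (constructed, not a real lookup)."""
    name: str
    aaaa: list = field(default_factory=list)   # real AAAA rdata, if any
    a: list = field(default_factory=list)      # A rdata for the same name
    signed: bool = False                       # negative answer carried RRSIGs


def dns64_answer(ans: UpstreamAnswer, do_bit: bool, break_dnssec: bool = False) -> list:
    """Return the AAAA list a DNS64 resolver hands back under the rule in the reply.

    Real AAAA data is never rewritten. Synthesis is suppressed when the client
    asked for DNSSEC data (DO=1) and the zone is signed, because a synthesized
    record cannot be validated; break-dnssec yes overrides that refusal.
    """
    if ans.aaaa:
        return list(ans.aaaa)
    if not ans.a:
        return []
    if do_bit and ans.signed and not break_dnssec:
        return []   # NOERROR with an empty answer, as in the ipv4only.arpa dig
    return [synthesize_aaaa(NSP, a) for a in ans.a]


if __name__ == "__main__":
    # twitter.com as in the thread: unsigned, A only -> synthesized AAAA.
    twitter = UpstreamAnswer("twitter.com", a=["199.16.156.102", "199.16.156.198"])
    print(dns64_answer(twitter, do_bit=True))
    # ipv4only.arpa: signed, A only -> nothing unless break-dnssec yes.
    v4only = UpstreamAnswer("ipv4only.arpa", a=["192.0.0.170", "192.0.0.171"], signed=True)
    print(dns64_answer(v4only, do_bit=True))
    print(dns64_answer(v4only, do_bit=True, break_dnssec=True))
```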