Hi list,

Just wanted to check my understanding of BIND9's implementation of DNS64 against RFC 6147.

Currently BIND9's "break-dnssec" defaults to "no". In this configuration, a security-aware and validating recursive resolver will never synthesise an AAAA record via DNS64 when queried with DO=1, regardless of the CD bit. When changing "break-dnssec" to "yes", querying with DO=1 will always trigger synthesis of a DNS64 AAAA record, regardless of the CD bit.

Both of these configurations seem to conflict with the DNS64 RFC 6147, which specifies that (so long as the upstream negative AAAA and positive A responses validate) the recursive resolver can still synthesise the DNS64 AAAA when queried with DO=1 and CD=0, but must return the answer with the AD bit set. Only when queried with both DO=1 and CD=1 must it not synthesise the DNS64 AAAA.

Is there any way to configure BIND9 to comply with this RFC 6147 behaviour? We're on 9.8.2, but I couldn't find anything related in the CHANGES for either 9.8 or 9.9.

Thanks,
Tom
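The three synthesis policies the post contrasts (BIND9 with break-dnssec no, break-dnssec yes, and the RFC 6147 rule), as an added Python model that is not BIND code or part of the post; the AD-bit handling for unsynthesised and for break-dnssec-yes replies is an assumption marked in the comments, and `Mode`, `Decision`, `dns64_decision`, `truth_table` and `disagreements` are names chosen here.

```python
from dataclasses import dataclass
from enum import Enum

class Mode(Enum):
    BIND_BREAK_DNSSEC_NO = "BIND9 break-dnssec no (default)"
    BIND_BREAK_DNSSEC_YES = "BIND9 break-dnssec yes"
    RFC6147 = "RFC 6147 section 5.5"

@dataclass(frozen=True)
class Decision:
    synthesize: bool  # build a DNS64 AAAA from the A record?
    ad: bool          # AD (authenticated data) bit set on the reply?

def dns64_decision(mode: Mode, do: bool, cd: bool, upstream_validates: bool) -> Decision:
    """Outcome for an AAAA query whose upstream AAAA answer was empty; `upstream_validates`
    means the negative AAAA and positive A responses both passed DNSSEC validation."""
    # Ordinary validating-resolver behaviour for an unsynthesised reply (assumption, not
    # from the post): AD is set only when the data validated and the client did not set CD.
    passthrough = Decision(synthesize=False, ad=upstream_validates and not cd)
    if not do:
        # No DNSSEC requested by the client: every mode synthesises, AD stays clear.
        return Decision(synthesize=True, ad=False)
    if mode is Mode.BIND_BREAK_DNSSEC_NO:
        # DO=1 suppresses synthesis whatever CD says.
        return passthrough
    if mode is Mode.BIND_BREAK_DNSSEC_YES:
        # DO=1 always synthesises; the synthetic RRset has no valid signature, so AD is
        # assumed clear (assumption, the post does not say).
        return Decision(synthesize=True, ad=False)
    # RFC 6147: with CD=1 the client wants unmodified data, so no synthesis.
    if cd:
        return passthrough
    # CD=0: synthesise only from validated data, and then set AD on the answer.
    if upstream_validates:
        return Decision(synthesize=True, ad=True)
    return passthrough  # what RCODE to return on validation failure is outside the post

def truth_table(mode: Mode) -> dict:
    """Map every (DO, CD, validates) combination to its Decision under `mode`."""
    return {(do, cd, v): dns64_decision(mode, do, cd, v)
            for do in (False, True) for cd in (False, True) for v in (False, True)}

def disagreements(mode: Mode) -> list:
    """Inputs (DO, CD, validates) where `mode` differs from RFC 6147 in synthesis or AD."""
    rfc = truth_table(Mode.RFC6147)
    return sorted(k for k, d in truth_table(mode).items() if d != rfc[k])
```

Running `disagreements` for each BIND mode shows the gap the post describes: the default differs from the RFC only in the DO=1, CD=0, validated case, while break-dnssec yes differs in every DO=1 case.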