On 2020/10/30 18:38, Phil Pennock wrote:
> On a laptop, you discover when roaming that suddenly you're on a network
> where the only DNS upstreams are doing 464XLAT and all DNSSEC
> verification breaks, so you need to be able to handle that _sometimes_
> DNSSEC is just not viable.

I'm confused. Why does 464XLAT break DNSSEC?

The idea is that a DNSSEC validating resolver sets the CD bit (in addition to the DO bit). This causes the DNS64 resolver to stop doing synthesis (RFC 6147, Section 5.5). This would normally cause NAT64 to fail. However, in the case of 464XLAT, synthesis is not needed, so everything should be fine.

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
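
The query described in the reply above, as an added example that is not part of the original message: it builds an AAAA query carrying both the CD bit (DNS header) and the DO bit (EDNS0 OPT record), reads the bits back, and applies the rule the reply cites from RFC 6147, Section 5.5. The function names, the query ID and the 1232-byte UDP size are assumptions made for illustration.

```python
import struct

RD_FLAG = 0x0100   # Recursion Desired (header flags)
CD_FLAG = 0x0010   # Checking Disabled (header flags)
DO_FLAG = 0x8000   # DNSSEC OK (flags half of the OPT record's TTL field)
TYPE_AAAA, TYPE_OPT, CLASS_IN = 28, 41, 1

def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qid, cd=True, do=True, udp_size=1232):
    """Wire-format AAAA query as a validating stub or resolver would send it."""
    flags = RD_FLAG | (CD_FLAG if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", TYPE_AAAA, CLASS_IN)
    # OPT RR: root name, TYPE=OPT, CLASS=UDP payload size,
    # TTL=ext-rcode(8) | version(8) | DO+Z(16), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size,
                                DO_FLAG if do else 0, 0)
    return header + question + opt

def query_bits(msg):
    """Return (cd, do) from a query; assumes uncompressed names."""
    _qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):                      # skip question section
        while msg[pos] != 0:
            pos += 1 + msg[pos]
        pos += 1 + 4                         # root label + QTYPE + QCLASS
    do = False
    for _ in range(an + ns + ar):            # find the OPT pseudo-record
        while msg[pos] != 0:
            pos += 1 + msg[pos]
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
        pos += 11 + rdlen
        if rtype == TYPE_OPT:
            do = bool(ttl & DO_FLAG)
    return bool(flags & CD_FLAG), do

def dns64_may_synthesize(cd, do):
    """Simplified model of the rule cited above: with both DO and CD set,
    the DNS64 resolver does not synthesize AAAA records."""
    return not (cd and do)

if __name__ == "__main__":
    q = build_query("example.com", 0x1234)   # constructed sample query
    print(q.hex(), query_bits(q), dns64_may_synthesize(*query_bits(q)))
```
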
