On 2020/10/31 1:05, Phil Pennock wrote:
> On 2020-10-30 at 19:09 +0100, Philip Homburg wrote:
>> I'm confused. Why does 464XLAT break DNSSEC? The idea is that a DNSSEC
>
> It's whichever one ends up with all connectivity to the global IPv4
> Internet being via IPv4-in-IPv6 addresses and all DNS is faked to only
> return AAAA records using the network operator's IPv6 prefix for such
> addresses.

There is NAT64. Together with DNS64 that allows an IPv6 host to talk to IPv4 hosts. However NAT64 generates invalid IPv6 packets. So it is better to use NAT64 only in combination with CLAT, which gives 464XLAT. CLAT solves the problem of broken IPv6 packets by translating them back into IPv4 (and also deals with IPv4 address literals, avoids the need for DNS64, etc.)

So 464XLAT doesn't have a DNSSEC problem, but NAT64 on its own potentially does.
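The AAAA synthesis that DNS64 performs, and a check that labels an answer as synthesized, as an added example that is not part of the original message. It assumes the RFC 6052 address format and its well-known prefix 64:ff9b::/96 (neither is named in the thread); the function names are hypothetical and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

# Assumption: the RFC 6052 well-known NAT64 prefix; operators may use their own.
WKP = ipaddress.IPv6Network("64:ff9b::/96")
VALID_LENGTHS = (32, 40, 48, 56, 64, 96)  # prefix lengths RFC 6052 permits


def _v4_offsets(prefix):
    """Byte positions of the embedded IPv4 address, skipping reserved octet 8."""
    if prefix.prefixlen not in VALID_LENGTHS:
        raise ValueError(f"/{prefix.prefixlen} is not an RFC 6052 prefix length")
    start = prefix.prefixlen // 8
    return [i for i in range(start, 16) if i != 8][:4]


def synthesize(v4, prefix=WKP):
    """What DNS64 does: build the AAAA address for a zone's A record."""
    out = bytearray(prefix.network_address.packed)
    for pos, byte in zip(_v4_offsets(prefix), ipaddress.IPv4Address(v4).packed):
        out[pos] = byte
    return ipaddress.IPv6Address(bytes(out))


def extract(v6, prefix=WKP):
    """Inverse mapping: recover the embedded IPv4 address, or None if outside prefix."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        return None
    raw = addr.packed
    return ipaddress.IPv4Address(bytes(raw[i] for i in _v4_offsets(prefix)))


def classify_aaaa(aaaa, signed_a_rrset, prefix=WKP):
    """Label an AAAA answer as seen by a host behind DNS64.

    'synthesized' answers were built by the resolver from the zone's A records,
    so no RRSIG from the zone covers them and a validating stub cannot verify them.
    """
    v4 = extract(aaaa, prefix)
    if v4 is None:
        return "native"
    if str(v4) in signed_a_rrset:
        return "synthesized"
    return "in-prefix-unmatched"
```
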
