In message <[email protected]>, Sander Steffann 
writes:
>
> Hi,
>
> > On 22 Feb 2017, at 17:35, Ted Lemon <[email protected]> wrote:
> >
> > On Feb 22, 2017, at 9:36 AM, Mark Andrews <[email protected]> wrote:
> >> DNS64 really should just be made historic.  It does not work with
> >> DNSSEC.  There has NEVER been a NEED for NAT64 or DNS64.  They
> >> provide NO BENEFIT over other methods.  Every purported benefit
> >> turns out not to exist.
> >
> > (A) I find NAT64 to be a very convenient solution, and best of all it
> > tests IPv6 functionality in apps, so I know which apps will not work on a
> > v6-only network.
> > (B) DNS64 works _fine_ with DNSSEC as long as you do the DNS64
> > translation _after you validate_.
>
> This.
>
> I have tested different implementations and used others that work like
> this, and it works fine. I'm at Cisco Live in Berlin and I have been
> behind a DNSSEC validating NAT64 resolver the whole week (thanks to Jan
> Žorž for providing it!).

I presume the configuration was:

Internet <-> ISP validating DNS64 <-> clients.

That's the trivial configuration.

You need to think about all the other ways networks are set up today.

Internet <-> ISP validating DNS64 <-> validating recursive server <-> clients.
Internet <-> ISP validating DNS64 <-> validating recursive server <-> validating clients.

Then, to get them to work, you need to add DNS64 prefix learning to every
validating device in the path.

How often does the validating recursive server attempt to do DNS64
prefix discovery?  Every time it gets a NODATA to AAAA lookups?
Even one non-DNS64 prefix discovering validating resolver in the
path breaks DNS64 for everything behind it.  Fiddling with DO and
CD doesn't get the synthesised DNS64 records through a non-DNS64
prefix discovery aware validating resolver.

Then there are clients that do

Internet <-> 8.8.8.8 <-> validating recursive server <-> validating clients.

How do they learn the DNS64 prefix?  Too many ISPs mangle DNS to
trust responses from them.

Mark

> Cheers,
> Sander

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]

_______________________________________________
sunset4 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sunset4
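
The "DNS64 prefix learning" that the message above says every validating device in the path would need, as an added example (not code from this thread or from any resolver). It assumes the RFC 7050 ipv4only.arpa heuristic and RFC 6052 address embedding, with synthesis done locally from an A record the resolver validated itself; the function names and sample addresses are constructed.

```python
import ipaddress

# RFC 7050 well-known IPv4 addresses published as A records for ipv4only.arpa
WKA = {ipaddress.IPv4Address("192.0.0.170"), ipaddress.IPv4Address("192.0.0.171")}
PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)  # the only lengths RFC 6052 allows


def embedded_v4(addr, plen):
    """Return the IPv4 address embedded in addr for an RFC 6052 prefix length."""
    b = addr.packed
    # Octet 8 (bits 64-71) is reserved, so the IPv4 bytes skip over it.
    raw = b[12:16] if plen == 96 else (b[plen // 8:8] + b[9:16])[:4]
    return ipaddress.IPv4Address(raw)


def discover_prefix(ipv4only_aaaa):
    """Derive Pref64::/n from the AAAA answers a DNS64 gave for ipv4only.arpa."""
    for text in ipv4only_aaaa:
        addr = ipaddress.IPv6Address(text)
        for plen in PREFIX_LENGTHS:
            if embedded_v4(addr, plen) in WKA:
                return ipaddress.IPv6Network((addr, plen), strict=False)
    return None  # no synthesis seen: no DNS64 upstream, or the answer was altered


def synthesize(prefix, v4):
    """Build the AAAA locally from an A record this resolver validated itself."""
    p, v = prefix.network_address.packed, ipaddress.IPv4Address(v4).packed
    n = prefix.prefixlen // 8
    if prefix.prefixlen == 96:
        out = p[:12] + v
    else:
        body = p[:n] + v[:8 - n] + b"\x00" + v[8 - n:]
        out = body + b"\x00" * (16 - len(body))
    return ipaddress.IPv6Address(out)


if __name__ == "__main__":
    # Constructed answers, as a DNS64 using the well-known prefix would return them.
    pref = discover_prefix(["64:ff9b::c000:aa", "64:ff9b::c000:ab"])
    print("learned prefix:", pref)
    # 192.0.2.33 stands in for an address from a DNSSEC-validated A RRset.
    print("local AAAA:", synthesize(pref, "192.0.2.33"))
```

The ipv4only.arpa answer itself is synthesized and so cannot be DNSSEC-validated, which is why the message's question about trusting the upstream resolver still applies to this step.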
