[dns-operations] resolvers considered harmful

Tony Finch dot at dotat.at
Fri Oct 24 10:55:03 UTC 2014


Phillip Hallam-Baker <phill at hallambaker.com> wrote:
>
> Right now I do not see any transition plan from IPv4 to IPv6. We have
> plenty of plans that let us use IPv6 only but as yet no plan that lets us
> put a pure IPv6 device on a mixed network and achieve 100% connectivity
> with legacy IPv4 hosts. Such a device would never make A record queries. It
> would only make AAAA queries.
>
> But give me a trusted path to an IPv6 resolver that I can trust to rewrite
> DNS records so that my requests for hosts with only IPv4 connectivity are
> rewritten to give me the address of a suitable gateway for that particular
> AS.
>
> The only thing that breaks is the DNSSEC signature on the AAAA record. And
> that should not matter because an Internet application only cares about
> domain names, the address should not be visible.

As I understand it the plan is to tell clients about the network's
NAT64/DNS64 configuration so that clients can do their own DNS64
synthesis, which means the DNSSEC breakage no longer matters.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly
5 or 6. Slight or moderate. Showers in northwest. Good.


