[dns-operations] which breakage is this? FreeBSD.org / systemd-resolved

Philip Homburg philip.homburg at ripe.net
Sun Nov 1 14:29:06 UTC 2020


On 2020/10/31 1:05 , Phil Pennock wrote:
> On 2020-10-30 at 19:09 +0100, Philip Homburg wrote:
>> I'm confused. Why does 464XLAT break DNSSEC? The idea is that a DNSSEC
> 
> It's whichever one ends up with all connectivity to the global IPv4
> Internet being via IPv4-in-IPv6 addresses and all DNS is faked to only
> return AAAA records using the network operator's IPv6 prefix for such
> addresses.

There is NAT64. Together with DNS64 that allows an IPv6 host to talk to
IPv4 hosts. However, NAT64 generates invalid IPv6 packets. So it is better
to use NAT64 only in combination with CLAT, which gives 464XLAT.

CLAT solves the problem of broken IPv6 packets by translating them back
into IPv4 (and also deals with IPv4 address literals, avoids the need
for DNS64, etc.)

So 464XLAT doesn't have a DNSSEC problem, but NAT64 on its own
potentially does.
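
An added example, not part of the original message: the RFC 6052 address embedding that DNS64 uses to synthesize AAAA records, and a check a validating client can use to recognize such answers, which carry no signature from the zone, so that it validates the signed A RRset instead. It generalizes to all six RFC 6052 prefix lengths; `64:ff9b::/96` is the RFC 6052 well-known prefix, the function names are hypothetical, and the addresses are constructed documentation values.

```python
import ipaddress

RFC6052_LENGTHS = (32, 40, 48, 56, 64, 96)

def _v4_slots(plen):
    # Byte offsets that carry the IPv4 address; octet 8 (the reserved "u" octet) is skipped.
    if plen not in RFC6052_LENGTHS:
        raise ValueError(f"/{plen} is not an RFC 6052 prefix length")
    return [i for i in range(plen // 8, 16) if i != 8][:4]

def embed(prefix, v4):
    """What DNS64 does to an A record: build the AAAA address inside the NAT64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    raw = bytearray(net.network_address.packed)
    for pos, octet in zip(_v4_slots(net.prefixlen), ipaddress.IPv4Address(v4).packed):
        raw[pos] = octet
    return ipaddress.IPv6Address(bytes(raw))

def extract(prefix, v6):
    """Recover the embedded IPv4 address, or None if v6 is not inside the prefix."""
    net, addr = ipaddress.IPv6Network(prefix), ipaddress.IPv6Address(v6)
    if addr not in net or addr.packed[8] != 0:
        return None
    return ipaddress.IPv4Address(bytes(addr.packed[i] for i in _v4_slots(net.prefixlen)))

def classify(prefix, aaaa_answers, signed_a_rrset):
    """Label each AAAA answer relative to the A RRset the zone actually signed."""
    signed = {ipaddress.IPv4Address(a) for a in signed_a_rrset}
    labels = {}
    for answer in aaaa_answers:
        v4 = extract(prefix, answer)
        if v4 is None:
            labels[answer] = "native"               # validate the AAAA RRset as usual
        elif v4 in signed:
            labels[answer] = "synthesized"          # validate the A RRset instead
        else:
            labels[answer] = "in-prefix-unmatched"  # no signed A record backs it
    return labels

if __name__ == "__main__":
    # Constructed sample answers for one name whose signed A RRset is 192.0.2.33.
    answers = ["64:ff9b::c000:221", "2001:db8::1", "64:ff9b::c633:6401"]
    for addr, label in classify("64:ff9b::/96", answers, ["192.0.2.33"]).items():
        print(f"{addr:24} {label}")
```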



