[dns-operations] which breakage is this? FreeBSD.org / systemd-resolved

Philip Homburg philip.homburg at ripe.net
Fri Oct 30 18:09:49 UTC 2020

On 2020/10/30 18:38 , Phil Pennock wrote:
> On a laptop, you discover when roaming that suddenly you're on a network
> where the only DNS upstreams are doing 464XLAT and all DNSSEC
> verification breaks, so you need to be able to handle that _sometimes_
> DNSSEC is just not viable.

I'm confused. Why does 464XLAT break DNSSEC? The idea is that a DNSSEC
validating resolver sets the CD bit (in addition to the DO bit). This
causes the DNS64 resolver to stop doing synthesis (RFC 6147, Section 5.5).

This would normally cause NAT64 to fail. However, in the case of
464XLAT, synthesis is not needed, so everything should be fine.
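
As an added illustration (not part of this thread), here is a small Python model of the DNS64 decision the reply describes and of why the outcome differs for plain NAT64 and for 464XLAT; the reading of RFC 6147 Section 5.5, the use of the RFC 6052 well-known prefix and the scenario helpers are this example's assumptions.

```python
# Added example, not from the thread: toy model of DNS64 behaviour toward a
# validating stub (DO + CD set) and its effect on NAT64 vs 464XLAT hosts.
import ipaddress

# RFC 6052 Well-Known Prefix commonly used by DNS64/NAT64 (assumed here).
WKP = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = WKP) -> str:
    """Embed an IPv4 address in the /96 translation prefix (RFC 6052)."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def dns64_answer(a_records, aaaa_records, do_bit: bool, cd_bit: bool):
    """Model what a DNS64 resolver returns for an AAAA query.

    Per RFC 6147 Section 5.5 (as read by this example), a query carrying DO
    and CD is passed through unmodified: the client will validate itself and
    a synthesized AAAA could never validate. Otherwise, when no real AAAA
    exists, AAAA records are synthesized from the A records.
    """
    if aaaa_records:
        return list(aaaa_records)  # real AAAA present: never synthesize
    if do_bit and cd_bit:
        return []  # CD set: no synthesis, the stub sees the true (empty) answer
    return [synthesize_aaaa(a) for a in a_records]


def can_reach_ipv4_only(aaaa_answer, a_records, has_clat: bool) -> bool:
    """An IPv6-only host needs an AAAA; a 464XLAT host can also use the A
    record, because its CLAT translates IPv4 traffic toward the PLAT."""
    if aaaa_answer:
        return True
    return has_clat and bool(a_records)


def scenario(validating_stub: bool, has_clat: bool) -> bool:
    """Constructed case: IPv4-only destination behind DNS64/NAT64, queried
    by a stub that sets DO and, if validating, CD as well."""
    a = ["192.0.2.10"]  # constructed documentation address
    answer = dns64_answer(a, [], do_bit=True, cd_bit=validating_stub)
    return can_reach_ipv4_only(answer, a, has_clat)
```

Running the scenarios shows the point of the reply: a validating stub on plain NAT64 loses the synthesized AAAA and cannot reach the IPv4-only host, while the same stub behind a CLAT (464XLAT) still gets through on the A record.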

