[dns-operations] which breakage is this? FreeBSD.org / systemd-resolved

Phil Pennock dnsop+phil at spodhuis.org
Sat Oct 31 00:05:00 UTC 2020


On 2020-10-30 at 19:09 +0100, Philip Homburg wrote:
> On 2020/10/30 18:38 , Phil Pennock wrote:
> > On a laptop, you discover when roaming that suddenly you're on a network
> > where the only DNS upstreams are doing 464XLAT and all DNSSEC
> > verification breaks, so you need to be able to handle that _sometimes_
> > DNSSEC is just not viable.  
> 
> I'm confused. Why does 464XLAT break DNSSEC? The idea is that a DNSSEC

I've probably gotten confused about the different translation
technologies: I haven't been an ISP sysadmin in decades and am rustier
than I like to admit.

It's whichever one ends up with all connectivity to the global IPv4
Internet being via IPv4-in-IPv6 addresses and all DNS is faked to only
return AAAA records using the network operator's IPv6 prefix for such
addresses.

Sorry.
-Phil


