IETF Logo Mail Archive

[DNSOP] Re: [v6ops] Re: Re: Re: Re: Re: Moving DNS64 (RFC6147) to Internet Standard

Mark Andrews <marka@isc.org> Tue, 14 April 2026 21:21 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id D7C2CDC4D7E6; Tue, 14 Apr 2026 14:21:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1776201665; bh=8rWmUVg54wX8fhPiejSIEMpMmSET9TsX0+euwSyk1c0=; h=From:Subject:Date:References:Cc:In-Reply-To:To; b=utI95VysBob6sLxR3gHOMTiuQUFlkLglbLlDj2jepgAi6SZd49yZmLrpgkgLInQUj Jt9CtMXBFg8T//eRwd0yinxL4i32b30QgcesOQIHG2HXGaE3QdlSL6DPwfZEWjGfhj U5T3Hw3uUuRKDAEtsOUlCH5nOOaLzhQyVcbO7Qpw=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.399
X-Spam-Level:
X-Spam-Status: No, score=-4.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="JI13IELQ"; dkim=pass (1024-bit key) header.d=isc.org header.b="TY5q05dD"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jl7smjtHQQpM; Tue, 14 Apr 2026 14:21:03 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id DF030DC4D547; Tue, 14 Apr 2026 14:20:30 -0700 (PDT)
Received: from zimbra10.isc.org (zimbra10.isc.org [149.20.2.90]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 429C14E4094; Tue, 14 Apr 2026 21:20:30 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org 429C14E4094
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.90
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1776201630; cv=none; b=Tj0w/ebEkPTSAFWeLcfrglyOz6Hk+LCnjjyNYl44cCCsYF8vNJ5fs7EbKu1/cFuTDk7gI2s2ncmLfkWxN/vR9jaH0Oa+BxGu2BbS7Sl9/zpmZ5sPZy3WZ27MsZVoT7NgMJ5xGfEN6ILv7RUOSl9s+8ZR1vfsmUiG03xNTPxFsrE=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1776201630; c=relaxed/relaxed; bh=4hqyHkhSoz+e2KoofLLCek/qQiIHl9I03x48FkT1liQ=; h=DKIM-Signature:DKIM-Signature:From:Mime-Version:Subject:Date: Message-Id:To; b=Il54ai5iUuSaJNbKhNdk6vDqkCoOiXhCEJW16Py7HSVSZBZTgHWZD7I8z0SzQK6z7GpIx7o9FXyY7xb27fCZ1j4CrkFBOwUzl2M39u7taVyfbw8rBELx5KV5x3K86MeCzaQnp/X+GmEJ6o1QZJHtEkS9sGavIvVGjwuPH7a1RYQ=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org 429C14E4094
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1776201630; bh=8rWmUVg54wX8fhPiejSIEMpMmSET9TsX0+euwSyk1c0=; h=From:Subject:Date:References:Cc:In-Reply-To:To; b=JI13IELQOllUcbSap0+nJ0wpdxapVsuLTI5tQRrt/q+09brLMzqAeUJRKmdUCN0Ze IV3gO8AKvHvEGnALTvsqXq9qO17pHt9EvMAH7o7TUnUqISoxQQoWfrWSBsJQvpYf6q ZaksY6r5jv5K+WXitZ6uVAE4gFRS4bUBDhYE88ic=
Received: from zimbra10.isc.org (localhost [127.0.0.1]) by zimbra10.isc.org (Postfix) with ESMTPS id 3E88F2E602C6; Tue, 14 Apr 2026 21:20:30 +0000 (UTC)
Received: from zimbra10.isc.org (localhost [127.0.0.1]) by zimbra10.isc.org (Postfix) with ESMTPS id 3A2272E6038B; Tue, 14 Apr 2026 21:20:30 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbra10.isc.org 3A2272E6038B
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1776201630; bh=4hqyHkhSoz+e2KoofLLCek/qQiIHl9I03x48FkT1liQ=; h=From:Mime-Version:Date:Message-Id:To; b=TY5q05dDhDva+iRhOk6OY3kZRFEu0k18889LqqAVCSpU1GNqIi8ETUAZT+T/r1XIP 2p538D7cJWs6UdtvZubsKa8QVKF6oAtTqMzcHAfLBIES3bhnvZ2kQ1KmEpGr2Mf26Q 390LmbRSUwsyOED/aMFgEze4lkAtFky0gV7n4s5M=
Received: from smtpclient.apple (n49-187-18-238.bla1.nsw.optusnet.com.au [49.187.18.238]) by zimbra10.isc.org (Postfix) with ESMTPSA id ED2972E602C6; Tue, 14 Apr 2026 21:20:29 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Mark Andrews <marka@isc.org>
Mime-Version: 1.0 (1.0)
Date: Wed, 15 Apr 2026 07:20:17 +1000
Message-Id: <E2A431EF-B50C-48B0-966F-DB5771264685@isc.org>
References: <1133413B-3A85-40E8-9692-38EA538CD4AD@isc.org>
In-Reply-To: <1133413B-3A85-40E8-9692-38EA538CD4AD@isc.org>
To: Ted Lemon <mellon@fugue.com>
X-Mailer: iPhone Mail (23D8133)
Message-ID-Hash: NRBNPOQNP76SG4IEGW5B6D4QC3B2Z7KG
X-Message-ID-Hash: NRBNPOQNP76SG4IEGW5B6D4QC3B2Z7KG
X-MailFrom: marka@isc.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Philip Homburg <pch-dnsop-7@u-1.phicoh.com>, dnsop@ietf.org, jordi.palet=40consulintel.es@dmarc.ietf.org, IPv6 Operations <v6ops@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [v6ops] Re: Re: Re: Re: Re: Moving DNS64 (RFC6147) to Internet Standard
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Fhts42fQ5jRp29MnRZv52FIpA1g>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Continuing on:

I was using my iPhone as a hot spot and tests that just work when normally work just started falling.  This is all because people interfere with address lookups. We have decades of complaints about people interfering with address lookups.  There was the whole Site Finder snafu. 

DNS64 “appears” to work because there are still not a lot of zones that are signed and most of them also are IPv6 enabled.  Add to that all the OS vendors that have been slack in deploying DNSSEC on the devices they ship.  

Now BIND doesn’t do DNS64 as described.  It does an approximation of it. 

DNS64 isn’t needed anywhere. 464XLAT doesn’t needed it.  Discovery of the prefix doesn’t need it. You can just publish an ip4only.arpa zone with the correct AAAA records.

Figuring out how to do DNS64 correctly  automatically is impossible even ignoring DNSSEC.  You just break things.
-- 
Mark Andrews

> On 15 Apr 2026, at 06:42, Mark Andrews <marka@isc.org> wrote:
> 
> Even local synthesis es wrong. It is at the wrong level in the stack.  I had test fail on my Mac because curl decided that 10.53.0.4 was out on the internet despite it being an address on the loopback interface.
> 
> The
> --
> Mark Andrews
> 
>> On 15 Apr 2026, at 04:42, Ted Lemon <mellon@fugue.com> wrote:
>> 
>> I think it's also worth asking whether the devices that care about DNSSEC or DOH are the devices that don't do local synthesis. E.g. I'm pretty sure Apple devices will do local synthesis. I get the sense that Google devices will as well. Not sure about Windows, maybe Jen Linkova knows? Also not sure about Linux, probably varies. Of course, if e.g. your browser is doing DoH, it may not bother with DNSSEC anyway, even if your local resolver does do DNSSEC. But it had better do local synthesis, or it's not going to work in a v6only NAT64 environment regardless of whether or not DNS64 is present.
>> 
>> But my point is, your printer that's downloading firmware probably isn't doing DNSSEC validation, although it should, and it's probably not using DoH to bypass the local resolver either.
>> 
>>>>> On 14 Apr 2026, at 19:57, Philip Homburg <pch-dnsop-7@u-1.phicoh.com> wrote:
>>>>> 
>>>>> I will like to see that long list of things that dont work with
>>>>> DNS64 in the real world.
>>> 
>>> I don't have a complete list, but here is a start. Let's assume a host
>>> that relies on DNS64 to obtain IPv4 connectivity. What doesn't work in
>>> that case:
>>> 1) An IPv4 literal
>>> 2) Any kind of local DNSSEC validation, either in the stub resolver or in
>>> a local DNS forwarder.
>>> 3) Any resolver configuration that by-passes the local (DNS64) resolver
>>> such as an (optionally DoH, DoT) connection to a public resolver.
>>> 4) Any kind of code that implement STUN for IPv4 but not for
>>> IPv6.
>>> 5) As far as I can tell, any kind of code that tries STUN on an IPv6 address
>>> that was mapped by the DNS64 resolver.
>>> 
>>> A few corners cases:
>>> 6) A DNS recursive resolver
>>> 7) DNS code that tries to disable EDNS Client Subnet
>>> 
>>> I think there are more protocols that somehow encode whether IPv4 or IPv6
>>> is used, but this is just from the top of my head.
>>> 
>>> _______________________________________________
>>> v6ops mailing list -- v6ops@ietf.org
>>> To unsubscribe send an email to v6ops-leave@ietf.org
>> 
>> _______________________________________________
>> v6ops mailing list -- v6ops@ietf.org
>> To unsubscribe send an email to v6ops-leave@ietf.org

v2.43.4 | Report a Bug | By Email | System Status