IETF Logo Mail Archive

[DNSOP] Re: [v6ops] Re: Re: Re: Re: Re: Moving DNS64 (RFC6147) to Internet Standard

Mark Andrews <marka@isc.org> Tue, 14 April 2026 20:43 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 816DFDC49D3B; Tue, 14 Apr 2026 13:43:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1776199404; bh=maUA5hqBvv7ddf9ceMA+0+0/QS8qJFHPEPwh5uVY8hA=; h=From:Subject:Date:References:Cc:In-Reply-To:To; b=A58xW8KYXcu8yyQf237vN2+aPF35XaT3/zOt424HRTLKfrxZPWnc/EPWef3P2EKhF PUWD9Z47/Kk/wbAawwZmneIp54S71cgXQ59xEh+4kjhTihFCb6lXdbpkCbXd7udDjC Z/qNmKpS6fPhoAYNGn6sNmHgQGpG/q11yLRwtrzI=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.399
X-Spam-Level:
X-Spam-Status: No, score=-4.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="Vs3OnQdt"; dkim=pass (1024-bit key) header.d=isc.org header.b="M0IcEjxm"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bNycn4GnzH1B; Tue, 14 Apr 2026 13:43:22 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id BFCDBDC49CC7; Tue, 14 Apr 2026 13:43:22 -0700 (PDT)
Received: from zimbra10.isc.org (zimbra10.isc.org [149.20.2.90]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id EAF864E4094; Tue, 14 Apr 2026 20:43:15 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org EAF864E4094
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.90
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1776199396; cv=none; b=hwyu3sL86WYps191LJM0jg0DIwldStZYNzPoWfXFHo7GVdt1Fr55E+crhyijqLcqtpAav9YjrXEf+MMhIPicQRCHOiiAUC679E9OgEe+xfu2KCZr8dY1RyreilaOhZvUn6xomDoI7JyH9mw7qfQhTD5r+Chr9yTX96QyPyTiXUY=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1776199396; c=relaxed/relaxed; bh=HVz7nzPKwTGBRa2rjPNhpmpl4JZZ6nJwq4GsWd9oZOQ=; h=DKIM-Signature:DKIM-Signature:From:Mime-Version:Subject:Date: Message-Id:To; b=lzNB4pMVEMYgVggzWVGEbMOz1P/l5iBzy578K99i+RJobNygm7zuNWKCyjaM6s73h4BkqqqkFzcRuQcRszeRFuBw/IWiZvzp4fIjk6SUNd0Nd/8055lehJMfw2Qtn9dCxoNuA588+x74D7Xwd9jn2vntKxGDmyOU9+G3MmYBgDM=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org EAF864E4094
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1776199396; bh=maUA5hqBvv7ddf9ceMA+0+0/QS8qJFHPEPwh5uVY8hA=; h=From:Subject:Date:References:Cc:In-Reply-To:To; b=Vs3OnQdtgBbN3tGEFGCDRmT4ow9TTTCT9zKMqljdAW+aZGnav4UXnCDSeBHdSKgs2 87jUzDaUfUbusg7xIWF4jdItCiSStS3xrXB0ZUA66yUkXCImRyP4IAPOi+UZW+7Mfd TEEgwLxDFkoDkNbgoed/BHOscC0AyBkzFQNVnSmY=
Received: from zimbra10.isc.org (localhost [127.0.0.1]) by zimbra10.isc.org (Postfix) with ESMTPS id E52072E602C6; Tue, 14 Apr 2026 20:43:15 +0000 (UTC)
Received: from zimbra10.isc.org (localhost [127.0.0.1]) by zimbra10.isc.org (Postfix) with ESMTPS id E0DFE2E6038B; Tue, 14 Apr 2026 20:43:15 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbra10.isc.org E0DFE2E6038B
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1776199395; bh=HVz7nzPKwTGBRa2rjPNhpmpl4JZZ6nJwq4GsWd9oZOQ=; h=From:Mime-Version:Date:Message-Id:To; b=M0IcEjxmS4e9o555T3+JyQVEy3y1oXMUgZA6/DOk5clXT6qFnuUZXfuEbGAxcDb3u wfcFI0eRGB/2nMKuTgOr+h1DfwZ44yVDKoAjPG0ssKlCYZjSTdVWIylFlRDwrS4IGS Jl4liaOtpiPDwRW4cNJoqiSXqGnba1AzxRXPAoJE=
Received: from smtpclient.apple (n49-187-18-238.bla1.nsw.optusnet.com.au [49.187.18.238]) by zimbra10.isc.org (Postfix) with ESMTPSA id ABEC02E602C6; Tue, 14 Apr 2026 20:43:15 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Mark Andrews <marka@isc.org>
Mime-Version: 1.0 (1.0)
Date: Wed, 15 Apr 2026 06:42:56 +1000
Message-Id: <1133413B-3A85-40E8-9692-38EA538CD4AD@isc.org>
References: <BEC52137-2556-45A7-9859-695086C1E9D7@fugue.com>
In-Reply-To: <BEC52137-2556-45A7-9859-695086C1E9D7@fugue.com>
To: Ted Lemon <mellon@fugue.com>
X-Mailer: iPhone Mail (23D8133)
Message-ID-Hash: CVIXGAGX5YU42G7KP7ZINFZ6Z5D4XLPQ
X-Message-ID-Hash: CVIXGAGX5YU42G7KP7ZINFZ6Z5D4XLPQ
X-MailFrom: marka@isc.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Philip Homburg <pch-dnsop-7@u-1.phicoh.com>, dnsop@ietf.org, jordi.palet=40consulintel.es@dmarc.ietf.org, IPv6 Operations <v6ops@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [v6ops] Re: Re: Re: Re: Re: Moving DNS64 (RFC6147) to Internet Standard
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Fw6R8ZKcsRyyTH6HYzGtBu_vSTM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Even local synthesis es wrong. It is at the wrong level in the stack.  I had test fail on my Mac because curl decided that 10.53.0.4 was out on the internet despite it being an address on the loopback interface.

The 
-- 
Mark Andrews

> On 15 Apr 2026, at 04:42, Ted Lemon <mellon@fugue.com> wrote:
> 
> I think it's also worth asking whether the devices that care about DNSSEC or DOH are the devices that don't do local synthesis. E.g. I'm pretty sure Apple devices will do local synthesis. I get the sense that Google devices will as well. Not sure about Windows, maybe Jen Linkova knows? Also not sure about Linux, probably varies. Of course, if e.g. your browser is doing DoH, it may not bother with DNSSEC anyway, even if your local resolver does do DNSSEC. But it had better do local synthesis, or it's not going to work in a v6only NAT64 environment regardless of whether or not DNS64 is present.
> 
> But my point is, your printer that's downloading firmware probably isn't doing DNSSEC validation, although it should, and it's probably not using DoH to bypass the local resolver either.
> 
>>> On 14 Apr 2026, at 19:57, Philip Homburg <pch-dnsop-7@u-1.phicoh.com> wrote:
>>> 
>>> I will like to see that long list of things that dont work with
>>> DNS64 in the real world.
>> 
>> I don't have a complete list, but here is a start. Let's assume a host
>> that relies on DNS64 to obtain IPv4 connectivity. What doesn't work in
>> that case:
>> 1) An IPv4 literal
>> 2) Any kind of local DNSSEC validation, either in the stub resolver or in
>>  a local DNS forwarder.
>> 3) Any resolver configuration that by-passes the local (DNS64) resolver
>>  such as an (optionally DoH, DoT) connection to a public resolver.
>> 4) Any kind of code that implement STUN for IPv4 but not for
>>  IPv6.
>> 5) As far as I can tell, any kind of code that tries STUN on an IPv6 address
>>  that was mapped by the DNS64 resolver.
>> 
>> A few corners cases:
>> 6) A DNS recursive resolver
>> 7) DNS code that tries to disable EDNS Client Subnet
>> 
>> I think there are more protocols that somehow encode whether IPv4 or IPv6
>> is used, but this is just from the top of my head.
>> 
>> _______________________________________________
>> v6ops mailing list -- v6ops@ietf.org
>> To unsubscribe send an email to v6ops-leave@ietf.org
> 
> _______________________________________________
> v6ops mailing list -- v6ops@ietf.org
> To unsubscribe send an email to v6ops-leave@ietf.org

v2.43.4 | Report a Bug | By Email | System Status