[DNSOP] Re: [v6ops] Re: Re: Moving DNS64 (RFC6147) to Internet Standard

["jordi.palet@consulintel.es" <jordi.palet@consulintel.es>]

I think the point is that we are assuming that in all the cases, DNSSEC is broken using DNS64 if there is no CLAT, or there is a DNSSEC validating proxy, or whatever, and this is incorrect.

That’s ignoring that if you *properly* configure the DNS64 servers, they will do the right thing and in some cases will not do the synthesis.

For example, in the case of bind9 you have by default “break-dnsec no;"

In some strange cases, you could also set special exclusions to avoid some destinations to be synthesised.

If you don’t have a CLAT (so NAT64+DNS64 case), it means those DNSSEC destinations can’t be reached at all if the host or the access network is IPv6-only. That’s why in most of the cases, NAT64+DNS64 is a bad idea (unless the host can do self-synthesis), and that’s why we invented 464XLAT. Clearly this is a very different problem, is not DNS64 breaking anything, is the destination deploying DNSSEC and not considering that there are IPv6-only networks or hosts that will only work if they deploy DNSSEC+IPv6.

So repenting myself, do we have real world deployment cases where there are complains of DNSSEC being broken?

Rergards,
Jordi

@jordipalet


> El 13 abr 2026, a las 16:53, Michael Richardson <mcr+ietf@sandelman.ca> escribió:
> 
> 
> Philip Homburg <pch-dnsop-7@u-1.phicoh.com> wrote:
>> You never installed a DNSSEC validating proxy on a laptop without CLAT?
> 
> Yes, I've done it.  Any bog-standard Ubuntu laptop with systemd-resolve usually has
> DNSSEC enabled, and has no CLAT.  (Of course, systemd-resolver screws up so
> badly for other reasons, one usually has to disable it)
> I agree, it's a fail.
> 
>>> I think the point is to understand that DNSSEC with DNS64 is broken
>>> only in a very very very small % of situation, which can also be
>>> resolved.
> 
>> The problem with DNS64 is that it seems to work (to some extent at least)
>> without CLAT. But as soon as you install a DNSSEC validating proxy,
>> or some other DNSSEC validation, access to IPv4 is lost.
> 
> From what I understand, Smartphones, Windows and OSX all have CLATs, but do
> not come with DNSSEC enabled by default.  I think that those systems are all
> moving (perhaps slowly) to PREF64 and local synthesis.  That's good, right?
> 
>> That means that devices that rely on DNS64 make it is a lot harder to
>> deploy those technologies.
> 
> Only if they are mobile/nomadic.
> If they stay in one place, one does whatever the correct thing is.
> Remember that people deploying IPv6-{mostly,only} **today** know what the correct
> thing is.   If DNS64 goes away, then many servers will have to go back to
> dual-stack.  That's who loses.
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>           Sandelman Software Works Inc, Ottawa and Worldwide
> 
> **       My working hours and your working hours may be different.         **
> ** Please do not feel obligated to reply outside your normal working hours **
> 
> 
> 
> 


**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.