[DNSOP] Re: [v6ops] Re: Re: Re: Re: Moving DNS64 (RFC6147) to Internet Standard

"jordi.palet@consulintel.es" <jordi.palet@consulintel.es> Wed, 15 April 2026 07:11 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Pz3bEyGHSQ79NIMYtyuR2rGjm-o>

Hi Mark,

In line, below.

Regards,
Jordi

@jordipalet


> On 14 Apr 2026, at 23:20, Mark Andrews <marka@isc.org> wrote:
> 
> Continuing on:
> 
> I was using my iPhone as a hot spot and tests that normally just work just started failing.  This is all because people interfere with address lookups. We have decades of complaints about people interfering with address lookups.  There was the whole Site Finder snafu.

So you’re saying that is not DNS64, but many wrong deployments of DNS by interfering with lookups?


> 
> DNS64 “appears” to work because there are still not a lot of zones that are signed and most of them also are IPv6 enabled.  Add to that all the OS vendors that have been slack in deploying DNSSEC on the devices they ship.  
> 

Agree, and it seems we are in agreement also that any DNSSEC deployment, in 2026, should be also with IPv6.

> Now BIND doesn’t do DNS64 as described.  It does an approximation of it.

I’m not sure I follow what you mean. BIND doesn’t follow RFC6147, or? What is different? Maybe we could learn about that and see how to improve it.

> 
> DNS64 isn’t needed anywhere. 464XLAT doesn’t need it.  Discovery of the prefix doesn’t need it. You can just publish an ip4only.arpa zone with the correct AAAA records.

That’s a different problem. RFC7050 is what I think is broken and not needed, and I actually believe it is not being used in actual deployments. I’ve asked in private the major vendors of mobile OSs, and will report to the list when they reply. That’s also why I asked folks in v6ops to test by themselves if they have their mobiles in an operator doing 464XLAT.

I don’t agree DNS64 is not needed; it avoids double translation and helps optimize timing.

> 
> Figuring out how to do DNS64 correctly  automatically is impossible even ignoring DNSSEC.  You just break things.

Don’t agree here, but happy to learn what may be broken apart from DNSSEC.

> -- 
> Mark Andrews
> 
>> On 15 Apr 2026, at 06:42, Mark Andrews <marka@isc.org> wrote:
>> 
>> Even local synthesis is wrong. It is at the wrong level in the stack.  I had a test fail on my Mac because curl decided that 10.53.0.4 was out on the internet despite it being an address on the loopback interface.
>> 
>> The
>> --
>> Mark Andrews
>> 
>>> On 15 Apr 2026, at 04:42, Ted Lemon <mellon@fugue.com> wrote:
>>> 
>>> I think it's also worth asking whether the devices that care about DNSSEC or DOH are the devices that don't do local synthesis. E.g. I'm pretty sure Apple devices will do local synthesis. I get the sense that Google devices will as well. Not sure about Windows, maybe Jen Linkova knows? Also not sure about Linux, probably varies. Of course, if e.g. your browser is doing DoH, it may not bother with DNSSEC anyway, even if your local resolver does do DNSSEC. But it had better do local synthesis, or it's not going to work in a v6only NAT64 environment regardless of whether or not DNS64 is present.
>>> 
>>> But my point is, your printer that's downloading firmware probably isn't doing DNSSEC validation, although it should, and it's probably not using DoH to bypass the local resolver either.
>>> 
>>>>>> On 14 Apr 2026, at 19:57, Philip Homburg <pch-dnsop-7@u-1.phicoh.com> wrote:
>>>>>> 
>>>>>> I will like to see that long list of things that don't work with
>>>>>> DNS64 in the real world.
>>>> 
>>>> I don't have a complete list, but here is a start. Let's assume a host
>>>> that relies on DNS64 to obtain IPv4 connectivity. What doesn't work in
>>>> that case:
>>>> 1) An IPv4 literal
>>>> 2) Any kind of local DNSSEC validation, either in the stub resolver or in
>>>> a local DNS forwarder.
>>>> 3) Any resolver configuration that by-passes the local (DNS64) resolver
>>>> such as an (optionally DoH, DoT) connection to a public resolver.
>>>> 4) Any kind of code that implements STUN for IPv4 but not for
>>>> IPv6.
>>>> 5) As far as I can tell, any kind of code that tries STUN on an IPv6 address
>>>> that was mapped by the DNS64 resolver.
>>>> 
>>>> A few corner cases:
>>>> 6) A DNS recursive resolver
>>>> 7) DNS code that tries to disable EDNS Client Subnet
>>>> 
>>>> I think there are more protocols that somehow encode whether IPv4 or IPv6
>>>> is used, but this is just from the top of my head.
>>>> 
>>>> _______________________________________________
>>>> v6ops mailing list -- v6ops@ietf.org
>>>> To unsubscribe send an email to v6ops-leave@ietf.org


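The "local synthesis" discussed in the quoted messages, and the remark that prefix discovery only needs AAAA records for ipv4only.arpa, can be made concrete. The following is an added example, not code from any participant in the thread: it recovers the NAT64 prefix from an ipv4only.arpa AAAA answer (RFC 7050) and embeds an IPv4 address in it (RFC 6052), which is what lets a host handle IPv4 literals and validate the original A record before synthesizing. Function names are hypothetical and all addresses are constructed from documentation ranges.

```python
import ipaddress

# RFC 7050 well-known IPv4 addresses that ipv4only.arpa resolves to
WKA = {ipaddress.IPv4Address("192.0.0.170"), ipaddress.IPv4Address("192.0.0.171")}
PREFIX_LENGTHS = (96, 64, 56, 48, 40, 32)  # the only lengths RFC 6052 allows


def _v4_positions(plen):
    """Byte offsets of the 4 IPv4 octets; octet 8 (the 'u' octet) is skipped."""
    positions, i = [], plen // 8
    while len(positions) < 4:
        if i != 8:
            positions.append(i)
        i += 1
    return positions


def synthesize(pref64, v4):
    """Embed an IPv4 address in a NAT64 prefix (RFC 6052 section 2.2)."""
    if pref64.prefixlen not in PREFIX_LENGTHS:
        raise ValueError("not a valid NAT64 prefix length")
    out = bytearray(pref64.network_address.packed)
    for pos, octet in zip(_v4_positions(pref64.prefixlen), v4.packed):
        out[pos] = octet
    return ipaddress.IPv6Address(bytes(out))


def discover_pref64(aaaa):
    """Recover the prefix from one AAAA answer for ipv4only.arpa, or None."""
    raw = aaaa.packed
    for plen in PREFIX_LENGTHS:
        v4 = ipaddress.IPv4Address(bytes(raw[p] for p in _v4_positions(plen)))
        if v4 in WKA and raw[8] == 0:
            return ipaddress.IPv6Network((raw[: plen // 8].ljust(16, b"\0"), plen))
    return None  # answer carries no well-known address: no prefix learned


def connect_target(host, pref64):
    """IPv4 literals never reach DNS, so DNS64 cannot map them; the host can."""
    try:
        return synthesize(pref64, ipaddress.IPv4Address(host))
    except ipaddress.AddressValueError:
        return None  # a name: resolve and validate its A record, then synthesize


if __name__ == "__main__":
    pref = discover_pref64(ipaddress.IPv6Address("64:ff9b::c000:aa"))  # constructed answer
    print(pref, connect_target("192.0.2.33", pref))
```

Because synthesis happens after the A record has been obtained, a validating stub can check the signed A RRset first; a AAAA synthesized by a DNS64 resolver carries no signature to check.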