Re: IPv6 only host NAT64 requirements?

Philip Homburg <> Tue, 14 November 2017 10:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E8A3A128BB6 for <>; Tue, 14 Nov 2017 02:44:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id u3SbBpvHwKZv for <>; Tue, 14 Nov 2017 02:44:39 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A9704127775 for <>; Tue, 14 Nov 2017 02:44:38 -0800 (PST)
Received: from (localhost [::ffff:]) by with esmtp (TLS version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384) (Smail #157) id m1eEYhl-0000FyC; Tue, 14 Nov 2017 11:44:33 +0100
Message-Id: <>
Subject: Re: IPv6 only host NAT64 requirements?
From: Philip Homburg <>
References: <> <> <> <> <> <> <>
In-reply-to: Your message of "Tue, 14 Nov 2017 08:32:20 +0800 ." <>
Date: Tue, 14 Nov 2017 11:44:32 +0100
Archived-At: <>
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 14 Nov 2017 10:44:42 -0000

> Now people here tell me that local validation
> of DNSSEC isn't done for IP4 either and in practice it's not
> deployable. I'd hope that's untrue, but regardless you don't appear
> to be in a worse position with DNS64 than you are without. Either
> you trust a distance recursive resolver to do the validation for
> you, or you do validation yourself (and also the synthesizing of
> IP6 addresses).

For quite a while now, I'm running two applications with local DNSSEC
validation on my laptop.

One is the cz.nic dnssec validator plugin for web browsers. The other is my
own code that uses getdns in ssh to validate SSHFP records.

In both cases, it just works. My conclusion is that wherever I take my laptop,
getdns can do local DNSSEC validation. DNSSEC works. Of course there are issues.
The fragmentation problems Geoff is seeing are real. But in practice it works.

One of the problems with DNSSEC and NAT64 is one way or another you have
to deal with a AAAA response that is not signed.

Without local synthesizing, local DNSSEC validation will fail. With local
synthesizing the local validator has to tell the application 'trust me, I
know what I'm doing'. Even if that's not actually true.