Re: IPv6 only host NAT64 requirements?

Brian E Carpenter <> Tue, 14 November 2017 02:01 UTC

To: Ole Troan <>
Cc: Philip Homburg <>, 6man WG <>
Organization: University of Auckland
Date: Tue, 14 Nov 2017 15:01:02 +1300
List-Id: "IPv6 Maintenance Working Group \(6man\)" <>

On 14/11/2017 14:03, Ole Troan wrote:
> Brian,
>>>>>> I am not optimistic on the demand / need / value of dnssec in any scenario
>>>>>> ....let alone an ipv6-only host validating an ipv4-only dns name. If the
>>>>>> folks operating this service cared, they could operate the server with
>>>>>> signed v6 names.  It is more reasonable in today's internet to ask the
>>>>>> server (let's assume most signed name scenarios are servers) to be setup
>>>>>> right (with v6). There is not a compelling reason why having v6 is
>>>>>> unattainable today for named nodes.
>>>>> DNSSEC is something that works today.
>>>> This is not the impression I get from attending IEPG meetings
>>>> and chatting in the corridors at the IETF. Also, we knew throughout
>>>> the development of NAT64/DNS64 that DNSSEC was a major stumbling block.
>>>> I don't think it is a good idea to entangle RFC6434bis with that issue.
>>> What's the DNSSEC major stumbling block?
>> I pass. Try asking Geoff Huston, for example.
> As far as I understand it, DNSSEC has deployment issues, which are comparable for the DNS64 and non-DNS64 case.

My understanding during the BEHAVE discussions was that
the gymnastics required in the resolver code in a host
were considerably more complex in the NAT64/DNS64 case than
in any other.

> But I will leave someone who knows DNS to give a definite answer to that.

Yes, that would be very helpful.

> If I understand what people are telling me correctly, your statement "major stumbling block" is not correct.

It would be nice if you are correct.