Hey Mark,

we deployed the dns64 settings some years ago and I did not notice
the settings at the time - but it seems their combination looks exactly
like what we were looking for.

Thanks a lot for the pointer!

Best regards,

Nico

Mark Andrews <ma...@isc.org> writes:

> Have you actually played with dns64 settings?
>
>         dns64 <netprefix> {
>                 break-dnssec <boolean>;
>                 clients { <address_match_element>; ... };
>                 exclude { <address_match_element>; ... };
>                 mapped { <address_match_element>; ... };
>                 recursive-only <boolean>;
>                 suffix <ipv6_address>;
>         }; // may occur multiple times
>
>
>> On 19 Feb 2021, at 06:39, Nico Schottelius <nico.schottel...@ungleich.ch> 
>> wrote:
>>
>>
>> Good morning everyone,
>>
>> we have a peculiar request to solve and were wondering whether it is at
>> all possible with bind:
>>
>> a)
>> For a certain source range, let's say 2001:db8::/96, we want to *only*
>> reply with generated DNS64 entries - i.e. we want bind to only reply
>> with mapped IPv4 addresses, NOT with proper AAAA entries, if they exist.
>
> dns64 <netprefix> { clients { acl; }; exclude { ::/0; }; };
>
>> b)
>> For a different source range, let's say 2001:db:1::/64, we want to reply
>> only with *proper* IPv6 AAAA entries, i.e. disable DNS64 for them.
>
> dns64 <netprefix> { clients { !prefix; any; }; };
>
>>
>> c) (optional)
>>
>> In the best case, we would even like to remove A replies from the
>> results, in case a misconfigured client requests A records.
>
> Then you break the ability of those clients to do their own DNS64 mappings
> which is required when they are doing DNSSEC themselves.
>
>> Background for this is that we have clients in specific networks, which
>> are mapped via SIIT to IPv4 addresses. These clients should never
>> connect to an IPv6 address (besides they actually do...) after
>> translation. And the clients in the other network should behave the
>> opposite, they should *only* connect to IPv6 hosts.
>>
>> However, both client networks are IPv6 only, as there is no IPv4 link
>> into these networks, so we are dealing with NAT64/SIIT. And
>> unfortunately we don't have a lot of control over the client behaviour,
>> whether they will ask for A/AAAA entries, so we will need to steer them
>> on the DNS side.
>>
>> Looking forward to your replies.
>>
>> Best regards,
>>
>> Nico
>>
>> --
>> Sustainable, Modern Infrastructures by ungleich.ch


--
Sustainable and modern Infrastructures by ungleich.ch
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

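As an added example (not from Mark or Nico, and not ISC documentation), here is a named.conf fragment that puts Mark's two dns64 statements together for the two networks in the question. The NAT64 prefix 64:ff9b::/96, the ACL names and the placement inside options are assumptions; the client prefixes are the ones from the original question. The two client ACLs are kept disjoint so that any given client matches exactly one dns64 statement, which avoids depending on how named combines overlapping statements.

```conf
// Added example, not code from the thread. Assumed: the 64:ff9b::/96
// well-known NAT64 prefix, the ACL names, and that this lives in options.

acl siit-clients   { 2001:db8::/96; };   // network (a): SIIT-translated, must only ever get synthesized AAAA
acl v6only-clients { 2001:db8:1::/64; }; // network (b): native IPv6, must never get synthesized AAAA

options {
    // ... other options ...

    // (a) Always synthesize for siit-clients, even when a real AAAA exists.
    // exclude { ::/0; } marks every existing AAAA as unusable, so named
    // maps the A records into the prefix instead of returning the real AAAA.
    dns64 64:ff9b::/96 {
        clients { siit-clients; };
        exclude { ::/0; };
        // If these clients set the DO bit, synthesis is suppressed for
        // signed answers unless you also say:
        // break-dnssec yes;
    };

    // (b) Everyone else except v6only-clients gets ordinary DNS64:
    // synthesized AAAA only when no real AAAA exists. v6only-clients are
    // negated here, and siit-clients as well, so they keep matching only (a).
    dns64 64:ff9b::/96 {
        clients { !v6only-clients; !siit-clients; any; };
    };
};
```

Note that part (c) of the question (suppressing A records) is deliberately absent: as Mark points out, clients that validate DNSSEC themselves need the A records to do their own DNS64 mapping. Check the result with `named-checkconf` and then query from an address in each ACL (for example with `dig AAAA` from a host in each range) to confirm which statement applies.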