In message <[email protected]>, Mikael Abrahamsson writes:
> On Sat, 13 Jun 2015, Dave Taht wrote:
>
> > I don't understand how badly this is going to break dnssec. dnsmasq in
> > particular has been dealing with edge case after edge case on dnssec for
> > the last few months, and it was my hope we'd finally got them all.
>
> DNS64 breaks DNSSEC because it creates an AAAA response where none is
> present in the zone being queried. It's basically doing MITM for DNS,
> which is exactly what DNSSEC was supposed to fix.
>
> DNSSEC would work if Apple decided to just do NAT64 discovery and then do
> their own DNS64 in the host, but I have no information as to what is being
> done here.
>
> At least DNSSEC still works between the Internet and the ISP DNS64
> resolver, but the end host won't be able to verify the response using
> DNSSEC.

RFC 6147 is totally broken when it talks about DNSSEC. The WG wanted so much for there to be a bit that said "validation will be performed on this answer" that they stopped listening. There is no such bit or combination of bits.

NAT64 and DNS64 need to die. There are much better solutions to providing IPv4 over IPv6 than NAT64 and DNS64 and 464XLAT that grew from NAT64 and DNS64. MAP and DS-Lite are better solutions. They work with DNSSEC. They have the same PMTUD issues as NAT64. Address selection rules provide enough bias towards IPv6.

> --
> Mikael Abrahamsson email: [email protected]

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
_______________________________________________
Bloat mailing list
[email protected]
https://lists.bufferbloat.net/listinfo/bloat
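The host-side alternative the thread mentions (discover the NAT64 prefix, then synthesize AAAA locally from an A RRset the host has validated itself) as an added illustration, not code from either poster: it implements the RFC 6052 address embedding for all permitted prefix lengths and the RFC 7050 prefix discovery via ipv4only.arpa; the `dnssec_validated` flag stands in for the host's own validator result and is an assumption of this example.

```python
import ipaddress

# RFC 7050: ipv4only.arpa resolves to these two A records; a DNS64 resolver's
# synthesized AAAA for that name therefore reveals the NAT64 prefix in use.
WELL_KNOWN_IPV4 = ("192.0.0.170", "192.0.0.171")
# RFC 6052 section 2.2 permits exactly these NAT64 prefix lengths.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def synthesize_aaaa(ipv4, nat64_prefix):
    """Embed an IPv4 address in a NAT64 prefix as RFC 6052 section 2.2 lays it out."""
    if not isinstance(nat64_prefix, ipaddress.IPv6Network):
        nat64_prefix = ipaddress.IPv6Network(nat64_prefix)
    plen = nat64_prefix.prefixlen
    if plen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{plen}")
    v4 = int(ipaddress.IPv4Address(ipv4))
    result = int(nat64_prefix.network_address)
    if plen == 96:
        return ipaddress.IPv6Address(result | v4)
    # For /32../64 the "u" octet (bits 64-71) must stay zero, so the IPv4
    # address is split: `before` bits sit right after the prefix, the rest at bit 72.
    before = 64 - plen
    high = v4 >> (32 - before)
    low = v4 & ((1 << (32 - before)) - 1)
    result |= high << 64            # occupies bits plen..63
    result |= low << (24 + before)  # occupies bits 72..(72 + 32 - before)
    return ipaddress.IPv6Address(result)


def discover_nat64_prefix(ipv4only_arpa_aaaa):
    """RFC 7050 heuristic: recover the NAT64 prefix from a DNS64-synthesized AAAA
    answer for ipv4only.arpa by trying each permitted prefix length in turn."""
    addr = ipaddress.IPv6Address(ipv4only_arpa_aaaa)
    for plen in VALID_PREFIX_LENGTHS:
        candidate = ipaddress.IPv6Network(f"{addr}/{plen}", strict=False)
        if any(synthesize_aaaa(a, candidate) == addr for a in WELL_KNOWN_IPV4):
            return candidate
    return None  # answer is not a DNS64 synthesis of ipv4only.arpa


def host_dns64(a_records, dnssec_validated, nat64_prefix):
    """Host-side DNS64: synthesize only from an A RRset the host validated itself,
    so the synthesized AAAA inherits the trust of a signed answer (assumed flag)."""
    if not dnssec_validated:
        raise ValueError("A RRset did not validate; refusing to synthesize AAAA")
    return [synthesize_aaaa(a, nat64_prefix) for a in a_records]
```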
