On Thu, Jul 6, 2023 at 9:40 AM Ted Lemon <[email protected]> wrote:
> Mark, I'm not sure we're communicating.
>
> It sounds like you're saying that NAT64 modifies the payload in transit? I
> don't think that's the case. If it doesn't, then a full service resolver
> will be able to validate the responses it gets. It can then translate them.
> Since it is the consumer of the translated data, by definition the
> translated data can be treated valid, unless it somehow doesn't trust
> itself.
>
I believe Mark is referring to a validating stub (not a full service resolver) behind a NAT64/DNS64.

If such a stub uses the DNS64 as its upstream resolver, it will encounter a variety of potential failures with responses that can't be validated because the DNS64 passed them on without checking (CD=1), and without retrying other available authoritative servers for the zone (in case the response was spoofed, or in case some of the servers gave broken responses while others were working).

(Presumably the validating stub is aware of DNS64 translated responses and the NAT64 prefix via RFC7050 support, and can thus authenticate the original response).

Shumon.
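An added illustration of the last point (example code, not from this thread or any resolver): a stub that knows the NAT64 prefix can recognise which AAAA answers are DNS64 syntheses, recover the embedded IPv4 address, and keep only those that match an A record it validated itself. The prefix 64:ff9b::/96 and the addresses are constructed sample values; real stubs would learn the prefix via RFC 7050.

```python
import ipaddress
from typing import Dict, List, Optional, Set

# Assumption: the stub has discovered this NAT64 prefix (RFC 7050). 64:ff9b::/96 is the
# RFC 6052 well-known prefix, used here purely as a constructed example value.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """What a DNS64 does: embed the IPv4 address in the low 32 bits of a /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 NAT64 prefixes")
    embedded = int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(embedded))


def extract_ipv4(aaaa: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Optional[str]:
    """Stub side: if an AAAA lies inside the NAT64 prefix, recover the embedded IPv4 address."""
    addr = ipaddress.IPv6Address(aaaa)
    if addr not in prefix:
        return None  # a native AAAA, not a DNS64 synthesis
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def sort_dns64_answers(aaaa_answers: List[str], validated_a: Set[str],
                       prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Dict[str, List[str]]:
    """Split a DNS64 AAAA answer set into syntheses the stub can vouch for and the rest.

    validated_a holds the A RDATA the stub accepted after running DNSSEC validation on the
    original A response itself (fetched with DO=1), instead of trusting the DNS64's CD=1
    pass-through. Native AAAA records are returned separately; they carry their own RRSIGs
    and are validated on their own.
    """
    accepted, rejected, native = [], [], []
    for aaaa in aaaa_answers:
        v4 = extract_ipv4(aaaa, prefix)
        if v4 is None:
            native.append(aaaa)
        elif v4 in validated_a:
            accepted.append(aaaa)
        else:
            rejected.append(aaaa)  # synthesis of an address the stub never validated
    return {"accepted": accepted, "rejected": rejected, "native": native}


if __name__ == "__main__":
    # Constructed sample: one genuine synthesis, one synthesis of an address the stub did not
    # validate (a spoofed or broken upstream answer), and one native AAAA.
    validated = {"192.0.2.1"}
    answers = [synthesize_aaaa("192.0.2.1"), "64:ff9b::c633:6402", "2001:db8::1"]
    print(sort_dns64_answers(answers, validated))
```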
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
