Which only “works” with trivial configurations. What happens if 2.0.0/24 is reachable out interface A and interface B is IPv6 only with a PREF64?
--
Mark Andrews

> On 11 Aug 2025, at 18:11, Tobias Fiebig <[email protected]> wrote:
>
> Moin,
> sorry for the high RTT; Had some unexpected events after 123.
>
>> On Tue, 2025-08-05 at 11:50 +1000, Mark Andrews wrote:
>> Repeating so this gets tied to the draft name.
>>
>> ...
>>
>> I am going to be contrary here and say that DNS servers MUST NOT
>> synthesize IPv6 address records from the PREF64 option. This is
>> the wrong level of the stack to perform this translation as the
>> DNS server is not an IP router and to do this properly the DNS
>> server would need to process the kernel's routing table. Just
>> use the IPv4AAS built into the operating system as it reached
>> via the routing table in the kernel.
>
> No, actually it does not need to access the routing table. The process
> is:
>
> - Configure PREF64 (2001:db8:6464::/96) in daemon
> - Daemon gets:
>   example.com IN NS ns01.example.com
>
>   ADDITIONAL
>   ns01.example.com IN A 192.0.2.1
>
> It then calculates 2001:db8:6464::c000:201 from that and just directly
> opens an IPv6 socket to talk to 2001:db8:6464::c000:201. This
> effectively skips one step of translation.
>
> Beyond 'skipping a translation step', hence reducing the need for
> state-keeping in the kernel doing said translation, the advantage is
> that this is a much more straightforward way of configuring things on
> a host that generally does not do XLAT, e.g., a recursive DNS server
> run by a provider, i.e., not a client/stub behind XLAT for anything but
> the service (I mean; what is there? Management and getting packages
> from an ideally local mirror).
>
> This is basically also described here:
> https://www.ietf.org/archive/id/draft-ietf-v6ops-ipv6-only-resolver-00.html
>
> (Expired, hence touched upon in the -bis)
>
> Unbound actually already implements this feature:
>
> https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-nat64
>
> And I am running 2a06:d1c7:: as a (semi public cause rate limited but
> usually works good enough) public resolver using that feature.
>
>> The DNS is an application that deals with IP literals. CLAT is
>> the correct mechanism to deal with this with XLAT as is B4 with
>> DS-Lite.
>
> See above; I would argue, though, that the benefit of 'skip one
> additional translation step and state keeping' still outweighs things
> here.
>
> With best regards,
> Tobias
>
> --
> Dr.-Ing. Tobias Fiebig
> T +31 616 80 98 99
> M [email protected]
> Pronouns: he/him/his
>
> _______________________________________________
> DNSOP mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
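The address calculation described in the quoted message (PREF64 plus an A record yields the IPv6 destination), as an added example that is not part of the original thread and not code from Unbound or the draft. It goes beyond the /96 case in the message and covers every prefix length RFC 6052 allows; the function names `synthesize` and `extract` are hypothetical.

```python
import ipaddress

# Prefix lengths permitted by RFC 6052, section 2.2.
VALID_LENGTHS = (32, 40, 48, 56, 64, 96)

def _check(pref64: str) -> ipaddress.IPv6Network:
    net = ipaddress.IPv6Network(pref64)  # strict: rejects set host bits
    if net.prefixlen not in VALID_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not a valid NAT64 prefix length")
    return net

def synthesize(pref64: str, ipv4: str) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in a NAT64 prefix (hypothetical helper)."""
    net = _check(pref64)
    out = bytearray(net.network_address.packed)
    pos = net.prefixlen // 8
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if pos == 8:          # bits 64-71 (the "u" octet) must stay zero
            pos += 1
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))

def extract(pref64: str, ipv6: str) -> ipaddress.IPv4Address:
    """Recover the embedded IPv4 address; rejects addresses outside the prefix."""
    net = _check(pref64)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    raw, pos, v4 = addr.packed, net.prefixlen // 8, bytearray()
    while len(v4) < 4:
        if pos == 8:          # skip the reserved "u" octet
            pos += 1
        v4.append(raw[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(v4))

if __name__ == "__main__":
    # Values from the quoted message: the PREF64 and the glue A record.
    print(synthesize("2001:db8:6464::/96", "192.0.2.1"))
    # Constructed input: the same A record under a /64 prefix.
    print(synthesize("2001:db8:6464::/64", "192.0.2.1"))
```

The calculation takes only the prefix and the IPv4 address as input; it has no knowledge of which interface or route would carry the resulting packet.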
