> 3) If people deploy DNSSEC together with IPv6,
> DNS64 is not creating any trouble. It doesn't make sense to me that
> DNSSEC is deployed without IPv6, right?

Let me give you random popular site: slack.com.

It does have DNSSEC, it doesn't have IPv6. Can we live in the real
world please?

IPv6 and DNSSEC are independent technologies. We cannot assume that one
implies the other.

> 4) When DNSSEC is deployed
> without IPv6, in most of the cases no problem is created and what
> we probably want to encourage is to do DNS64 self-synthesis in the
> hosts if they are checking DNSSEC. See section 4.1 of RFC8683.

This is a very roundabout way of saying that DNS64 just doesn't work for
hosts that do local DNSSEC validation.

It is limitations like this (and the lack of support for IPv4 literals,
issues with applications using public DNS resolvers (with or without
DoT or DoH)) that mean that DNS64 should have a very reduced scope.

One thing that I don't understand, is how (in the context of DNS64)
applications handle NAT traversal.

As far as I know, for NAT traversal you have to know if an address is IPv4
or IPv6. But DNS64 hides that difference. Is there an RFC where this is
spelled out?

_______________________________________________
DNSOP mailing list -- [email protected]
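
The host-side self-synthesis discussed in this message, as an added example that is not part of the original thread: a validating host learns the NAT64 prefix from the resolver's AAAA answer for `ipv4only.arpa` (RFC 7050), validates the real A record itself, and builds the IPv6 address locally with the RFC 6052 layout. The reverse mapping shows how an application can tell that an address is really IPv4 behind the translator. Function names are hypothetical, the sample answer is constructed, and prefix discovery is simplified to a first-match search.

```python
import ipaddress

RFC6052_LENGTHS = (32, 40, 48, 56, 64, 96)
# RFC 7050: well-known IPv4 addresses published for ipv4only.arpa
WKA = {ipaddress.IPv4Address("192.0.0.170"), ipaddress.IPv4Address("192.0.0.171")}

def _slots(plen):
    """Byte offsets that carry the IPv4 address; octet 8 (the 'u' octet) is skipped."""
    if plen not in RFC6052_LENGTHS:
        raise ValueError(f"/{plen} is not an RFC 6052 prefix length")
    return [i for i in range(plen // 8, 16) if i != 8][:4]

def synthesize(prefix, v4):
    """Embed an IPv4 address (from a locally DNSSEC-validated A record) in the prefix."""
    net = ipaddress.IPv6Network(prefix)
    out = bytearray(net.network_address.packed)
    for pos, octet in zip(_slots(net.prefixlen), ipaddress.IPv4Address(v4).packed):
        out[pos] = octet
    return ipaddress.IPv6Address(bytes(out))

def extract(prefix, v6):
    """Return the embedded IPv4 address, or None when v6 is outside the NAT64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(v6)
    if addr not in net:
        return None  # native IPv6, no translator in the path
    return ipaddress.IPv4Address(bytes(addr.packed[p] for p in _slots(net.prefixlen)))

def discover_prefix(ipv4only_aaaa):
    """Find the NAT64 prefix from a synthesized AAAA answer for ipv4only.arpa."""
    addr = ipaddress.IPv6Address(ipv4only_aaaa)
    for plen in RFC6052_LENGTHS:
        embedded = ipaddress.IPv4Address(bytes(addr.packed[p] for p in _slots(plen)))
        if embedded in WKA:
            # strict=False masks the host bits, leaving only the prefix
            return ipaddress.IPv6Network((int(addr), plen), strict=False)
    return None  # answer was not synthesized: no DNS64 on this network

if __name__ == "__main__":
    # Constructed resolver answer for "ipv4only.arpa AAAA" on a network using 64:ff9b::/96
    prefix = str(discover_prefix("64:ff9b::c000:aa"))
    print(prefix)                                   # NAT64 prefix in use
    print(synthesize(prefix, "192.0.2.33"))         # address the host connects to
    print(extract(prefix, "64:ff9b::c000:221"))     # IPv4 endpoint behind the NAT64
    print(extract(prefix, "2001:db8::1"))           # None: native IPv6 peer
```

The synthesized AAAA is never validated here; only the original A record carries a signature, which is why the synthesis has to happen on the validating host.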