Hi Philip,

In-line below.

Regards,
Jordi
@jordipalet

> On 10 Apr 2026, at 9:56, Philip Homburg <[email protected]> wrote:
>
>> 3) If people deploy DNSSEC together with IPv6,
>> DNS64 is not creating any trouble. It doesn't make sense to me that
>> DNSSEC is deployed without IPv6, right?
>
> Let me give you a random popular site: slack.com.
>
> It does have DNSSEC, it doesn't have IPv6. Can we live in the real
> world please?
>
> IPv6 and DNSSEC are independent technologies. We cannot assume that one
> implies the other.

And do you have real experience of deployments breaking it? I would love to see those cases. I just tested in a couple of deployments that I’ve access to. It worked.

I think the point is to understand that DNSSEC with DNS64 is broken only in a very very very small % of situations, which can also be resolved.

>> 4) When DNSSEC is deployed
>> without IPv6, in most of the cases no problems are created and what
>> we probably want to encourage is to do DNS64 self-synthesis in the
>> hosts if they are checking DNSSEC. See section 4.1 of RFC8683.
>
> This is a very roundabout way of saying that DNS64 just doesn't work for
> hosts that do local DNSSEC validation.
>
> It is limitations like this (and the lack of support for IPv4 literals,
> issues with applications using public DNS resolvers (with or without
> DoT or DoH)) that mean that DNS64 should have a very reduced scope.

No, that is not the case. You just need to make sure how you do a correct deployment of the DNS64 servers. Any protocol may fail if incorrectly deployed. The failure rate is different from protocol to protocol when wrongly deployed.

> One thing that I don't understand, is how (in the context of DNS64)
> applications handle NAT traversal.
>
> As far as I know, for NAT traversal you have to know if an address is IPv4
> or IPv6. But DNS64 hides that difference. Is there an RFC where this is
> spelled out?

I see Michael already provided a good response to this point.
Basically this is a NAT64 issue, and once more, in real deployments I’ve not seen this being a problem. Happy to hear otherwise.

_______________________________________________
DNSOP mailing list -- [email protected]
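
Added example, not part of the original message: a sketch of the host-side AAAA self-synthesis mentioned in the reply, using the RFC 6052 address format, plus the reverse mapping that recovers the IPv4 address a synthesized AAAA hides. It assumes the host has already DNSSEC-validated the A/AAAA answers and knows the NAT64 prefix; all function names are illustrative.

```python
import ipaddress

# RFC 6052 allows only these NAT64 prefix lengths.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
WELL_KNOWN_PREFIX = "64:ff9b::/96"  # RFC 6052 Well-Known Prefix


def _check(prefix):
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not a valid RFC 6052 prefix length")
    return net


def synthesize(prefix, ipv4):
    """Embed an IPv4 address in a NAT64 prefix (RFC 6052, section 2.2)."""
    net = _check(prefix)
    out = bytearray(net.network_address.packed)
    pos = net.prefixlen // 8
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if pos == 8:  # bits 64-71 (octet "u") are reserved and stay zero
            pos += 1
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


def extract_ipv4(prefix, ipv6):
    """Return the embedded IPv4 address, or None if ipv6 is outside the prefix."""
    net = _check(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    raw = addr.packed
    pos, octets = net.prefixlen // 8, bytearray()
    while len(octets) < 4:
        if pos == 8:  # skip the reserved octet when reading back
            pos += 1
        octets.append(raw[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(octets))


def self_synthesize(prefix, validated_aaaa, validated_a):
    """Host-side choice: native AAAA if any, else AAAA built from validated A.

    Assumption: both lists hold answers the host has already DNSSEC-validated,
    so the signed data is the A record and the synthesis happens locally.
    """
    if validated_aaaa:
        return [ipaddress.IPv6Address(a) for a in validated_aaaa]
    return [synthesize(prefix, a) for a in validated_a]
```

The sample addresses in the checks below are documentation-range values (192.0.2.0/24, 2001:db8::/32) chosen for illustration.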
