Have you actually played with dns64 settings?

    dns64 {
        break-dnssec ;
        clients { ; ... };
        exclude { ; ... };
        mapped { ; ... };
        recursive-only ;
        suffix ;
    }; // may occur multiple times

> On 19 Feb 2021, at 06:39, Nico Schottelius
> wrote:
>
>
> Good morning everyone,
>
> we have a peculiar request to solve and were wondering whether it is at
> all possible with bind:
>
> a)
> For a certain source range, let's say 2001:db8::/96, we want to *only*
> reply with generated DNS64 entries - i.e. we want bind to only reply
> with mapped IPv4 addresses, NOT with proper entries, if they exist.
dns64 { clients { acl; }; exclude { ::/0; }; };
> b)
> For a different source range, let's say 2001:db:1::/64, we want to reply
> only with *proper* IPv6 entries, i.e. disable DNS64 for them.
dns64 { clients { !prefix; any; }; };
>
> c) (optional)
>
> In the best case, we would even like to remove A replies from the
> results, in case a misconfigured client requests A records.
Then you break the ability of those clients to do their own DNS64 mappings
which is required when they are doing DNSSEC themselves.
> Background for this is that we have clients in specific networks, which
> are mapped via SIIT to IPv4 addresses. These clients should never
> connect to an IPv6 address (besides they actually do...) after
> translation. And the clients in the other network should behave the
> opposite, they should *only* connect to IPv6 hosts.
>
> However, both client networks are IPv6 only, as there is no IPv4 link
> into these networks, so we are dealing with NAT64/SIIT. And
> unfortunately we don't have a lot of control over the client behaviour,
> whether they will ask for A/ entries, so we will need to steer them
> on the DNS side.
>
> Looking forward to your replies.
>
> Best regards,
>
> Nico
>
> --
> Sustainable, Modern Infrastructures by ungleich.ch
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
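
The effect of the two dns64 snippets in the reply above can be modelled offline. This is an added sketch, not code from the thread or from BIND: it follows the RFC 6147 exclusion rule and RFC 6052 /96 embedding, and the 64:ff9b::/96 prefix, the function names and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Assumed values for this sketch (not from the thread): the RFC 6052
# well-known prefix, and the question's 2001:db8::/96 range as the client ACL.
PREFIX = ipaddress.ip_network("64:ff9b::/96")
CLIENTS = [ipaddress.ip_network("2001:db8::/96")]
EXCLUDE_ALL = [ipaddress.ip_network("::/0")]               # reply to (a)
EXCLUDE_DEFAULT = [ipaddress.ip_network("::ffff:0:0/96")]  # BIND's documented default


def synthesize(a_record, prefix=PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 prefix (RFC 6052)."""
    if prefix.prefixlen != 96:
        raise ValueError("this sketch handles /96 prefixes only")
    v4 = int(ipaddress.IPv4Address(a_record))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def answer_aaaa(client, aaaa, a, clients=CLIENTS, exclude=EXCLUDE_ALL):
    """Model the AAAA answer a DNS64 resolver gives one client.

    aaaa and a are the real records of the queried name (lists of strings).
    """
    src = ipaddress.ip_address(client)
    if not any(src in net for net in clients):
        return list(aaaa)      # case (b): not a dns64 client, real data only
    kept = [r for r in aaaa
            if not any(ipaddress.ip_address(r) in net for net in exclude)]
    if kept:
        return kept            # a non-excluded AAAA exists: no synthesis
    # Every AAAA was excluded (or none exist): map the A records instead.
    return [synthesize(r) for r in a]


if __name__ == "__main__":
    real_aaaa, real_a = ["2001:db8:ffff::1"], ["192.0.2.1"]  # constructed records
    for src in ("2001:db8::10", "2001:db:1::5"):
        print(src, "->", answer_aaaa(src, real_aaaa, real_a))
```

With exclude set to ::/0 every real AAAA is discarded for the listed clients, so they only ever see mapped addresses; with the default exclude list the same client would receive the real AAAA record.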