Hello,

On 18.11.2014 10:07, W.C.A. Wijngaards wrote:
> - DNS64 from Viagenie (BSD Licensed), written by Simon Perrault.
> Initial commit of the patch from the FreeBSD base (with its fixes).
> This adds a module (for module-config in unbound.conf) dns64 that
> performs DNS64 processing, see README.DNS64.

Thank you, this is a long-anticipated feature. However, I'd like to point out that the implementation is NOT compliant with RFC 6147 when it comes to a query with CD and DO flags:

$ dig ipv4only.arpa aaaa @::1 +dnssec +cdflag +noadflag

; <<>> DiG 9.9.5 <<>> ipv4only.arpa aaaa @::1 +dnssec +cdflag +noadflag
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37682
;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ipv4only.arpa. IN AAAA

;; ANSWER SECTION:
** notice that synthesised records are present **
ipv4only.arpa. 86306 IN AAAA 64:ff9b::c000:aa
ipv4only.arpa. 86306 IN AAAA 64:ff9b::c000:ab

;; AUTHORITY SECTION:
** notice that NSEC records are not present **
ipv4only.arpa. 86306 IN NS a.iana-servers.net.
ipv4only.arpa. 86306 IN NS b.iana-servers.net.
ipv4only.arpa. 86306 IN NS ns.icann.org.
ipv4only.arpa. 86306 IN NS c.iana-servers.net.
ipv4only.arpa. 86306 IN RRSIG NS 8 2 86400 20141125110729 20141118093346 54055 ipv4only.arpa. eAkkdnmWNJVRBGr62xlhwPYr3O8eTHoB+fwLJHy5PiAAAJj2Av/hJeb5 UjHMakk7nUriLZ0FNlZoP/XWDJbV0SNdjow3AXWrPsO42fVsMGT35Ira Qx+FI3G7mrDBPKgL7jIAZ33DOcqFej9VDAagyvmXi8dknyT0qWkJ/ta2 aKE=

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Út lis 18 13:35:41 CET 2014
;; MSG SIZE rcvd: 361

That means the DNS64 module will break any attempt to do further DNSSEC validation behind a DNS64 resolver, making endpoint DNSSEC validation virtually impossible. I think this should be fixed before this module gets any wider adoption.

Cheers,
Ondřej Caletka
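The check described in the message above can be automated. The following is an added example, not part of the original post or of Unbound: it parses dig output and lists AAAA answers that fall inside the DNS64 prefix although the reply shows both CD and DO set, the case where RFC 6147 section 5.5 says a DNS64 resolver must not synthesize. It assumes the well-known prefix 64:ff9b::/96 from RFC 6052 (pass another prefix for a site-specific one); the function names and the sample text are constructed for illustration.

```python
import ipaddress
import re

WKP = ipaddress.ip_network("64:ff9b::/96")  # RFC 6052 well-known prefix (assumed)

# Constructed sample, abridged to the shape of the dig output quoted in the message.
SAMPLE = """\
;; flags: qr rd ra ad cd; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ipv4only.arpa. IN AAAA
;; ANSWER SECTION:
ipv4only.arpa. 86306 IN AAAA 64:ff9b::c000:aa
ipv4only.arpa. 86306 IN AAAA 64:ff9b::c000:ab
;; AUTHORITY SECTION:
ipv4only.arpa. 86306 IN NS a.iana-servers.net.
"""

def parse_dig(text):
    """Return (header flags, EDNS flags, answer-section records) from dig text."""
    hdr, edns, answers, section = set(), set(), [], None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r";; flags:([^;]*);", line):
            hdr = set(m.group(1).split())
        elif m := re.match(r"; EDNS:.*flags:([^;]*);", line):
            edns = set(m.group(1).split())
        elif m := re.match(r";; (\w+) SECTION:", line):
            section = m.group(1)
        elif section == "ANSWER" and line and not line.startswith(";"):
            f = line.split()
            if len(f) >= 5:  # name, TTL, class, type, rdata
                answers.append((f[0], f[3], f[4]))
    return hdr, edns, answers

def synthesized_under_cd_do(text, prefix=WKP):
    """List AAAA answers inside the DNS64 prefix when the reply shows CD and DO."""
    hdr, edns, answers = parse_dig(text)
    if "cd" not in hdr or "do" not in edns:
        return []  # synthesis is permitted for the other flag combinations
    return [rdata for _, rtype, rdata in answers
            if rtype == "AAAA" and ipaddress.ip_address(rdata) in prefix]

if __name__ == "__main__":
    for addr in synthesized_under_cd_do(SAMPLE):
        print("synthesized AAAA returned to a CD+DO query:", addr)
```

An empty result for a CD+DO query means the resolver passed the upstream data through unchanged, which leaves validation and synthesis to the client.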
