Phillip Hallam-Baker <phill(_at_)hallambaker(_dot_)com> wrote:
> The point of DNS64 is to provide a mechanism that makes it easy to turn on
> IPv6 today. All the client needs is a connection to a DNS router that
> supports DNS64.

You worded that wrong.
DNS64 lets people turn off IPv4 (and/or avoid NAT4*4).

> Because of network circumstances a client using DNS64 is almost certainly
> going to need to use DPRIV for access simply because port 53 has been
> sabotaged so thoroughly. So we are going to have to trust the DPRIV
> resolver to level 1 at minimum

That's an interesting observation: can you elaborate on the sabotage?
I think I know, but I'd rather you were more clear about this.

I've wanted DNS64 to happen in the host, and given that a number of hosts had
to be fixed to function in IPv6 only environments, a change to include DNS64
would not be crazy in my opinion, and eliminates much of the end-to-end
DNSSEC-breakage that DNS64 can imply.

(or to put it another way: when you turn on end-host DNSSEC validation,
and enable DPRIV, you had better provide DNS64 at the same time)
--
Michael Richardson <mcr+IETF(_at_)sandelman(_dot_)ca>, Sandelman Software Works
-= IPv6 IoT consulting =-