
Re: DNS64, DANE and DPRIV

2014-12-07 19:15:15
On Sun, Dec 07, 2014 at 06:04:17PM -0500, Michael Richardson wrote:
> I've wanted DNS64 to happen in the host, and given that a number of hosts had
> to be fixed to function in IPv6 only environments, a change to include DNS64
> would not be crazy in my opinion, and eliminates much of the end-to-end
> DNSSEC-breakage that DNS64 can imply.
>
> (or to put it another way: when you turn on end-host DNSSEC validation,
> and enable DPRIV, you had better provide DNS64 at the same time)

For whatever it's worth, my view when we were working on DNS64 was
that DNSSEC wasn't really deployed for edge validation yet, so if one
had to make a change in something to accommodate DNS64 it would be ok
if it was part of the way validation at the edge happened.  I think
that is still true, and I think therefore that DNS64 at edge hosts is
not a terrible idea.  Moreover, if the edge device knows about the
NAT64, it's in a position to do less stupid stuff itself.

Best regards,

A

-- 
Andrew Sullivan
ajs(_at_)anvilwalrusden(_dot_)com
