filter-a and dns64 in a ipv6-only network
Thomas Schäfer
tschaefer at t-online.de
Wed Feb 1 12:33:56 UTC 2023
Thank you for your answers.
Of course dns64 breaks dnssec, like any other manipulation of dns
resource records.
But it doesn't mean that filtering A records breaks dns64, it still only
breaks dnssec.
So filtering A records and dnssec are mutually exclusive.
I know almost all popular dual stack methods, e.g.:
- pure dual stack (at work since 2005)
- ds-lite (very common in Germany for private users, personally since 2018)
- 464xlat - used here at mobile by DTAG and WiFi at work
After two decades of dual stack my approach is to see an end of the
migration. That means single stack IPv6.
One element of it is DNS64 with NAT64.
Another element may be filtering A records, so clat can be removed.
(clat was originally invented for very very old ip stacks/apps - 10 years
ago)
Other people have recently introduced a third way between dual stack and
ipv6 only called "ipv6 mostly" (RFC 8925).
That is two steps forward and one backward.
Nevertheless the goal is: IPv6 single stack.
I have learned bind/isc is not willing to support such (test) scenarios.
Thanks for the conversation.
Thomas