filter-a and dns64 in a ipv6-only network

Mark Andrews marka at isc.org
Tue Jan 31 22:01:45 UTC 2023



> On 1 Feb 2023, at 05:52, Thomas Schäfer <tschaefer at t-online.de> wrote:
> 
> On Monday, 30 January 2023, 23:12:53 CET, Mark Andrews wrote:
>> Do you want a correctly operating DNS64 server or do you want to filter
>> all A records?  They are mutually exclusive requirements.  Please read
>> RFC 6147 to understand why they are mutually exclusive.
> 
> That's simply not true. RFC 6147 is about synthesizing AAAA records based on A 
> records. It says nothing about blocking A records afterwards.

Then pray tell how does section 5.5. "DNSSEC Processing: DNS64 in Validating
Resolver Mode" work if the server does not return A records?  As I said DNS64
and filtering A records are mutually exclusive.  There is downstream stuff
that needs to see the records to make their own AAAA records.  B.T.W. That
section is not really compatible with DNSSEC.  It works in some circumstances
but will fail in others as a validating DNSSEC client needs to ask both CD=0
and CD=1 questions. I tried hard to point out that DNS64 was incompatible with
DNSSEC while it was still in draft form.

>> You seem to have this strange notion that to run an IPv6-only node or
>> network that you need to filter out A records. 
> 
> It isn't more strange than filtering AAAA records in old IPv4 only networks. 
> That filter is ironically implemented by the ISC - despite there being no serious 
> RFC for that. 
> The purpose of the A record filter is to correct the behavior of apps which 
> don't respect IPv6 RFCs regarding the preference of IPv6 over IPv4.


>> Could you tell me who or
>> what told you this was required?
> 
> Thank you for the personal attack within the first contact.

Firstly I wanted to correct the source of the misinformation.  I’m sorry if you
perceived it as an attack.

>  I am old (enough) 
> -  I can speak for myself. 
> I am an experienced user of different IPv6 only networks. 
> e.g
> daily at eduroam-IPv6only,  a big Wifi network administrated by the Leibniz 
> Supercomputing Centre in Munich, 
> daily at the IPv6-only mobile network(4g/5g) by Deutsche Telekom, 
> once a year at the RIPE conference WiFi
> I am the admin of my home/test lab with: tayga, jool, unbound (filters a, does 
> dns64) , dnsmasq (can filter a, but can't do dns64 )

Just because something does something doesn’t make it a good thing.

> I know that clat is a solution for *some* very old apps, usually on 
> smartphones and recently also on macs.
> Nevertheless Windows doesn't use clat in wireless/wired LANs.
> I want to get rid of clat - aka 464xlat. ( clat was not invented for eternity)
> Even linux has no default clat installation on many distributions. 

On Windows you can manually configure an IPv4 in IPv6 tunnel and use it to
talk to a DS-Lite AFTR element (RFC 6333) if it doesn’t do it automatically.
I don’t use Windows normally so I don’t know whether it has support to look
for the IPv6 DHCPv6 option to automatically configure the tunnel.  You can
do the same with a Mac and Linux boxes.

> My experience until now: the a record filter doesn't break anything, but it 
> makes some apps work without clat - so at least some windows and linux 
> apps.

Well now you have learnt that it does break DNS64.

> Now I am testing the usefulness of bind. In the recent state it isn't useful.
> 
> Regards 
> Thomas Schäfer

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
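
The point about downstream validators needing the A records, as an added example that is not part of the original message: a small Python model of a validating client doing its own DNS64 (RFC 6147 section 5.5) behind a DNS64 server with and without A filtering. The zone data is constructed, the NAT64 prefix is assumed to be the RFC 6052 well-known prefix, DNSSEC validation is reduced to a signed/unsigned flag, and the function names are hypothetical.

```python
import ipaddress

# Assumption: the NAT64 prefix is the RFC 6052 well-known prefix 64:ff9b::/96.
PREFIX = int(ipaddress.IPv6Address("64:ff9b::"))

# Constructed, signed zone data: one IPv4-only name and one dual-stack name.
ZONE = {
    ("v4only.example.", "A"): ["192.0.2.10"],
    ("dual.example.", "A"): ["192.0.2.20"],
    ("dual.example.", "AAAA"): ["2001:db8::20"],
}

def synthesize(a_addr):
    """Embed an IPv4 address in the /96 prefix (RFC 6052 section 2.2)."""
    return str(ipaddress.IPv6Address(PREFIX | int(ipaddress.IPv4Address(a_addr))))

def upstream(name, rtype, filter_a=False):
    """Hypothetical DNS64 server. Returns (address, signed) pairs.

    Synthesized AAAA records carry no RRSIG, so they are marked unsigned.
    With filter_a=True every A answer is removed, as an A filter would do.
    """
    if rtype == "A":
        return [] if filter_a else [(a, True) for a in ZONE.get((name, "A"), [])]
    real = ZONE.get((name, "AAAA"), [])
    if real:
        return [(a, True) for a in real]
    return [(synthesize(a), False) for a in ZONE.get((name, "A"), [])]

def validating_dns64_client(name, filter_a):
    """Downstream validator doing its own DNS64 (RFC 6147 section 5.5).

    It trusts only signed data: a signed AAAA is used as is, otherwise it
    fetches the signed A RRset and synthesizes the AAAA locally.
    """
    aaaa = [a for a, signed in upstream(name, "AAAA", filter_a) if signed]
    if aaaa:
        return aaaa
    a_set = [a for a, signed in upstream(name, "A", filter_a) if signed]
    return [synthesize(a) for a in a_set]

if __name__ == "__main__":
    for name in ("v4only.example.", "dual.example."):
        for filt in (False, True):
            print(name, "filter-a" if filt else "no filter",
                  validating_dns64_client(name, filt))
```

With the filter on, the IPv4-only name yields no usable address for the validating client, while the dual-stack name is unaffected.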


