DNS 64 and the new domain ipv4only.arpa

Mark Andrews marka at isc.org
Mon Oct 21 13:47:38 UTC 2013


In message <20131021123504.GA20699 at nic.fr>, Stephane Bortzmeyer writes:
> I try to understand DNS64 and there is a problem I don't get. I have
> BIND configured with:
> 
>         dns64 2001:db8:1:64::/96 { // Network-Specific Prefix
>               clients { me; };
>         };
> 
> and it works, synthesis happens when the domain name has no AAAA records:
> 
> %  dig +cd @localhost -p 9053 AAAA twitter.com   
> ...
> ;; ANSWER SECTION:
> twitter.com.		30 IN AAAA 2001:db8:1:64::c710:9c66
> twitter.com.		30 IN AAAA 2001:db8:1:64::c710:9cc6
> twitter.com.		30 IN AAAA 2001:db8:1:64::c710:9c06
> 
> I try it now on the new ipv4only.arpa, which has only A and not AAAA
> and nothing happens:
> 
> % dig +cd @localhost -p 9053 AAAA ipv4only.arpa
> 
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +cd @localhost -p 9053 AAAA ipv4only.arpa
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62138
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;ipv4only.arpa.		IN AAAA
> 
> ;; AUTHORITY SECTION:
> ipv4only.arpa.		3038 IN	SOA sns.dns.icann.org. noc.dns.icann.org. (
> 				2013053904 ; serial
> 				7200       ; refresh (2 hours)
> 				3600       ; retry (1 hour)
> 				604800     ; expire (1 week)
> 				3600       ; minimum (1 hour)
> 				)
> ipv4only.arpa.		3038 IN	RRSIG SOA 8 2 3600 20131028181436 (
> 				20131021083223 33820 ipv4only.arpa.
> 				GEbCQfPa1q8e0qaQTT5S1yrmfRp3Vx+lueUB+i846fCl
> 				/5J3mbew8PI2LMd7stndYwPARIDWjapyzyFk5de6/Yx9
> 				Nyxn0AOVr9wRnRPy14FCH0P05EQFYzklOkC5Fjzn/B+B
> 				z4ngG4hM3RfAkckhj0zZ5zMhiYbxucOK/U8T398= )
> ipv4only.arpa.		3038 IN	RRSIG NSEC 8 2 3600 20131028191728 (
> 				20131021083223 33820 ipv4only.arpa.
> 				Id6eQDjnvBhqoZSOBsNKywa0yAEiaGmyakGFLG3Mc2/h
> 				lmjAPylP9fDdBORpdgnbV0AMt5JzzzIblDTsfs9sbKby
> 				cCRHkE+Vhchu/NnChM+xslJ15daNNLgYUQHd5xwvdzgP
> 				OdpknW9kyfpjR4Cj3dixxfFhrsFFNvZo2FOyTW0= )
> ipv4only.arpa.		3038 IN	NSEC ipv4only.arpa. A NS SOA TXT RRSIG NSEC DNSKEY
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#9053(127.0.0.1)
> ;; WHEN: Mon Oct 21 14:33:52 2013
> ;; MSG SIZE  rcvd: 481
> 
> What did I miss?

They signed it and you have do=1 set in the query.  Named won't lie
to you if you can verify the answer unless you override the defaults.
DNS64 and DNSSEC are incompatible with each other.  To have it work
with a signed zone and do=1 you need to tell named to break dnssec.

	dns64 2001:db8:1:64::/96 {	// the dns64 statement needs the prefix; this is the one from your config
		clients { me; };
		break-dnssec yes;
	};

Mark
 
> BIND 9.9.4
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org