On Dec 4, 2014, at 10:02 PM, George Michaelson <ggm@xxxxxxxxxxxx> wrote: > Hang on.. the deployment of DNSSEC backed applications is a bit iffy if we depend on deployment of DNS based tricks to cover for V4/V6 interoperation surely? DNS64 can be done by the client, in which case DNSSEC validation can be performed _before_ translating the IPv4 address from the A record into an IPv6 address in the NAT64 prefix.