On Sun, Dec 07, 2014 at 06:04:17PM -0500, Michael Richardson wrote:
> I've wanted DNS64 to happen in the host, and given that a number of hosts had
> to be fixed to function in IPv6 only environments, a change to include DNS64
> would not be crazy in my opinion, and eliminates much of the end-to-end
> DNSSEC-breakage that DNS64 can imply.
>
> (or to put it another way: when you turn on end-host DNSSEC validation,
> and enable DPRIV, you had better provide DNS64 at the same time)

For whatever it's worth, my view when we were working on DNS64 was
that DNSSEC wasn't really deployed for edge validation yet, so if one
had to make a change in something to accommodate DNS64 it would be ok
if it was part of the way validation at the edge happened.

I think that is still true, and I think therefore that DNS64 at edge
hosts is not a terrible idea. Moreover, if the edge device knows about
the NAT64, it's in a position to do less stupid stuff itself.

Best regards,

A

-- 
Andrew Sullivan
ajs@xxxxxxxxxxxxxxxxxx