On 7/29/2017 10:36 PM, Mikael Abrahamsson wrote:
> There is nothing inherently broken with NAT64+DNS64+CLAT (or something
> like iOS has with bump-in-the-API).

DNS64 assumes that the host uses the network-provided DNS server, and that it is OK to forge DNS replies. The first assumption is falsified when the host uses another DNS server, such as one provided by a VPN or by DPRIVE. The second assumption is falsified when the host requires DNSSEC.

There are of course workarounds, which rely on some smarts in the host. And the whole point is to ensure that such workarounds are deployed.

-- Christian Huitema
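The two assumptions named in the reply above, modelled as an added example (not code from the thread or from any NAT64/DNS64 implementation): a DNS64 resolver that synthesizes an AAAA record from A records using the RFC 6052 /96 embedding under the well-known prefix 64:ff9b::/96, a plain resolver standing in for a VPN or DPRIVE resolver that does no synthesis, and a host that may validate DNSSEC and may perform the synthesis itself once it knows the NAT64 prefix. The zone data, the `signed` flag (a stand-in for "an RRSIG covering this RRset was returned"), and the assumption that the host already knows the prefix are all constructed for the example; how the host discovers the prefix is not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Well-known NAT64 prefix (RFC 6052 section 2.1); operators may use their own /96.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052)."""
    if prefix.prefixlen != 96:
        raise ValueError("this example handles /96 NAT64 prefixes only")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def extract_ipv4(ipv6, prefix=WELL_KNOWN_PREFIX):
    """Reverse mapping, as a CLAT or NAT64 gateway does it; None if not NAT64-mapped."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


@dataclass
class RRset:
    rtype: str
    rdata: list
    signed: bool  # constructed stand-in for "a valid RRSIG covers this RRset"


# Constructed zone data: one IPv4-only host and one dual-stack host, both signed.
ZONE = {
    "v4only.example": {"A": RRset("A", ["192.0.2.1"], True)},
    "dual.example": {
        "A": RRset("A", ["198.51.100.7"], True),
        "AAAA": RRset("AAAA", ["2001:db8::7"], True),
    },
}


def plain_resolver(name, rtype):
    """A VPN- or DPRIVE-provided resolver: returns signed zone data, never synthesizes."""
    return ZONE.get(name, {}).get(rtype)


def dns64_resolver(name, rtype, prefix=WELL_KNOWN_PREFIX):
    """DNS64 (RFC 6147): when no AAAA exists, forge one from the A records."""
    rr = plain_resolver(name, rtype)
    if rtype != "AAAA" or rr is not None:
        return rr
    a = plain_resolver(name, "A")
    if a is None:
        return None
    # The synthesized RRset cannot carry a valid RRSIG: the resolver has no zone key.
    return RRset("AAAA", [synthesize_aaaa(ip, prefix) for ip in a.rdata], signed=False)


def host_lookup(name, resolver, validate_dnssec=False, known_prefix=None):
    """Host behaviour: query the chosen resolver, optionally validate DNSSEC, and
    optionally synthesize locally (the 'smarts in the host') when a prefix is known.
    Returns the list of IPv6 addresses the host would actually connect to."""
    rr = resolver(name, "AAAA")
    if rr is not None and validate_dnssec and not rr.signed:
        rr = None  # bogus: a validating host discards the forged, unsigned RRset
    if rr is None and known_prefix is not None:
        a = resolver(name, "A")
        if a is not None and (not validate_dnssec or a.signed):
            # Derived locally from (validated) A data, so the host trusts the result.
            rr = RRset("AAAA", [synthesize_aaaa(ip, known_prefix) for ip in a.rdata],
                       signed=a.signed)
    return rr.rdata if rr is not None else []


if __name__ == "__main__":
    # DNS64 works when the host uses the network resolver and does not validate.
    print(host_lookup("v4only.example", dns64_resolver))
    # A VPN/DPRIVE resolver: no AAAA, so an IPv6-only host without a CLAT is stuck.
    print(host_lookup("v4only.example", plain_resolver))
    # A validating host rejects the forged AAAA from DNS64.
    print(host_lookup("v4only.example", dns64_resolver, validate_dnssec=True))
    # With a known prefix the host synthesizes itself, whichever resolver it uses.
    print(host_lookup("v4only.example", plain_resolver, known_prefix=WELL_KNOWN_PREFIX))
```

The last case is the workaround the reply refers to: once synthesis moves into the host, neither the choice of resolver nor DNSSEC validation breaks reachability of IPv4-only destinations, at the cost of the host having to learn the NAT64 prefix by some means the example leaves out.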