> On 1 Aug 2017, at 16:08, Ted Lemon <mellon@xxxxxxxxx> wrote: > > On Aug 1, 2017, at 10:58 AM, Mark Andrews <marka@xxxxxxx> wrote: >> Requires EVERY DNSSEC validator on the planet to learn about DNS64. > > Just to be clear, every DNSSEC validator on the planet also had to learn about DNSSEC, so it's probably worth explaining why this is a problem: the problem is not that we'd have to update every DNSSEC validator, but rather that this makes DNSSEC validators more complicated, and that potentially comes with problems, and that code will just be extra most of the time, perhaps. > > Although in practice I suspect that as time goes on and more providers adopt IPv6, there will come a time when NAT64 will be very much the most economical solution to dealing with the long tail of small IPv4 service providers. And I think if you impose functional separation between validation and translation, you don't create a serious risk. > > But I think the point you make is valid, and I don't claim to be authoritative on the topic of how risky this is. Apologies if it was already mentioned, but this was a good read: https://blog.apnic.net/2016/06/09/lets-talk-ipv6-dns64-dnssec/ Tim