In message <30708801-142F-47C5-A154-15E9D3C5068D@xxxxxxxxx>, Ted Lemon writes: > > On Aug 1, 2017, at 1:57 PM, Ted Lemon <mellon@xxxxxxxxx> wrote: > > What she doesn't mention is that there is a way to detect DNS64, so in > principle a validating stub resolver can do DNS64 itself _post > validation_. > > Oops, actually she did mention that in the last paragraphâ??sorry! You have to detect it and work around it. NAT64 start out with the claim "You don't have to touch the node". Now you have complicated CLAT and DNSSEC changes required in every node in the internet to support NAT64 with more breakage than simple tunneling and a NAT44 protocol translation in DS-Lite. What's the next workaround that will have to be deployed because NAT64 is being used instead of NAT44 at the end of the tunnel? CLAT and DNSSEC changes are required on every node as they will end up on IPv6-only networks. DS-Lite also requires changes on every node on IPv6-only networks but they are much less intrusive. We have created Frankenstein's monster here with NAT64. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@xxxxxxx