Re: Incremental Deployment of CLAT on the router for IETF Meetings


 



And I can confirm that yesterday I did some testing about this, with the same VMs that I’ve used in the IETF98, and as expected, it worked.

So yes for NAT64 you need DNS64, but if you have a CLAT in the CPE or in the hosts, even if you don’t use DNS64, everything works fine, so DNSSEC is not broken.

The extra overhead of not doing DNS64 is that all the IPv4 traffic is translated twice (at the CLAT – stateless NAT46 and at the stateful NAT64) vs translating only the IPv4 traffic that uses literals (when you use DNS64).

With NAT64 + DNS64 and 464XLAT (CLAT)
1) IPv6 app <-> IPv6 server (no translation)
2) IPv4/IPv6 app (DNS64) <-> IPv4 server (NAT64 translation) ----> breaks DNSSEC
3) IPv4 app (NAT46 - CLAT) <-> IPv4 server (NAT64 translation)

Without the DNS64
1) IPv6 app <-> IPv6 server (no translation)
2) IPv4/IPv6 app (NAT46 - CLAT) <-> IPv4 server (NAT64 translation)
3) IPv4 app (NAT46 - CLAT) <-> IPv4 server (NAT64 translation)

Already working on a new ID with operational recommendations about this, which can be used in the IETF network as well.

Regards,
Jordi
 

-----Original Message-----
From: ietf <ietf-bounces@xxxxxxxx> on behalf of <mohamed.boucadair@xxxxxxxxxx>
Reply-To: <mohamed.boucadair@xxxxxxxxxx>
Date: Thursday, 3 August 2017, 7:45
To: Christian Huitema <huitema@xxxxxxxxxxx>, "ietf@xxxxxxxx" <ietf@xxxxxxxx>
Subject: RE: Incremental Deployment of CLAT on the router for IETF Meetings

    Christian, 
    
    I will focus on this part of your message:
    
    "So, if we could demonstrate that DNS64 is not
    needed for transition, that would be great."
    
    Actually, we don't need to demonstrate that given that the NAT64 specification does not make any assumption about how IPv4-converted IPv6 addresses are formed. We hoped this was clarified in RFC6889. 
    
    But if you need a concrete example, there are deployments in which DNS64 is not used to synthesize addresses. You can refer to this prez:
    https://www.youtube.com/watch?v=o2_7By2EgSY (1mn30)
    
    Cheers,
    Med
    
    > -----Original Message-----
    > From: ietf [mailto:ietf-bounces@xxxxxxxx] On behalf of Christian Huitema
    > Sent: Wednesday, 2 August 2017 17:04
    > To: ietf@xxxxxxxx
    > Subject: Re: Incremental Deployment of CLAT on the router for IETF Meetings
    > 
    > 
    > 
    > On 8/2/2017 7:51 AM, JORDI PALET MARTINEZ wrote:
    > > Then I guess we fully agree, and I believe I was the first one reminding
    > that our network is a production one …
    > >
    > > As we already had a NAT64 SSID for some time, the right step for IETF100
    > will be then to have a CLAT SSID, so it can be tested by those folks that
    > want to test it.
    > >
    > > I’m happy to help the NOC team to do that if they need help.
    > >
    > > Regards,
    > > Jordi
    > 
    > That would be good, especially if the CLAT network did NOT include any
    > DNS64 function. There is a growing suspicion that hacking the DNS in the
    > name of IPv6 transition was a really bad idea. We have heard it many
    > times -- breaking DNSSEC, not working with VPN, or Netflix, or Skype.
    > Also, we know that a large fraction of DNS queries are served by Google
    > DNS and other global providers, which means that the DNS64 hacking
    > server will not see them. So, if we could demonstrate that DNS64 is not
    > needed for transition, that would be great.
    > 
    > -- Christian Huitema
    > 
    > 
    > --
    > Christian Huitema
    > 
    
    



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the use of the individual(s) named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, including attached files, is prohibited.
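
The translation cases listed in the message above, as an added Python model (not code from the thread or its authors). It assumes the RFC 6052 well-known prefix 64:ff9b::/96, which the thread does not name, and the function names `embed`, `extract` and `path` are hypothetical; it also covers one case the lists omit, an IPv6-only app with no DNS64.

```python
import ipaddress

# Assumption: RFC 6052 well-known prefix; the thread does not name the prefix in use.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

def embed(v4):
    """Form the IPv4-converted IPv6 address for a /96 prefix (RFC 6052)."""
    return ipaddress.IPv6Address(
        int(NAT64_PREFIX.network_address) | int(ipaddress.IPv4Address(v4)))

def extract(v6):
    """NAT64 side: recover the IPv4 destination from the low 32 bits."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in NAT64_PREFIX:
        raise ValueError(f"{v6} is outside {NAT64_PREFIX}")
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)

def path(app, server_v4, dns64, clat=True):
    """Model one flow on an IPv6-only access network.

    app: 'v6' (IPv6-only app), 'dual' (uses names, either family) or
    'v4' (IPv4-only app or IPv4 literal). server_v4: the server's IPv4
    address, or None when the server has a native AAAA.
    """
    if server_v4 is None:
        return {"hops": [], "synthesized_aaaa": False, "wire_dst": None}
    wire_dst = embed(server_v4)
    if dns64 and app in ("v6", "dual"):
        # The resolver fabricates the AAAA; no zone signature covers it,
        # which is the DNSSEC breakage discussed in the thread.
        return {"hops": ["NAT64"], "synthesized_aaaa": True, "wire_dst": wire_dst}
    if clat and app in ("dual", "v4"):
        # The CLAT builds the same destination statelessly from the real A record.
        return {"hops": ["NAT46 (CLAT)", "NAT64"], "synthesized_aaaa": False,
                "wire_dst": wire_dst}
    # No synthesized AAAA and no IPv4 socket: the app has nothing to connect to.
    return {"hops": None, "synthesized_aaaa": False, "wire_dst": None}

if __name__ == "__main__":
    server = "192.0.2.33"  # constructed documentation address
    for dns64 in (True, False):
        for app in ("v6", "dual", "v4"):
            r = path(app, server, dns64)
            print(f"dns64={dns64!s:5} app={app:4} hops={r['hops']} "
                  f"synthesized={r['synthesized_aaaa']} dst={r['wire_dst']}")
```

The `wire_dst` value is identical whether the address came from DNS64 or from the CLAT, so the NAT64 needs no knowledge of which one formed it.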







