I don't see a need to require something that we can't support, i.e. DNSSEC.
That is exactly the point for this discussion, figure out if we can support it somehow, and then require it :-) As I mentioned in the mail to George, it may be possible to make a mechanism that works with legacy hosts without DNSSEC but that upgraded hosts can perform DNSSEC validation. That would leave the door open to restore DNSSEC functionality if hosts are upgraded. I think this is a reasonable tradeoff, don't you think so?
=> Sorry my comment was not clear. I meant that we won't be able to get e2e DNSSEC in all cases. I guess you're trying to work out the most graceful way of handling that, which is fine with me. I'd just call that DNSSEC "handling" rather than support, but it's just wording. I understand what you're trying to do now.
(However, I am not sure this is possible in the v4 side though)
Well, I am preparing a thread on IPsec, so we can continue this discussion there :-)
With NAT64 other IETF security protocols will not work anyway,
=> Sure but it's not just IPsec, it's also app-level security for those apps transferring addresses (other than the DNS of course).
Hesham