Re: NAT64 and DNSSec

[Iljitsch van Beijnum <iljitsch@muada.com>]

On 29 mrt 2008, at 11:01, marcelo bagnulo wrote:

> > > Do you think it would be possible to impose any form of  
> > > requirement for using DNSSec in the v4 host?

> > Well, for v6->v4 we currently have the synthetic AAAA records. A  
> > translator that doesn't use these is possible in this direction,  
> > and even likely in the v4->v6 direction because we don't have an  
> > existing spec that uses synthetic records for that direction.

> I don't understand this
> Are you saying that we don't have synthetic A records. What about  
> section 4.1. of RFC 2766?

I don't think this is a useful scenario. What happens here is that  
IPv6 addresses are mapped to IPv4 addresses on a temporary basis,  
which makes referral issues (and DNSSEC issues) much harder. It also  
requires a large amount of address space if done in a service provider  
box that serves many customers. I would rather map individual ports on  
a more permanent basis.