On 25 Jul 2008, at 13:22, Thomas Narten wrote:
> DNSSEC is about e2e security. The recipient of the data (the DNS querier), using DNSSEC, is able to verify that the data has not been modified. This is no longer true in the solution outline you proposed above.
I assume you mean NAT64/DNS64. Actually it works as designed: someone in the middle changes the DNS records and the DNS records no longer validate.
If you want to use DNSSEC and NAT64 together, either DNSSEC or DNS64 must be changed to be aware of the other. Yes, this is inconvenient but then again, not being able to connect to the 99% of the internet that's still on IPv4 when your ISP can't give you an IPv4 address anymore is also quite inconvenient.
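A small added model of the interaction argued about above, not code from the thread: DNS64 synthesizes AAAA records from the A RRset (assuming the RFC 6052 well-known prefix 64:ff9b::/96), and a validating client marks the response bogus because no RRSIG covers records the zone never signed. The RRSIG here is a toy HMAC stand-in for real DNSSEC signatures, and the names and addresses are constructed.

```python
import hashlib
import hmac
import ipaddress

# Constructed model (not from the thread): DNS64 synthesis vs. DNSSEC validation.
WKP = ipaddress.IPv6Network("64:ff9b::/96")  # RFC 6052 Well-Known Prefix (assumed)
ZONE_KEY = b"constructed-zone-key"           # stand-in for the zone's DNSKEY


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = WKP) -> str:
    """DNS64: embed the IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are modelled here")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def rrsig(name: str, rtype: str, rdata) -> str:
    """Toy RRSIG: HMAC over the canonical RRset (stand-in, not real DNSSEC)."""
    canon = f"{name} {rtype} " + " ".join(sorted(rdata))
    return hmac.new(ZONE_KEY, canon.encode(), hashlib.sha256).hexdigest()


def authoritative_answer(name: str, ipv4s) -> dict:
    """What the signed zone serves: the A RRset plus the RRSIG covering it."""
    return {"A": list(ipv4s), "RRSIG": {"A": rrsig(name, "A", ipv4s)}}


def dns64(name: str, answer: dict, prefix: ipaddress.IPv6Network = WKP) -> dict:
    """DNS64 resolver: adds a synthetic AAAA RRset. It holds no zone key,
    so it cannot produce an RRSIG for the records it invented."""
    out = {k: (dict(v) if isinstance(v, dict) else list(v)) for k, v in answer.items()}
    out["AAAA"] = [synthesize_aaaa(a, prefix) for a in answer["A"]]
    return out


def validate(name: str, answer: dict) -> str:
    """Validating stub: every RRset in the answer must carry a verifying RRSIG."""
    sigs = answer.get("RRSIG", {})
    for rtype, rdata in answer.items():
        if rtype == "RRSIG":
            continue
        sig = sigs.get(rtype)
        if sig is None or not hmac.compare_digest(sig, rrsig(name, rtype, rdata)):
            return "bogus"  # unsigned or tampered RRset: client rejects the answer
    return "secure"


if __name__ == "__main__":
    signed = authoritative_answer("example.com.", ["192.0.2.33"])
    print(validate("example.com.", signed))                        # secure
    print(validate("example.com.", dns64("example.com.", signed)))  # bogus
```

Running the block shows the point of the reply: the synthesized AAAA RRset is exactly a record "changed in the middle", so a validating client can only treat it as bogus unless DNS64 or DNSSEC is made aware of the other.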