<?xml version="1.0"encoding="utf-8"?>encoding="UTF-8"?> <!DOCTYPE rfc SYSTEM"rfc2629.dtd"> <?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?> <!-- Check output with <http://tools.ietf.org/tools/idnits/> --> <!-- used by XSLT processors --> <!-- For a complete list and description of processing instructions (PIs), please see http://xml.resource.org/authoring/README.html. --> <!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds might want to use. (Here they are set differently than their defaults in xml2rfc v1.35) --> <!-- give errors regarding ID-nits and DTD validation --> <?rfc strict="yes" ?> <!-- control the table of contents (ToC) --> <!-- generate a ToC --> <?rfc toc="yes"?> <!-- the number of levels of subsections in ToC. default: 3 --> <?rfc tocdepth="1"?> <!-- control references --> <!-- use anchors instead of numbers for refs, i.e, [RFC2119] instead of [1] --> <?rfc symrefs="yes"?> <!-- sort the reference entries alphabetically --> <?rfc sortrefs="no" ?> <!-- control vertical white space (using these PIs as follows is recommended by the RFC Editor) --> <!-- do not start each main section on a new page --> <?rfc compact="yes" ?> <!-- keep one blank line between list items --> <?rfc subcompact="no" ?> <!-- encourage use of "xml2rfc" tool --> <?rfc rfcprocack="yes" ?> <!-- end of list of popular I-D processing instructions -->"rfc2629-xhtml.ent"> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" submissionType="IETF" category="std" consensus="true" docName="draft-cheshire-sudn-ipv4only-dot-arpa-17" number="8880" ipr="trust200902"updates="7050">updates="7050" obsoletes="" xml:lang="en" tocInclude="true" tocDepth="3" symRefs="true" sortRefs="false" version="3"> <front> <title abbrev="Special Name ipv4only.arpa">Special Use Domain Name 'ipv4only.arpa'</title> <seriesInfo name="RFC" value="8880"/> <authorinitials='S.' surname='Cheshire' fullname='Stuart Cheshire'>initials="S." surname="Cheshire" fullname="Stuart Cheshire"> <organization>Apple Inc.</organization> <address> <postal> <street>One Apple Park Way</street> <city>Cupertino</city> <region>California</region> <code>95014</code><country>USA</country><country>United States of America</country> </postal> <phone>+1 (408) 996-1010</phone> <email>cheshire@apple.com</email> </address> </author> <authorfullname='David Schinazi' surname='Schinazi' initials='D.'>fullname="David Schinazi" surname="Schinazi" initials="D."> <organization>Google LLC</organization> <address> <postal> <street>1600 Amphitheatre Parkway</street> <city>Mountain View</city> <region>California</region> <code>94043</code><country>USA</country><country>United States of America</country> </postal> <email>dschinazi.ietf@gmail.com</email> </address> </author> <dateday='19' month='March' year='2020'/>month="August" year="2020"/> <keyword>IPv6</keyword> <keyword>NAT64</keyword> <keyword>DNS64</keyword> <abstract> <t>NAT64 (Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers) allows client devices using IPv6 to communicate with servers that have only IPv4 connectivity.</t> <t>The specification for how a client discovers its local network's NAT64 prefix(RFC7050)(RFC 7050) defines the special name 'ipv4only.arpa' for thispurpose, butpurpose. However, in its Domain Name Reservation Considerations section (Section 8.1), that specification (RFC 7050) indicates that the name actually has no particularly special properties that would require specialhandling, and does not request IANA to record the name in the Special-Use Domain Names registry.</t>handling.</t> <t>Consequently, despite thewell articulatedwell-articulated special purpose of the name, 'ipv4only.arpa' was not recorded in the Special-Use Domain Names registry as a name with special properties.</t> <t>This document updates RFC 7050. It describes the special treatmentrequired,required and formally declares the special properties of thename,name. It also adds similar declarations for the corresponding reverse mappingnames, and updates RFC7050.</t>names.</t> </abstract> </front> <middle><?rfc needLines="22" ?><sectiontitle="Introduction">numbered="true" toc="default"> <name>Introduction</name> <t><xref target="RFC6146" format="default">NAT64 (Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers)</xref> allows client devices using IPv6 to communicate with servers that have only IPv4 connectivity.</t> <t><xref target="RFC6147" format="default">DNS64 (DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers)</xref> facilitates use of NAT64 by clients by generating synthesized IPv6 addresses for IPv4 servers that have no IPv6 address of their own, or by communicating the local network's NAT64 prefix to clients so that they can perform the IPv6 address synthesis themselves.</t> <t>The specification for <xreftarget="RFC7050">howtarget="RFC7050" format="default">how a client discovers its local network's NAT64 prefix</xref> defines the special name 'ipv4only.arpa' for this purpose, but in its Domain Name Reservation Considerations section (Section 8.1), that specification <xref target="RFC7050"/> indicates that the name actually has no particularly special properties that would require specialhandling,handling and does not request IANA to record the name in the <xreftarget="SUDN">Special-Usetarget="SUDN" format="default">Special-Use Domain Names registry</xref>.</t> <t>Consequently, despite thewell articulatedwell-articulated special purpose of the name, 'ipv4only.arpa' was not recorded in the <xreftarget="SUDN">Special-Usetarget="SUDN" format="default">Special-Use Domain Names registry</xref> as a name with special properties.</t> <t>This omission was discussed in the document <xreftarget="RFC8244">the Special-Usetarget="RFC8244" format="default">"Special-Use Domain Names ProblemStatement</xref>.</t> <?rfc needLines="24" ?>Statement"</xref>.</t> <t>As a result of this omission, in cases where software needs to give this name special treatment in order for it to work correctly, there was no clear mandate authorizing software authors to implement that special treatment. Software implementers were left with the choice between not implementing the special behavior necessary for the name queries to workcorrectly,correctly or implementing the special behavior and being accused of being noncompliant withsome RFC.</t>IETF DNS specifications.</t> <t>This document describes the special treatment required, formally declares the special properties of the name, and adds similar declarations for the corresponding reverse mapping names.</t> <section anchor="terminology"title="Conventionsnumbered="true" toc="default"> <name>Conventions andTerminology"> <t>TheTerminology</name> <t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY",<vspace />"<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted asdescribed<vspace />described inBCP 14BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appearin<vspace />in all capitals, as shownhere.</t>here. </t> </section> </section> <sectiontitle="Specialness of 'ipv4only.arpa'">numbered="true" toc="default"> <name>Reasons to Declare 'ipv4only.arpa' as Special</name> <t>The hostname 'ipv4only.arpa' is peculiar in that it was never intended to be treated like a normal hostname.</t> <t>A typical client never has any reason to look up the IPv4 address records for'ipv4only.arpa'. No'ipv4only.arpa': no normal user is ever trying to view aweb sitewebsite hosted at that domainname,name or trying to send email to an email address at that domain name. The name 'ipv4only.arpa' is already known, <xreftarget="RFC7050">bytarget="RFC7050" format="default">by IETF specification</xref>, to have exactly two IPv4 addressrecords,records: 192.0.0.170 and 192.0.0.171. No client ever has to look up the name in order to learn those two addresses.</t> <t>In contrast, clients often look up the IPv6 AAAA address records for 'ipv4only.arpa', which is contrary to general DNS expectations, given that it is already known, <xreftarget="RFC7050">bytarget="RFC7050" format="default">by IETF specification</xref>, that 'ipv4only.arpa' is an IPv4-only name,whichand it has no IPv6 AAAA address records. And yet, clients expect to receive, and do in fact receive, positive answers for these IPv6 AAAA address records that apparently should not exist.</t><?rfc needLines="3" ?><t>This odd querybehaviourbehavior comes not because clients are using DNS to learn legitimate answers from the name's legitimate authoritativeserver. Instead,server, but because the DNS protocol has, in effect, been co-opted as an improvised client-to-middlebox communicationprotocol,protocol to look for a DNS64/NAT64 <xreftarget="RFC6146"/>target="RFC6147" format="default"/> <xreftarget="RFC6147"/>target="RFC6146" format="default"/> gateway and, if one is present, to request that it disclose the prefix it is using for IPv6 address synthesis.</t> <t>This use of specially crafted DNS queries as an improvised client-to-middlebox communication protocol has a number of specific consequences, outlined below, which client software needs to take into account if the queries are to produce the desiredresults,results. This is particularly true when used on amulti-homed host,multihomed host or when a VPN tunnel is in use. The name 'ipv4only.arpa' is most definitely a specialname,name and needs to be listed in IANA's registry along with <xreftarget="SUDN">othertarget="SUDN" format="default">other DNS names that have special uses</xref>.</t><?rfc needLines="4" ?></section> <sectiontitle="Consequencesnumbered="true" toc="default"> <name>Consequences of 'ipv4only.arpa'not being declared special">Not Being Declared Special</name> <t>As a result of <xreftarget="RFC7050">thetarget="RFC7050" format="default">the original specification</xref> not formally declaring 'ipv4only.arpa' to have special properties, there was no clear mandate for DNS software to treat this name specially. In particular, this lack of mandate for special treatment is relevant (a) to the name resolution APIs and libraries on clientdevices,devices and (b) to DNS64 <xreftarget="RFC6147"/>target="RFC6147" format="default"/> implementations. These two aspects are discussed in more detail below.</t> <sectiontitle="Consequencesnumbered="true" toc="default"> <name>Consequences for Name Resolution APIs andLibraries">Libraries</name> <t>A serious problem can occur with DNS64/NAT64 when a device is configured to use a recursive resolver other than the one it learned from the network.</t> <t>A device joining a NAT64 network will learn the recursive resolver recommended for that network, typically via <xreftarget="RFC8106">IPv6target="RFC8106" format="default">IPv6 Router AdvertisementOptions for DNS Configuration</xref>Options</xref> or via <xreftarget="RFC3646">DNS Configuration options for DHCPv6</xref>.target="RFC3646" format="default">DHCPv6</xref>. On a NAT64networknetwork, it is essential that the client use the DNS64 recursive resolver recommended for that network, since only that recursive resolver can be relied upon to know the appropriate prefix(es) to use for synthesizing IPv6 addresses that will be acceptable to that NAT64 gateway.</t> <t>However, it is becoming increasingly common for users to manually override their default DNS configuration because they wish to use some other public recursive resolver on the Internet, which may offer better speed,betterreliability, orbetterprivacy than the local network's default recursive resolver. At the time of writing, examples of widely known public recursive resolver services include <xreftarget="DNS1">Cloudflaretarget="DNS1" format="default">Cloudflare Public DNS</xref>, <xreftarget="DNS8">Googletarget="DNS8" format="default">Google Public DNS</xref>, and <xreftarget="DNS9">Quad9</xref>.</t>target="DNS9" format="default">Quad9</xref>.</t> <t>Another common scenario is the use of corporate or personal VPN client software. Both for privacyreasons,reasons andalsobecause the local network's recursive resolver will typically be unable to provide answers for the company's private internal host names,soVPN client software usually overrides the local network's defaultconfiguration,configuration to divert some or all DNS requests so that they go to the company's own private internal recursiveresolver,resolver instead of to the default recursive resolver the client learned from its local network. (The company's own private internal recursive resolvers typically have addresses that are themselves reached through the VPNtunnel.tunnel, not via the public Internet.) As with the case described above of public recursive resolver services, the company's private internal recursive resolver cannot be expected to be able to synthesize IPv6 addresses correctly for use with the local network's NAT64 gateway, because the company's private internal recursive resolver is unlikely to be aware of the NAT64 prefix in use on the NAT64 network to which the client device is currently attached. It is clear that a single recursive resolver cannot meet both needs. The local network's recursive resolver cannot be expected to give answers for some unknown company's private internal host names, andsomea company's private internal recursive resolver cannot be expected to give correctly synthesized IPv6 addresses suitable forthesome unknown local network's NAT64 gateway.</t> <t>Note that multiple NAT64 services may be simultaneously available to a client. For example, the local network may provide NAT64 service (to allowaan IPv6-only client device to access IPv4-only Internet services), while at the sametimetime, a corporate VPN may also provide NAT64 service (to allow a client connecting via an IPv6-only VPN tunnel to access IPv4-only corporate services). The NAT64 address synthesis prefixes for the two NAT64 services may be different. In thiscasecase, it is essential that the NAT64 address synthesis prefix used on the local network be the prefix learned from the local network's recursive resolver, and the NAT64 address synthesis prefix used on the VPN tunnel be the prefix learned from the VPN tunnel's recursive resolver.</t> <t>Theconflictdifficulty here arises because DNS is being used for two unrelated purposes. The first purpose is retrieving data from a (nominally) globaldatabase --database, generally retrieving the IP address(es) associated with a hostname. The second purpose is using the DNS protocol as a middlebox communication protocol, to interrogate the local network infrastructure to discover the IPv6 prefix(es) in use by the local NAT64 gateway for address synthesis.</t> </section> <sectiontitle="Consequencesnumbered="true" toc="default"> <name>Consequences for DNS64Implementations">Implementations</name> <t>As a result of there being no mandate for special treatment, queries for 'ipv4only.arpa' had to be handled normally, resulting in DNS64 gateways performing unnecessary queries to the authoritative 'arpa' name servers, both unnecessary IPv6 address record queries (DNS qtype "AAAA", always returning negative responses) and unnecessary IPv4 address record queries (DNS qtype "A", always returning the same positiveresponses) to the authoritative 'arpa' name servers.</t>responses).</t> <t>Having DNS64 gateways around the world issue these queries generated additional load on the authoritative 'arpa' name servers, which was redundant when the name 'ipv4only.arpa' is defined, <xreftarget="RFC7050">bytarget="RFC7050" format="default">by IETF specification</xref>, to have exactly two IPv4 address records, 192.0.0.170 and 192.0.0.171, and no other IPv4 or IPv6 address records.</t> <t>Also, at times, for reasons that remain unclear, the authoritative 'arpa' name servers have been observed to be slow or unresponsive. The failures of these 'ipv4only.arpa' queries result in unnecessary failures of the DNS64 gateways and of the client devices that depend on them for <xreftarget="RFC6147">DNS64</xref>target="RFC6147" format="default">DNS64</xref> address synthesis.</t> <t>Even when the authoritative 'arpa' name servers are operating correctly, having to perform an unnecessary query to obtain an answer that is already known in advance can add precious milliseconds of delay, affecting user experience on the client devices waiting for those synthesized replies.</t> </section> </section> <sectiontitle="Remedies">numbered="true" toc="default"> <name>Remedies</name> <t>This document leverages operational experience to update the <xreftarget="RFC6761">Domaintarget="RFC6761" format="default">Domain Name ReservationConsiderations</xref> sectionConsiderations section</xref> of <xreftarget="RFC7050">thetarget="RFC7050" format="default">the earlier prefix discovery specification</xref> with one that more accurately lists the actual special properties of the name 'ipv4only.arpa', so that software can legitimately implement the correct behavior necessary for better performance, better reliability, and correct operation.</t> <t>These changes affect two bodies ofsoftware,software: (a) the name resolution APIs and libraries on client devices, and (b) DNS64 implementations.</t> <t>The new special rules specified in this document for name resolution APIs and libraries state how they should select which recursive resolver to query to learn the IPv6 address synthesis prefix in use on a particular physical or virtual interface.Specifically: WhenSpecifically, when querying for the name 'ipv4only.arpa', name resolution APIs and libraries should use the recursive resolver recommended by the network for the interface inquestion,question rather than a recursive resolver configured manually, a recursive resolver configured by VPN software, or a full-service recursive resolver running on the local host.SuperficiallySuperficially, this might seem like a security issue, since the user might have explicitly configured the particular DNS resolver they wish to use, and rather than using that, the name resolution code ignores the user's stated preference and uses untrusted input received from the network instead. However, the 'ipv4only.arpa' query is not really a DNS query in the usual sense; even though it may look like a DNS query, it is actually an improvised client-to-middlebox communication protocol in disguise. For NAT64 to work at all, it is necessary for the interface on which NAT64 translation is being performed to tell the host the address of the DNS64 recursive resolver the host must use to learn the NAT64 prefix being used by that NAT64. This is typically done via <xreftarget="RFC8106">IPv6target="RFC8106" format="default">IPv6 Router Advertisement Options for DNS Configuration</xref> or via <xreftarget="RFC3646">DNStarget="RFC3646" format="default">DNS Configuration options for DHCPv6</xref>. </t> <t>The new special rules specified in this document for DNS64 implementations recommend that they avoid performing run-time network queries for values that are known to be fixed by specification.</t> <t>A useful property of the way <xreftarget="RFC7050">NAT64target="RFC7050" format="default">NAT64 Prefix Discovery</xref> was originally specified was that it allowed for incremental deployment. Even if existing DNS64 gateways, that were unaware of the special 'ipv4only.arpa' name, were already deployed, once IANA created the appropriate 'ipv4only.arpa' records, clients could begin to use the new facility immediately. <!-- show stuart what we did with the commas.--> Clients could send their special queries for 'ipv4only.arpa' to an ipv4only-unaware DNS64 gateway,andand, as a side effect of its usual query processing (after a query toIANA's servers)IANA’s servers), the DNS64 gateway would then generate the correct synthesizedresponse.</t>response. </t> <t>While this was a useful transition strategy to enable rapid adoption, it is not the ideal end situation. For better performance, better reliability, and lower load in IANA's servers, it is preferable for DNS64 gateways to be aware of the special 'ipv4only.arpa' name so that they can avoid issuing unnecessary queries. Network operators who wish to provide reliable,high performancehigh-performance service to their customers are motivated to prefer DNS64 gateways that recognize the special 'ipv4only.arpa' name and apply the appropriate optimizations.</t> </section> <sectiontitle="Security Considerations">numbered="true" toc="default"> <name>Security Considerations</name> <t>One of the known concerns with DNS64 is that it conflicts with DNSSEC. If DNSSEC is used to assert cryptographically that a name has no IPv6 AAAA records, then this interferes with using DNS64 address synthesis toasserttell a client that those nonexistent IPv6 AAAA records do exist.</t><t>Section 3 of the <xref target="RFC6147">DNS64<t><xref target="RFC6147" sectionFormat="of" section="3">the DNS64 specification</xref> discusses this:<figure><artwork></t> <blockquote> ... DNS64 receives a query with the DO bit set and the CD bit set. In this case, the DNS64 is supposed to pass on all the data it gets to the query initiator. This case will not work with DNS64, unless the validating resolver is prepared to do DNS64itself.</artwork></figure></t>itself. </blockquote> <t>The <xreftarget="RFC7050">NAT64target="RFC7050" format="default">NAT64 Prefix Discovery specification</xref> provides the mechanism for the query initiator to learn the NAT64 prefix so that it can do its own validation and DNS64 synthesis as described above. With thismechanismmechanism, the client can (i) interrogate the local DNS64/NAT64 gatewaywith(with an 'ipv4only.arpa'queryquery) to learn the IPv6 address synthesis prefix, (ii) query for the (signed) IPv4 address recordsitself,for the desired hostname and validate the response, and then (iii) perform its own IPv6 address synthesis locally, combining the IPv6 address synthesis prefix learned from the local DNS64/NAT64 gateway with the validated DNSSEC-signed data learned from the global Domain Name System.</t> <t>It is conceivablethatthat, over time, if DNSSEC adoption continues to grow, the majority of clients could move to this validate-and-synthesize-locally model, which reduces the DNS64 machinery to the vestigial role of simply responding to the 'ipv4only.arpa' query to report the local IPv6 address synthesis prefix. At the time of publication, network operators have been observed "in the wild" deploying NAT64 service with DNS recursive resolvers that reply to 'ipv4only.arpa' queries but otherwise perform no other NAT64 address synthesis. In no case does the client care what answer(s) the authoritative 'arpa' name servers might give for that query. The 'ipv4only.arpa' query is being used purely as a local client-to-middlebox communication message.</t> <t>This validate-and-synthesize-locally approach is even more attractive if it does not create an additional dependency on the authoritative 'arpa' name servers to answer a query that is unnecessary because the DNS64/NAT64 gateway already knows the answer before it even issues the query. Avoiding this unnecessary query improves performance and reliability for theclient,client and reduces unnecessary load for the authoritative 'arpa' name servers.</t><t>Hard-coding<t>Hardcoding the known answers for 'ipv4only.arpa' IPv4 address record queries (DNS qtype "A") in recursive resolvers also reduces the risk of malicious devices intercepting those queries and returning incorrect answers. Because the 'ipv4only.arpa' zone has to be an insecure delegation (seebelow)below), DNSSEC cannot be used to protect these answers from tampering by malicious devices on the path.</t> <t>With respect to the question of whether 'ipv4only.arpa' should be a secure or insecure delegation, we need to consider two paths of information flow through thenetwork: Thenetwork:</t> <ol> <li>The path from the server authoritative for 'ipv4only.arpa' to the DNS64 recursiveresolver, and theresolver </li> <li>The path from the DNS64 recursive resolver to the ultimateclient.</t>client </li> </ol> <t>The path from the authoritative server to the DNS64 recursive resolver (queries for IPv4 address records) need not be protected by DNSSEC, because the DNS64 recursive resolver already knows, by specification, what the answers are. In principle, if this were a secure delegation, and 'ipv4only.arpa' were a signed zone, then the path from the authoritative server to the DNS64 recursive resolver would still work, but DNSSEC is not necessary here. Run-time cryptographic signatures are not needed to verify compile-time constants. Validating the signatures could only serve to introduce potential failures into the system for minimal benefit.</t> <t>The path from the DNS64 recursive resolver to the ultimate client (queries for IPv6 address records) *cannot* be protected byDNSSEC,DNSSEC because the DNS64 recursive resolver is synthesizing IPv6 addressanswers,answers and does not possess the DNSSEC secret key required to sign those answers.</t> <t>Consequently, the 'ipv4only.arpa' zoneMUST<bcp14>MUST</bcp14> be an insecuredelegation,delegation to give DNS64/NAT64 gateways the freedom to synthesize answers to those queries at will, without the answers being rejected by DNSSEC-capable resolvers. DNSSEC-capable resolvers that follow this specificationMUST NOT<bcp14>MUST NOT</bcp14> attempt to validate answers received in response to queries for the IPv6 AAAA address records for 'ipv4only.arpa'. Note that the name 'ipv4only.arpa' has no use outside of being used for this special DNS pseudo-query used to learn the DNS64/NAT64 address synthesis prefix, so the lack of DNSSEC security for that name is not a problem. </t> <t>The original <xreftarget="RFC7050">NAT64target="RFC7050" format="default">NAT64 Prefix Discovery specification</xref> stated, incorrectly:<figure><artwork></t> <blockquote> A signed "ipv4only.arpa." allows validating DNS64 servers (see [RFC6147] Section 3, Case 5, for example) to detect malicious AAAA resource records. Therefore, the zone serving the well-known name has to be protected withDNSSEC.</artwork></figure></t>DNSSEC. </blockquote> <t>This document updates <xreftarget="RFC7050">thetarget="RFC7050" format="default">the previous specification</xref> to correct that error. The 'ipv4only.arpa' zoneMUST<bcp14>MUST</bcp14> be an insecure delegation.</t> </section> <sectiontitle="IANA Considerations"> <?rfc subcompact="yes" ?> <t>[Once published] IANAnumbered="true" toc="default"> <name>IANA Considerations</name> <t>IANA has created an insecure delegation for 'ipv4only.arpa' to allow DNS64 recursive resolvers to create synthesized AAAA answers within that zone.</t> <t>IANA has recorded the following names inthe<vspace />the <xreftarget="SUDN">Special-Usetarget="SUDN" format="default">Special-Use Domain Names registry</xref>:<list style='empty'> <t>ipv4only.arpa.</t> <t>170.0.0.192.in&nbhy;addr.arpa.</t> <t>171.0.0.192.in&nbhy;addr.arpa.</t> </list></t> <ul empty="true" spacing="compact"> <li>ipv4only.arpa.</li> <li>170.0.0.192.in&nbhy;addr.arpa.</li> <li>171.0.0.192.in&nbhy;addr.arpa.</li> </ul> <t>IANA has recorded the following IPv4 addresses inthe<vspace />the <xreftarget="SUv4">IPv4target="SUv4" format="default">IANA IPv4 Special-Purpose Address Registry</xref>:<list style='empty'> <t>192.0.0.170</t> <t>192.0.0.171</t> </list></t><?rfc subcompact="no" ?><ul empty="true" spacing="compact"> <li>192.0.0.170</li> <li>192.0.0.171</li> </ul> </section> <sectiontitle="Domainnumbered="true" toc="default"> <name>Domain Name ReservationConsiderations">Considerations</name> <sectiontitle="Specialnumbered="true" toc="default"> <name>Special Use Domain Name'ipv4only.arpa'">'ipv4only.arpa'</name> <t>The name 'ipv4only.arpa' is defined, <xreftarget="RFC7050">bytarget="RFC7050" format="default">by IETF specification</xref>, to have two IPv4 address records with rdata 192.0.0.170 and 192.0.0.171.</t> <t>When queried via a <xreftarget="RFC6147">DNS64</xref>target="RFC6147" format="default">DNS64 recursiveresolver,resolver</xref>, the name 'ipv4only.arpa' is also defined to have IPv6 AAAA records, with rdata synthesized from a combination of the NAT64 IPv6 prefix(es) and the IPv4 addresses 192.0.0.170 and 192.0.0.171. This can return more than one pair of IPv6 addresses if there are multiple NAT64 prefixes.</t> <t>The name 'ipv4only.arpa' has no other IPv4 or IPv6 addressrecords.<vspace />records. There are no subdomains of 'ipv4only.arpa'. All names falling below 'ipv4only.arpa' are defined to be nonexistent (NXDOMAIN).</t> <t>The name 'ipv4only.arpa' is specialto<vspace /> (a) clientto </t> <ol type="a"> <li>client software wishing to perform DNS64 addresssynthesis,<vspace /> (b) APIssynthesis, </li> <li>APIs responsible for retrieving the correct information,and<vspace /> (c) theand </li> <li>the DNS64 recursive resolver responding to suchrequests.<vspace />requests. </li> </ol> <t> These three considerations are listed in items 2,33, and 4 below:</t><t> <list style="numbers"> <t>Normal<ol spacing="normal" type="1"> <li>Normal users should never have reason to encounter the 'ipv4only.arpa' domain name. If they do, they should expect queries for 'ipv4only.arpa' to result in <xreftarget="RFC7050">thetarget="RFC7050" format="default">the answers required by the specification</xref>. Normal users have no need to know that 'ipv4only.arpa' isspecial.</t> <t>Applicationspecial.</li> <li>Application software may explicitly use the name 'ipv4only.arpa' for DNS64/NAT64 addresssynthesis,synthesis and expect to get <xreftarget="RFC7050">thetarget="RFC7050" format="default">the answers required by the specification</xref>. If application software encounters the name 'ipv4only.arpa' in the normal course of handling user input, the application software should resolve that name as usual and need not treat it in any specialway.</t>way.</li> <li> <t>Name resolution APIs and librariesMUST<bcp14>MUST</bcp14> recognize 'ipv4only.arpa' as special andMUST<bcp14>MUST</bcp14> give it special treatment.<vspace blankLines="1"/></t> <t> Learning a network's NAT64 prefixisis, by itsnaturenature, an interface-specific operation, and the special DNS query used to learn this interface-specific NAT64 prefixMUST<bcp14>MUST</bcp14> be sent to the DNS recursive resolver address(es) the client learned via the configuration machinery for that specific client interface. The NAT64 prefix is a per-interface property, not a per-device property.<vspace blankLines="1"/></t> <t> Regardless of any manual client DNS configuration, DNS overrides configured by VPN client software, or any other mechanisms that influence the choice of the client's recursive resolver address(es) (including client devices that run their own local recursive resolver and use the loopback address as their configured recursive resolveraddress)address), all queries for 'ipv4only.arpa' and any subdomains of that nameMUST<bcp14>MUST</bcp14> be sent to the recursive resolver learned from the network interface in question via <xreftarget="RFC8106">IPv6target="RFC8106" format="default">IPv6 Router Advertisement Options for DNS Configuration</xref>, <xreftarget="RFC3646">DNStarget="RFC3646" format="default">DNS Configuration options for DHCPv6</xref>, or other configuration mechanisms. Because DNS queries for 'ipv4only.arpa' are actually a special middlebox communication protocol, it is essential that they go to the correct middlebox for the interface in question, and failure to honor this requirement would cause failure of the <xreftarget="RFC7050">NAT64target="RFC7050" format="default">NAT64 Prefix Discovery mechanism</xref>.<vspace blankLines="1"/></t> <t> One implication of this is that, onmulti-homedmultihomed devices (devices that allow more than one logical or physical IP interface to be active at the same time, e.g., cellular data and Wi-Fi, or one physical interface plus a VPN connection), clientsMUST<bcp14>MUST</bcp14> use interface-aware name resolution APIs. On different (logical or physical) interfaces, different DNS64 answers may be received, and DNS64 answers are only valid for the interface on which they were received. Onmulti-homedmultihomed devices (including devices that support VPN), name resolution APIs that do not include interface parameters will not work reliably with NAT64. On single-homed devices, interface-unaware name resolution APIs are acceptable since when only one interface can be active at atimetime, there is no need to specify an interface.<vspace blankLines="1"/></t> <t> DNSSEC-capable resolversMUST NOT<bcp14>MUST NOT</bcp14> attempt to validate answers received in response to queries for the IPv6 AAAA address records for'ipv4only.arpa','ipv4only.arpa' since, by definition, any such answers are generated by the local network's DNS64/NAT64 gateway, not the authoritative server responsible for that name. </t><?rfc needLines="5" ?></li> <li> <t>For the purposes of this section, recursive resolvers fall into two categories. The first category is traditional recursive resolvers, which includes *forwarding* recursive resolvers, as commonly implemented in residential home gateways, and *iterative* recursive resolvers, as commonly deployed by ISPs.More information on these terms can be found in <xref target="RFC8499">DNS Terminology</xref>.The second category is DNS64 recursive resolvers, whose purpose is to synthesize IPv6 address records. These may be *forwarding* DNS64 recursive resolvers or *iterative* DNS64 recursive resolvers, and they work in partnership with a companion NAT64 gateway to communicate the appropriate NAT64 address synthesis prefix to clients.<vspace blankLines="1" />More information on these terms can be found in <xref target="RFC8499" format="default">the DNS Terminology document</xref>. </t> <t> Traditional forwarding recursive resolversSHOULD NOT<bcp14>SHOULD NOT</bcp14> recognize 'ipv4only.arpa' as special or give that name, or subdomains of that name, any special treatment. The rationale for this is that a traditional forwarding recursive resolver, such as built in to a residential home gateway, may itself be downstream of a DNS64 recursive resolver. Passing through the 'ipv4only.arpa' queries to the upstream DNS64 recursive resolver will allow the correct NAT64 prefix to be discovered.<vspace blankLines="1" /></t> <t> Traditional iterative recursive resolvers that are not explicitly configured to synthesize IPv6 prefixes on behalf of a companion NAT64 gateway need not recognize 'ipv4only.arpa' as special or take any special action.<vspace blankLines="1" /></t> <t> Forwarding or iterative recursive resolvers that have been explicitly configured to perform DNS64 address synthesis in support of a companion NAT64 gateway(i.e,(i.e., "DNS64 recursive resolvers")MUST<bcp14>MUST</bcp14> recognize 'ipv4only.arpa' as special. The authoritative name servers for 'ipv4only.arpa' cannot be expected to know the local network's NAT64 address synthesis prefix, so consulting the authoritative name servers for IPv6 address records for 'ipv4only.arpa' is futile. All DNS64 recursive resolversMUST<bcp14>MUST</bcp14> recognize 'ipv4only.arpa' (and all of its subdomains) as special, andMUST NOTthey <bcp14>MUST NOT</bcp14> attempt to look up NS records for'ipv4only.arpa','ipv4only.arpa' or otherwise query authoritative name servers in an attempt to resolve this name. Instead, DNS64 recursive resolversMUST<bcp14>MUST</bcp14> act as authoritative for this zone, by generating immediate responses for all queries for 'ipv4only.arpa' (and any subdomain of 'ipv4only.arpa'), with the one exception of queries for the DS record. Queries for the DS record are resolved the usual way to allow a client to securely verify that the 'ipv4only.arpa' zone has an insecure delegation. Note that this exception is not expected to receive widespread usage, since any client compliant with this specification already knows that 'ipv4only.arpa' is an insecure delegation and will not attempt DNSSEC validation for this name.<vspace blankLines="1" /></t> <t> DNS64 recursive resolversMUST<bcp14>MUST</bcp14> generate the 192.0.0.170 and 192.0.0.171 responses for IPv4 address queries (DNS qtype "A"), the appropriate synthesized IPv6 address record responses for IPv6 address queries (DNS qtype "AAAA"), and a negative ("no error no answer") response for all other query types except DS.<vspace blankLines="1" /></t> <t> For all subdomains of 'ipv4only.arpa', DNS64 recursive resolversMUST<bcp14>MUST</bcp14> generate immediate NXDOMAIN responses. All names falling below 'ipv4only.arpa' are defined to be nonexistent.<vspace blankLines="1" /></t> <t> An example configuration for BIND 9 showing how to achieve the desired result is given in <xref target="app-a" format="none">Appendix A</xref>.<vspace blankLines="1" /></t> <t> Note that this is *not* a locally served zone in the usual sense of that term <xreftarget="RFC6303"/>target="RFC6303" format="default"/> because this rule applies *only* to DNS64 recursive resolvers, not to traditional forwardingDNSor iterative recursive resolvers. </t><t>Authoritative</li> <li>Authoritative name server software need not recognize 'ipv4only.arpa' as special or handle it in any specialway.</t> <t>Generallyway.</li> <li>Generally speaking, operators of authoritative name servers need not know anything about the name 'ipv4only.arpa', just as they do not need to know anything about any other names they are not responsible for. Only the administrators of the 'arpa' namespace need to be aware of this name's purpose and how it should be configured. In particular, 'ipv4only.arpa'MUST<bcp14>MUST</bcp14> have the required records, andMUST<bcp14>MUST</bcp14> be an insecure delegation, to allow DNS64 recursive resolvers to create synthesized AAAA answers within that zone. Making the 'ipv4only.arpa' zone a secure delegation would make it impossible for DNS64 recursive resolvers to create synthesized AAAA answers that will be accepted by DNSSEC validating clients, thereby defeating the entire purpose of the 'ipv4only.arpa' name.</t> <t>DNS</li> <li>DNS Registries/Registrars need not know anything about the name 'ipv4only.arpa', just as they do not need to know anything about any other name they are not responsiblefor.</t> </list> </t> <?rfc needLines="25" ?>for.</li> </ol> </section> <sectiontitle="Namesnumbered="true" toc="default"> <name>Names '170.0.0.192.in&nbhy;addr.arpa' and'171.0.0.192.in&nbhy;addr.arpa'">'171.0.0.192.in&nbhy;addr.arpa'</name> <t>Since the IPv4 addresses 192.0.0.170 and 192.0.0.171 are defined to be special, and are listed in the <xreftarget="SUv4">IPv4target="SUv4" format="default">IANA IPv4 Special-Purpose Address Registry</xref>, the corresponding reverse mapping names in the in&nbhy;addr.arpa domain are similarly special.</t> <t>The name '170.0.0.192.in&nbhy;addr.arpa' is defined, <xreftarget="RFC7050">bytarget="RFC7050" format="default">by IETF specification</xref>, to have only one DNS record, type PTR, with rdata 'ipv4only.arpa'.</t> <t>The name '171.0.0.192.in&nbhy;addr.arpa' is defined, <xreftarget="RFC7050">bytarget="RFC7050" format="default">by IETF specification</xref>, to have only one DNS record, type PTR, with rdata 'ipv4only.arpa'.</t> <t>There are no subdomains of '170.0.0.192.in&nbhy;addr.arpa' or '171.0.0.192.in&nbhy;addr.arpa'. All names falling below these names are defined to be nonexistent (NXDOMAIN).</t> <t>Practicallyspeakingspeaking, these two names are rarely used, but to the extent that they may be, they are special only to resolver APIs and libraries, as described in item 3 below:<list style="numbers"> <t>Normal</t> <ol spacing="normal" type="1"> <li>Normal users should never have reason to encounter these two reverse mapping names. However, if they do, queries for these reverse mapping names should return the expected answer 'ipv4only.arpa'. Normal users have no need to know that these reverse mapping names arespecial.</t>special.</li> <li> <t>Application softwareSHOULD NOT<bcp14>SHOULD NOT</bcp14> recognize these two reverse mapping names asspecial,special andSHOULD NOT<bcp14>SHOULD NOT</bcp14> treat themdifferently.<vspace />differently. For example, if the user were to issue the Unix command"host 192.0.0.170""host 192.0.0.170", then the "host" command should call the name resolution API or library as usual and display the result that is returned.</t> </li> <li> <t>Name resolution APIs and librariesSHOULD<bcp14>SHOULD</bcp14> recognize these two reverse mapping names as special and generate the required responses locally. For the names '170.0.0.192.in&nbhy;addr.arpa' and'171.0.0.192.in&nbhy;addr.arpa''171.0.0.192.in&nbhy;addr.arpa', PTR queries yield the result 'ipv4only.arpa'; all other query types yield a negative ("no error no answer") response. For all subdomains of these two reverse mapping domains, all queries yield an NXDOMAIN response. All names falling below these two reverse mapping domains are defined to be nonexistent.<vspace blankLines="1" /></t> <t> This local self-contained generation of these responses is to avoid placing unnecessary load on the authoritative 'in&nbhy;addr.arpa' name servers.</t><?rfc needLines="12" ?> <t>Recursive</li> <li>Recursive resolversSHOULD NOT<bcp14>SHOULD NOT</bcp14> recognize these two reverse mapping names as special andSHOULD NOT,<bcp14>SHOULD NOT</bcp14>, by default, give them any specialtreatment.</t> <t>Authoritativetreatment.</li> <li>Authoritative name server software need not recognize these two reverse mapping names as special or handle them in any specialway.</t> <t>Generallyway.</li> <li>Generally speaking, most operators of authoritative name servers need not know anything about these two reverse mapping names, just as they do not need to know anything about any other names they are not responsible for. Only the operators of the authoritative name servers for these two reverse mapping names need to be aware that these names are special, and require fixed answers specified by IETFspecification.</t> <t>DNSspecification.</li> <li>DNS Registries/Registrars need not know anything about these two reverse mapping names, just as they do not need to know anything about any other name they are not responsiblefor.</t> </list> </t> <?rfc needLines="27" ?>for.</li> </ol> <sectiontitle="ip6.arpanumbered="true" toc="default"> <name>ip6.arpa Reverse Mapping PTRRecords">Records</name> <t>For all IPv6 addresses synthesized by a DNS64 recursive resolver, the DNS64 recursive resolver is responsible for synthesizing the appropriate 'ip6.arpa' reverse mapping PTR records too, if it chooses to provide reverse mapping PTR records. The same applies to the synthesized IPv6 addresses corresponding to the IPv4 addresses 192.0.0.170 and 192.0.0.171.</t><t>Generally<t>Generally, a DNS64 recursive resolver synthesizes appropriate 'ip6.arpa' reverse mapping PTR records by extracting the embedded IPv4 address from the encoded IPv6 address, performing a reverse mapping PTR query for that IPv4 address, and then synthesizing a corresponding 'ip6.arpa' reverse mapping PTR record containing the same rdata.</t><?rfc needLines="20" ?><t>In the case of synthesized IPv6 addresses corresponding to the IPv4 addresses 192.0.0.170 and 192.0.0.171, the DNS64 recursive resolver does not issue reverse mapping queries for those IPv4 addresses, but instead, according to rule 3 above, immediately returns the answer 'ipv4only.arpa'.</t> <t>In the case of a client that uses the 'ipv4only.arpa' query to discover the IPv6 prefixes in use by the local NAT64 gateway, and then proceeds to perform its own address synthesis locally (which has benefits such as allowing DNSSEC validation), that clientMUST<bcp14>MUST</bcp14> also synthesize 'ip6.arpa' reverse mapping PTR records for those discovered prefix(es), according to the rules above: When a client's name resolution APIs and libraries receive a request to look up an 'ip6.arpa' reverse mapping PTR record for an address that falls within one of the discovered NAT64 address synthesis prefixes, the software extracts the embedded IPv4 address and then, for IPv4 addresses 192.0.0.170 and 192.0.0.171, returns the fixed answer 'ipv4only.arpa', and for all other IPv4addressesaddresses, performs a reverse mapping PTR query for the IPv4address,address and then synthesizes a corresponding 'ip6.arpa' reverse mapping PTR record containing the same rdata.</t><?rfc needLines="38" ?></section> </section> </section><section anchor="Acknowledgements" title="Acknowledgements"> <t>Thanks to Jouni Korhonen, Teemu Savolainen, and Dan Wing, for devising the <xref target="RFC7050">NAT64 Prefix Discovery mechanism</xref>, and for their feedback on this document.</t> <t>Thanks to Geoff Huston for his feedback on this document.</t> <t>Thanks to Erik Kline for pointing out that the in&nbhy;addr.arpa names are special too.</t> <t>Thanks to Mark Andrews for conclusively pointing out the reasons why the 'ipv4only.arpa' zone must be an insecure delegation in order for the <xref target="RFC7050">NAT64 Prefix Discovery mechanism</xref> to work, and many other very helpful comments.</t> <t>Thanks particularly to Lorenzo Colitti for an especially spirited hallway discussion at IETF 96 in Berlin, which lead directly to significant improvements in how this document presents the issues.</t> <t>Thanks to Scott Bradner, Bernie Volz, Barry Leiba, Mirja Kühlewind, Suresh Krishnan, Benjamin Kaduk, Roman Danyliw, Éric Vyncke and the other IESG reviewers for their thoughtful feedback.</t> <t>Thanks to Dave Thaler and Warren Kumari for generously helping shepherd this document through the publication process.</t> </section></middle> <back><?rfc needLines="38" ?> <references title="Normative References"> <?rfc include="reference.RFC.2119" ?> <?rfc include="reference.RFC.3646" ?> <?rfc include="reference.RFC.6146" ?> <?rfc include="reference.RFC.6147" ?> <?rfc include="reference.RFC.6761" ?> <?rfc include="reference.RFC.7050" ?> <?rfc include="reference.RFC.8106" ?> <?rfc include="reference.RFC.8174" ?><references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3646.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6146.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6147.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6761.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7050.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8106.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> </references><references title="Informative References"> <?rfc include="reference.RFC.6303" ?> <?rfc include="reference.RFC.8244" ?> <?rfc include="reference.RFC.8499" ?><references> <name>Informative References</name> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6303.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8244.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8499.xml"/> <reference anchor="SUDN" target="https://www.iana.org/assignments/special-use-domain-names/"> <front> <title>Special-Use DomainNames Registry</title> <author/> <date/>Names</title> <author> <organization>IANA </organization> </author> </front> </reference> <reference anchor="SUv4" target="https://www.iana.org/assignments/iana-ipv4-special-registry/"> <front> <title>IANA IPv4 Special-Purpose Address Registry</title><author/> <date/><author> <organization>IANA </organization> </author> </front> </reference> <reference anchor="DNS1" target="https://1.1.1.1/"> <front> <title>1.1.1.1 - The free app that makes your Internetsafer</title> <author/> <date/>safer.</title> <author> <organization>Cloudflare </organization> </author> </front> </reference> <reference anchor="DNS8" target="https://developers.google.com/speed/public-dns/"> <front> <title>Google Public DNS</title><author/> <date/><author> <organization>Google </organization> </author> </front> </reference> <reference anchor="DNS9" target="https://quad9.net/"> <front><title>Quad9 - Internet<title>Internet Security and Privacy In a Few Easy Steps</title><author/> <date/><author> <organization>Quad9 </organization> </author> </front> </reference> </references><?rfc needLines="40" ?></references> <section anchor="app-a"title="Examplenumbered="true" toc="default"> <name>Example BIND 9Configuration">Configuration</name> <t>A BIND 9 recursive resolver can be configured to act as authoritative for the necessary DNS64 names as described below.</t> <t>In/etc/named.conf/etc/named.conf, the following line is added:<figure><artwork></t> <artwork name="" type="" align="left" alt=""><![CDATA[ zone "ipv4only.arpa" { type master; file "ipv4only";};</artwork></figure></t>};]]></artwork> <t>The file /var/named/ipv4only is created with the following content:<figure><artwork></t> <artwork name="" type="" align="left" alt=""><![CDATA[ $TTL 86400 ; Default TTL 24 hours @ IN SOA nameserver.example. admin.nameserver.example. ( 2016052400 ; Serial 7200 ; Refresh ( 7200 = 2 hours) 3600 ; Retry ( 3600 = 1 hour) 15724800 ; Expire (15724800 = 6 months) 60 ; Minimum ) @ IN NS nameserver.example. @ IN A 192.0.0.170 @ IN A 192.0.0.171 @ IN AAAA 64:ff9b::192.0.0.170 ; If not using Well-Known Prefix @ IN AAAA 64:ff9b::192.0.0.171 ; place chosen NAT64 prefixhere</artwork></figure></t>here]]></artwork> </section> <section anchor="Acknowledgements" numbered="false" toc="default"> <name>Acknowledgements</name> <t>Thanks to <contact fullname="Jouni Korhonen"/>, <contact fullname="Teemu Savolainen"/>, and <contact fullname="Dan Wing"/>, for devising the <xref target="RFC7050" format="default">NAT64 Prefix Discovery mechanism</xref> and for their feedback on this document.</t> <t>Thanks to <contact fullname="Geoff Huston"/> for his feedback on this document.</t> <t>Thanks to <contact fullname="Erik Kline"/> for pointing out that the in&nbhy;addr.arpa names are special, too.</t> <t>Thanks to <contact fullname="Mark Andrews"/> for conclusively pointing out the reasons why the 'ipv4only.arpa' zone must be an insecure delegation in order for the <xref target="RFC7050" format="default">NAT64 Prefix Discovery mechanism</xref> to work and for many other very helpful comments.</t> <t>Thanks particularly to <contact fullname="Lorenzo Colitti"/> for an especially spirited hallway discussion at IETF 96 in Berlin, which lead directly to significant improvements in how this document presents the issues.</t> <t>Thanks to <contact fullname="Scott Bradner"/>, <contact fullname="Bernie Volz"/>, <contact fullname="Barry Leiba"/>, <contact fullname="Mirja Kuehlewind"/>, <contact fullname="Suresh Krishnan"/>, <contact fullname="Benjamin Kaduk"/>, <contact fullname="Roman Danyliw"/>, <contact fullname="Eric Vyncke"/>, and the other IESG reviewers for their thoughtful feedback.</t> <t>Thanks to <contact fullname="Dave Thaler"/> and <contact fullname="Warren Kumari"/> for generously helping shepherd this document through the publication process.</t> </section> </back> </rfc>