rfc8880xml2.original.xml   rfc8880.xml 
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!-- Check output with <http://tools.ietf.org/tools/idnits/> -->
<!-- used by XSLT processors -->
<!-- For a complete list and description of processing instructions (PIs),
please see http://xml.resource.org/authoring/README.html. -->
<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds
might want to use.
(Here they are set differently than their defaults in xml2rfc v1.35) -->
<!-- give errors regarding ID-nits and DTD validation -->
<?rfc strict="yes" ?>
<!-- control the table of contents (ToC) -->
<!-- generate a ToC -->
<?rfc toc="yes"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<?rfc tocdepth="1"?>
<!-- control references -->
<!-- use anchors instead of numbers for refs, i.e, [RFC2119] instead of [1] -->
<?rfc symrefs="yes"?>
<!-- sort the reference entries alphabetically -->
<?rfc sortrefs="no" ?>
<!-- control vertical white space <!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
(using these PIs as follows is recommended by the RFC Editor) -->
<!-- do not start each main section on a new page -->
<?rfc compact="yes" ?>
<!-- keep one blank line between list items -->
<?rfc subcompact="no" ?>
<!-- encourage use of "xml2rfc" tool --> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" submissionType="IETF"
<?rfc rfcprocack="yes" ?> category="std" consensus="true"
<!-- end of list of popular I-D processing instructions --> docName="draft-cheshire-sudn-ipv4only-dot-arpa-17" number="8880"
ipr="trust200902" updates="7050" obsoletes="" xml:lang="en"
tocInclude="true" tocDepth="3" symRefs="true" sortRefs="false"
version="3">
<rfc category="std" docName="draft-cheshire-sudn-ipv4only-dot-arpa-17" ipr="trus t200902" updates="7050">
<front> <front>
<title abbrev="Special Name ipv4only.arpa">Special Use Domain Name 'ipv4only <title abbrev="Special Name ipv4only.arpa">Special Use Domain Name
.arpa'</title> 'ipv4only.arpa'</title>
<seriesInfo name="RFC" value="8880"/>
<author initials='S.' surname='Cheshire' fullname='Stuart Cheshire'> <author initials="S." surname="Cheshire" fullname="Stuart Cheshire">
<organization>Apple Inc.</organization> <organization>Apple Inc.</organization>
<address> <address>
<postal> <postal>
<street>One Apple Park Way</street> <street>One Apple Park Way</street>
<city>Cupertino</city> <city>Cupertino</city>
<region>California</region> <region>California</region>
<code>95014</code> <code>95014</code>
<country>USA</country> <country>United States of America</country>
</postal> </postal>
<phone>+1 (408) 996-1010</phone> <phone>+1 (408) 996-1010</phone>
<email>cheshire@apple.com</email> <email>cheshire@apple.com</email>
</address> </address>
</author> </author>
<author fullname="David Schinazi" surname="Schinazi" initials="D.">
<author fullname='David Schinazi' surname='Schinazi' initials='D.'>
<organization>Google LLC</organization> <organization>Google LLC</organization>
<address> <address>
<postal> <postal>
<street>1600 Amphitheatre Parkway</street> <street>1600 Amphitheatre Parkway</street>
<city>Mountain View</city> <city>Mountain View</city>
<region>California</region> <region>California</region>
<code>94043</code> <code>94043</code>
<country>USA</country> <country>United States of America</country>
</postal> </postal>
<email>dschinazi.ietf@gmail.com</email> <email>dschinazi.ietf@gmail.com</email>
</address> </address>
</author> </author>
<date month="August" year="2020"/>
<date day='19' month='March' year='2020'/> <keyword>IPv6</keyword>
<keyword>NAT64</keyword>
<keyword>DNS64</keyword>
<abstract> <abstract>
<t>The specification for <t>NAT64 (Network Address and Protocol Translation from IPv6
how a client discovers its local network's NAT64 prefix (RFC7050) Clients to IPv4 Servers) allows client devices using IPv6 to
defines the special name 'ipv4only.arpa' for this purpose, communicate with servers that have only IPv4 connectivity.</t>
but in its Domain Name Reservation Considerations section <t>The specification for how a client discovers its local network's
that specification indicates that the name actually has NAT64 prefix (RFC 7050) defines the special name
no particularly special properties that would require special handling, 'ipv4only.arpa' for this purpose.
and does not request IANA to record However, in its Domain Name Reservation
the name in the Special-Use Domain Names registry.</t> Considerations section (Section 8.1),
that specification (RFC 7050) indicates that the name
<t>Consequently, despite the well articulated special purpose of the name, actually has no particularly special properties that would require
special handling.</t>
<t>Consequently, despite the well-articulated special purpose of the
name,
'ipv4only.arpa' was not recorded in the 'ipv4only.arpa' was not recorded in the
Special-Use Domain Names registry Special-Use Domain Names registry
as a name with special properties.</t> as a name with special properties.</t>
<t>This document updates RFC 7050.
<t>This document describes the special treatment required, It describes the special treatment required and
formally declares the special properties of the name, formally declares the special properties of the name.
adds similar declarations for the corresponding reverse mapping names, It also adds similar declarations for the corresponding reverse mapping
and updates RFC7050.</t> names.</t>
</abstract> </abstract>
</front> </front>
<middle> <middle>
<?rfc needLines="22" ?>
<section title="Introduction">
<t>The specification for
<xref target="RFC7050">how a client discovers its local network's NAT64 pr
efix</xref>
defines the special name 'ipv4only.arpa' for this purpose,
but in its Domain Name Reservation Considerations section
that specification indicates that the name actually has
no particularly special properties that would require special handling,
and does not request IANA to record
the name in the <xref target="SUDN">Special-Use Domain Names registry</xre
f>.</t>
<t>Consequently, despite the well articulated special purpose of the name, <section numbered="true" toc="default">
<name>Introduction</name>
<t><xref target="RFC6146" format="default">NAT64
(Network Address and Protocol Translation from IPv6
Clients to IPv4 Servers)</xref>
allows client devices using IPv6 to
communicate with servers that have only IPv4 connectivity.</t>
<t><xref target="RFC6147" format="default">DNS64
(DNS Extensions for Network Address Translation from IPv6
Clients to IPv4 Servers)</xref>
facilitates use of NAT64 by clients
by generating synthesized IPv6 addresses for IPv4 servers
that have no IPv6 address of their own, or by communicating
the local network's NAT64 prefix to clients so that they
can perform the IPv6 address synthesis themselves.</t>
<t>The specification for <xref target="RFC7050" format="default">how a
client discovers its local network's NAT64 prefix</xref> defines the
special name 'ipv4only.arpa' for this purpose, but in its Domain Name
Reservation Considerations section (Section 8.1),
that specification <xref target="RFC7050"/> indicates that the name
actually
has no particularly special properties that would require special
handling and does not request IANA to record the name in the <xref
target="SUDN" format="default">Special-Use Domain Names
registry</xref>.</t>
<t>Consequently, despite the well-articulated special purpose of the
name,
'ipv4only.arpa' was not recorded in the 'ipv4only.arpa' was not recorded in the
<xref target="SUDN">Special-Use Domain Names registry</xref> <xref target="SUDN" format="default">Special-Use Domain Names
registry</xref>
as a name with special properties.</t> as a name with special properties.</t>
<t>This omission was discussed in the document
<t>This omission was discussed in <xref target="RFC8244" format="default">"Special-Use Domain Names
<xref target="RFC8244">the Special-Use Domain Names Problem Statement</xre Problem Statement"</xref>.</t>
f>.</t>
<?rfc needLines="24" ?>
<t>As a result of this omission, in cases where software needs <t>As a result of this omission, in cases where software needs
to give this name special treatment in order for it to work correctly, to give this name special treatment in order for it to work correctly,
there was no clear mandate authorizing software authors to implement that there was no clear mandate authorizing software authors to implement
that
special treatment. Software implementers were left with the choice special treatment. Software implementers were left with the choice
between not implementing the special behavior necessary for the name between not implementing the special behavior necessary for the name
queries to work correctly, or implementing the special behavior queries to work correctly or implementing the special behavior
and being accused of being noncompliant with some RFC.</t> and being accused of being noncompliant with IETF DNS
specifications.</t>
<t>This document describes the special treatment required, <t>This document describes the special treatment required,
formally declares the special properties of the name, formally declares the special properties of the name,
and adds similar declarations for the corresponding reverse mapping names. and adds similar declarations for the corresponding reverse mapping
</t> names.</t>
<section anchor="terminology" numbered="true" toc="default">
<name>Conventions and Terminology</name>
<t>
The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
"<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
"<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are
to be interpreted as
described in BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/>
when, and only when, they appear in all capitals, as shown here.
</t>
<section anchor="terminology" title="Conventions and Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY",<vspace
/>
and "OPTIONAL" in this document are to be interpreted as described<vspac
e />
in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/>
when, and only when, they appear in<vspace />
all capitals, as shown here.</t>
</section> </section>
</section> </section>
<section numbered="true" toc="default">
<name>Reasons to Declare 'ipv4only.arpa' as Special</name>
<section title="Specialness of 'ipv4only.arpa'"> <t>The hostname 'ipv4only.arpa' is peculiar in that it was never
<t>The hostname 'ipv4only.arpa' is peculiar in that it was never intended intended
to be treated like a normal hostname.</t> to be treated like a normal hostname.</t>
<t>A typical client never has any reason to look up the IPv4 address
<t>A typical client never has any reason to look up the IPv4 address recor records for 'ipv4only.arpa': no normal user is ever trying to view a
ds for 'ipv4only.arpa'. website hosted at that domain name or trying to send email to an email
No normal user is ever trying to view a web site hosted at that domain nam address at that domain name. The name 'ipv4only.arpa' is already known,
e, <xref target="RFC7050" format="default">by IETF specification</xref>, to
or trying to send email to an email address at that domain name. have exactly two IPv4 address records: 192.0.0.170 and 192.0.0.171. No
The name 'ipv4only.arpa' is already known, <xref target="RFC7050">by IETF client ever has to look up the name in order to learn those two
specification</xref>, addresses.</t>
to have exactly two IPv4 address records, 192.0.0.170 and 192.0.0.171.
No client ever has to look up the name in order to learn those two address
es.</t>
<t>In contrast, clients often look up the IPv6 AAAA address records for <t>In contrast, clients often look up the IPv6 AAAA address records for
'ipv4only.arpa', which is contrary to general DNS expectations, given 'ipv4only.arpa', which is contrary to general DNS expectations, given
that it is already known, <xref target="RFC7050">by IETF specification</xr that it is already known, <xref target="RFC7050" format="default">by
ef>, IETF specification</xref>, that 'ipv4only.arpa' is an IPv4-only name,
that 'ipv4only.arpa' is an IPv4-only name, which has no IPv6 AAAA address and it has no IPv6 AAAA address records. And yet, clients expect to
records.
And yet, clients expect to
receive, and do in fact receive, positive answers for these IPv6 AAAA receive, and do in fact receive, positive answers for these IPv6 AAAA
address records that apparently should not exist.</t> address records that apparently should not exist.</t>
<t>This odd query behavior comes not because clients are using DNS to
<?rfc needLines="3" ?> learn
<t>This odd query behaviour comes not because clients are using DNS to lea legitimate answers from the name's legitimate authoritative
rn server, but because the DNS protocol has, in effect, been co-opted as an
legitimate answers from the name's legitimate authoritative server. improvised
Instead, the DNS protocol has, in effect, been co-opted as an improvised client-to-middlebox communication protocol to look for a DNS64/NAT64
client-to-middlebox communication protocol, to look for a DNS64/NAT64 <xref target="RFC6147" format="default"/> <xref target="RFC6146"
<xref target="RFC6146"/> <xref target="RFC6147"/> format="default"/>
gateway and, if one is present, gateway and, if one is present,
to request that it disclose the prefix it is using for IPv6 address synthe to request that it disclose the prefix it is using for IPv6 address
sis.</t> synthesis.</t>
<t>This use of specially crafted DNS queries as an improvised <t>This use of specially crafted DNS queries as an improvised
client-to-middlebox communication protocol has a number of specific client-to-middlebox communication protocol has a number of specific
consequences, outlined below, which client software needs to take consequences, outlined below, which client software needs to take into
into account if the queries are to produce the desired results, account if the queries are to produce the desired results. This
particularly when used on a multi-homed host, or when a VPN tunnel is in u is particularly true
se. when used on a multihomed host or when a VPN tunnel is in use. The
The name 'ipv4only.arpa' is most definitely a special name, name 'ipv4only.arpa' is most definitely a special name and needs to be
and needs to be listed in IANA's registry along with listed in IANA's registry along with <xref target="SUDN"
<xref target="SUDN">other DNS names that have special uses</xref>.</t> format="default">other DNS names that have special uses</xref>.</t>
<?rfc needLines="4" ?>
</section> </section>
<section title="Consequences of 'ipv4only.arpa' not being declared special"> <section numbered="true" toc="default">
<t>As a result of <xref target="RFC7050">the original specification</xref> <name>Consequences of 'ipv4only.arpa' Not Being Declared Special</name>
<t>As a result of <xref target="RFC7050" format="default">the original
specification</xref>
not formally declaring 'ipv4only.arpa' to have special properties, not formally declaring 'ipv4only.arpa' to have special properties,
there was no clear mandate for DNS software to treat this name specially. there was no clear mandate for DNS software to treat this name
specially.
In particular, this lack of mandate for special treatment is relevant In particular, this lack of mandate for special treatment is relevant
(a) to the name resolution APIs and libraries on client devices, and (a) to the name resolution APIs and libraries on client devices and
(b) to DNS64 <xref target="RFC6147"/> implementations. (b) to DNS64 <xref target="RFC6147" format="default"/> implementations.
These two aspects are discussed in more detail below.</t> These two aspects are discussed in more detail below.</t>
<section numbered="true" toc="default">
<section title="Consequences for Name Resolution APIs and Libraries"> <name>Consequences for Name Resolution APIs and Libraries</name>
<t>A serious problem can occur with DNS64/NAT64 when a device is configu <t>A serious problem can occur with DNS64/NAT64 when a device is
red to configured to
use a recursive resolver other than the one it learned from the network. use a recursive resolver other than the one it learned from the
</t> network.</t>
<t>A device joining a NAT64 <t>A device joining a NAT64
network will learn the recursive resolver recommended for that network, network will learn the recursive resolver recommended for that
typically network, typically
via <xref target="RFC8106">IPv6 Router Advertisement Options for DNS Con via <xref target="RFC8106" format="default">IPv6 Router Advertisement
figuration</xref> Options</xref>
or via <xref target="RFC3646">DNS Configuration options for DHCPv6</xref or via <xref target="RFC3646" format="default">DHCPv6</xref>.
>. On a NAT64 network, it is essential that the client use the
On a NAT64 network it is essential that the client use the DNS64 recursive resolver recommended for that network, since only that
DNS64 recursive resolver recommended for that network, since only that r recursive resolver can
ecursive resolver can be relied upon to know the appropriate prefix(es) to use for
be relied upon to know the appropriate prefix(es) to use for synthesizin synthesizing IPv6
g IPv6
addresses that will be acceptable to that NAT64 gateway.</t> addresses that will be acceptable to that NAT64 gateway.</t>
<t>However, it is becoming increasingly common for users to manually
<t>However, it is becoming increasingly common for users to manually ove override their
rride their default DNS configuration because they wish to use some other public
default DNS configuration because they wish to use some other public rec recursive
ursive resolver on the Internet, which may offer better speed, reliability,
resolver on the Internet, which may offer better speed, better reliabili or privacy than the local network's default recursive resolver.
ty, At the time of writing, examples of widely known public recursive
or better privacy than the local network's default recursive resolver. resolver services
At the time of writing, examples of widely known public recursive resolv
er services
include include
<xref target="DNS1">Cloudflare Public DNS</xref>, <xref target="DNS1" format="default">Cloudflare Public DNS</xref>,
<xref target="DNS8">Google Public DNS</xref>, and <xref target="DNS8" format="default">Google Public DNS</xref>, and
<xref target="DNS9">Quad9</xref>.</t> <xref target="DNS9" format="default">Quad9</xref>.</t>
<t>Another common scenario is the use of corporate or personal VPN clien <t>Another common scenario is the use of corporate or personal VPN client
t software. software.
Both for privacy reasons, and also because
the local network's recursive resolver will typically
be unable to provide answers for the company's private internal host nam
es,
so VPN client software overrides the
local network's default configuration,
to divert some or all DNS requests to the company's own private internal
recursive resolver, reached through the VPN tunnel.
As with the case described above of public recursive resolver services,
the company's private internal recursive resolver cannot be expected to
be able
to synthesize IPv6 addresses correctly for use with the local network's
NAT64 gateway,
because the company's private internal recursive resolver is unlikely to
be aware
of the NAT64 prefix in use on the NAT64 network to which the client devi
ce is currently attached.
It is clear that a single recursive resolver cannot meet both needs.
The local network's recursive resolver cannot give answers for some
company's private internal host names, and some company's private intern
al
recursive resolver cannot give correctly synthesized IPv6 addresses
suitable for the local network's NAT64 gateway.</t>
<t>Note that multiple NAT64 services may be simultaneously available to Both for privacy reasons and because the local network's recursive resolver
a client. will typically be unable to provide answers for the company's private internal
For example, the local network may host names, VPN client software usually overrides the local network's default
provide NAT64 service (to allow a IPv6-only client device to access IPv4 configuration to divert some or all DNS requests so that they go to the
-only Internet services), company's own private internal recursive resolver instead of to the default
while at the same time recursive resolver the client learned from its local network. (The company's
a corporate VPN may also own private internal recursive resolvers typically have addresses that are
provide NAT64 service (to allow a client connecting via an IPv6-only VPN themselves reached through the VPN tunnel, not via the public Internet.)
tunnel to access IPv4-only corporate services).
The NAT64 address synthesis prefixes for the two NAT64 services may be d
ifferent.
In this case it is essential that
the NAT64 address synthesis prefix used on the local network
be the prefix learned from the local network's recursive resolver, and
the NAT64 address synthesis prefix used on the VPN tunnel
be the prefix learned from the VPN tunnel's recursive resolver.</t>
<t>The conflict here arises because DNS is being used for two unrelated As with the case described above of public recursive resolver services, the
purposes. company's private internal recursive resolver cannot be expected to be able to
The first purpose is retrieving data from a (nominally) global database synthesize IPv6 addresses correctly for use with the local network's NAT64
-- gateway, because the company's private internal recursive resolver is unlikely
to be aware of the NAT64 prefix in use on the NAT64 network to which the
client device is currently attached. It is clear that a single recursive
resolver cannot meet both needs. The local network's recursive resolver
cannot be expected to give answers for some unknown company's private internal
host names, and a company's private internal recursive resolver cannot be
expected to give correctly synthesized IPv6 addresses suitable for some
unknown local network's NAT64 gateway.</t>
<t>Note that multiple NAT64 services may be simultaneously available to a
client. For example, the local network may provide NAT64 service (to allow an
IPv6-only client device to access IPv4-only Internet services), while at the
same time, a corporate VPN may also provide NAT64 service (to allow a client
connecting via an IPv6-only VPN tunnel to access IPv4-only corporate
services). The NAT64 address synthesis prefixes for the two NAT64 services
may be different. In this case, it is essential that the NAT64 address
synthesis prefix used on the local network be the prefix learned from the
local network's recursive resolver, and the NAT64 address synthesis prefix
used on the VPN tunnel be the prefix learned from the VPN tunnel's recursive
resolver.</t>
<t>The difficulty here arises because DNS is being used for two
unrelated purposes.
The first purpose is retrieving data from a (nominally) global
database,
generally retrieving the IP address(es) associated with a hostname. generally retrieving the IP address(es) associated with a hostname.
The second purpose is using the DNS protocol as a middlebox communicatio The second purpose is using the DNS protocol as a middlebox
n communication
protocol, to interrogate the local network infrastructure to discover protocol, to interrogate the local network infrastructure to discover
the IPv6 prefix(es) in use by the local NAT64 gateway for address synthe the IPv6 prefix(es) in use by the local NAT64 gateway for address
sis.</t> synthesis.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="Consequences for DNS64 Implementations"> <name>Consequences for DNS64 Implementations</name>
<t>As a result of there being no mandate for special treatment, <t>As a result of there being no mandate for special treatment,
queries for 'ipv4only.arpa' had to be handled normally, queries for 'ipv4only.arpa' had to be handled normally,
resulting in DNS64 gateways performing unnecessary resulting in DNS64 gateways performing unnecessary
IPv6 address record queries (DNS qtype "AAAA", always returning negative queries to the authoritative 'arpa' name servers, both
responses) and unnecessary IPv6 address record queries (DNS qtype "AAAA", always
IPv4 address record queries (DNS qtype "A", always returning the same po returning negative responses) and
sitive responses) unnecessary IPv4 address record queries (DNS qtype "A", always
to the authoritative 'arpa' name servers.</t> returning the same positive responses).</t>
<t>Having DNS64 gateways around the world issue these queries
<t>Having DNS64 gateways around the world issue these queries generated generated
additional load on the authoritative 'arpa' name servers, which was additional load on the authoritative 'arpa' name servers, which was
redundant when the name 'ipv4only.arpa' is defined, <xref target="RFC705 redundant when the name 'ipv4only.arpa' is defined, <xref
0">by IETF specification</xref>, target="RFC7050" format="default">by IETF specification</xref>,
to have exactly two IPv4 address records, 192.0.0.170 and 192.0.0.171, to have exactly two IPv4 address records, 192.0.0.170 and 192.0.0.171,
and no other IPv4 or IPv6 address records.</t> and no other IPv4 or IPv6 address records.</t>
<t>Also, at times, for reasons that remain <t>Also, at times, for reasons that remain
unclear, the authoritative 'arpa' name servers have been observed to be unclear, the authoritative 'arpa' name servers have been observed to
slow or unresponsive. be slow or unresponsive.
The failures of these 'ipv4only.arpa' queries result in unnecessary fail The failures of these 'ipv4only.arpa' queries result in unnecessary
ures failures
of the DNS64 gateways and of the client devices that depend on them for of the DNS64 gateways and of the client devices that depend on them
<xref target="RFC6147">DNS64</xref> address synthesis.</t> for
<xref target="RFC6147" format="default">DNS64</xref> address
<t>Even when the authoritative 'arpa' name servers are operating correct synthesis.</t>
ly, <t>Even when the authoritative 'arpa' name servers are operating
having to perform an unnecessary query to obtain an answer that is alrea correctly,
dy having to perform an unnecessary query to obtain an answer that is
already
known in advance can add precious milliseconds of delay, known in advance can add precious milliseconds of delay,
affecting user experience on the client devices waiting affecting user experience on the client devices waiting
for those synthesized replies.</t> for those synthesized replies.</t>
</section> </section>
</section> </section>
<section numbered="true" toc="default">
<section title="Remedies"> <name>Remedies</name>
<t>This document leverages operational experience to update the <t>This document leverages operational experience to update the <xref
<xref target="RFC6761">Domain Name Reservation Considerations</xref> secti target="RFC6761" format="default">Domain Name Reservation Considerations
on of section</xref> of <xref target="RFC7050" format="default">the earlier
<xref target="RFC7050">the earlier specification</xref> prefix discovery
with one that more specification</xref> with one that more accurately lists the actual
accurately lists the actual special properties of the name 'ipv4only.arpa' special properties of the name 'ipv4only.arpa', so that software can
, legitimately implement the correct behavior necessary for better
so that software can legitimately implement the correct behavior necessary performance, better reliability, and correct operation.</t>
for better performance, better reliability, and correct operation.</t> <t>These changes affect two bodies of software: (a) the name resolution
APIs and libraries on client devices, and (b) DNS64 implementations.</t>
<t>These changes affect two bodies of software, <t>The new special rules specified in this document for name resolution
(a) the name resolution APIs and libraries on client devices, and APIs and libraries
(b) DNS64 implementations.</t>
<t>The new special rules specified in this document for name resolution AP
Is and libraries
state how they state how they
should select which recursive resolver to query to learn the IPv6 address should select which recursive resolver to query to learn the IPv6
address
synthesis prefix in use on a particular physical or virtual interface. synthesis prefix in use on a particular physical or virtual interface.
Specifically: When querying for the name 'ipv4only.arpa', Specifically, when querying for the name 'ipv4only.arpa',
name resolution APIs and libraries should use the name resolution APIs and libraries should use the
recursive resolver recommended by the network for the interface in questio recursive resolver recommended by the network for the interface in
n, rather than question rather than
a recursive resolver configured manually, a recursive resolver configured manually,
a recursive resolver configured by VPN software, or a recursive resolver configured by VPN software, or
a full-service recursive resolver running on the local host. a full-service recursive resolver running on the local host.
Superficially this might seem like a security issue, since Superficially, this might seem like a security issue, since
the user might have explicitly configured the particular DNS resolver they the user might have explicitly configured the particular DNS resolver
they
wish to use, and rather than using that, the name resolution code wish to use, and rather than using that, the name resolution code
ignores the user's stated preference and uses untrusted input received fro ignores the user's stated preference and uses untrusted input received
m the network instead. from the network instead.
However, the 'ipv4only.arpa' query is not really a DNS query in the usual However, the 'ipv4only.arpa' query is not really a DNS query in the
sense; usual sense;
even though it may look like a DNS query, it is actually an improvised even though it may look like a DNS query, it is actually an improvised
client-to-middlebox communication protocol in disguise. client-to-middlebox communication protocol in disguise.
For NAT64 to work at all, For NAT64 to work at all,
it is necessary for the interface on which NAT64 translation is being it is necessary for the interface on which NAT64 translation is being
performed to tell the host the address of the DNS64 recursive resolver performed to tell the host the address of the DNS64 recursive resolver
the host must use to learn the NAT64 prefix being used by that NAT64. the host must use to learn the NAT64 prefix being used by that NAT64.
This is typically done This is typically done
via <xref target="RFC8106">IPv6 Router Advertisement Options for DNS Confi via <xref target="RFC8106" format="default">IPv6 Router Advertisement
guration</xref> Options for DNS Configuration</xref>
or via <xref target="RFC3646">DNS Configuration options for DHCPv6</xref>. or via <xref target="RFC3646" format="default">DNS Configuration options
for DHCPv6</xref>.
</t> </t>
<t>The new special rules specified in this document for DNS64
implementations recommend that they avoid
performing run-time network queries for values that are known to be
fixed by specification.</t>
<t>A useful property of the way <xref target="RFC7050"
format="default">NAT64 Prefix Discovery</xref> was originally specified
was that it allowed for incremental deployment. Even if existing DNS64
gateways, that were unaware of the special 'ipv4only.arpa' name, were
already deployed, once IANA created the appropriate 'ipv4only.arpa'
records, clients could begin to use the new facility immediately.
<t>The new special rules specified in this document for DNS64 implementati <!-- show stuart what we did with the commas.-->
ons recommend that they avoid Clients could send their special queries for 'ipv4only.arpa' to an
performing run-time network queries for values that are known to be fixed ipv4only-unaware DNS64 gateway, and, as a side effect of its usual query
by specification.</t> processing (after a query to IANA’s servers), the DNS64 gateway would
then generate the correct synthesized response.
<t>A useful property of the way </t>
<xref target="RFC7050">NAT64 Prefix Discovery</xref>
was originally specified was that it allowed for incremental deployment.
Even if existing DNS64 gateways,
that were unaware of the special 'ipv4only.arpa' name, were already deploy
ed,
once IANA created the appropriate 'ipv4only.arpa' records,
clients could begin to use the new facility immediately.
Clients could send their special queries for 'ipv4only.arpa'
to an ipv4only-unaware DNS64 gateway, and
(after a query to IANA's servers)
the DNS64 gateway would then generate the correct synthesized response.</t
>
<t>While this was a useful transition strategy to enable rapid adoption, <t>While this was a useful transition strategy to enable rapid adoption,
it is not the ideal end situation. it is not the ideal end situation.
For better performance, better reliability, and lower load in IANA's serve For better performance, better reliability, and lower load in IANA's
rs, servers,
it is preferable for DNS64 gateways to be aware of the special it is preferable for DNS64 gateways to be aware of the special
'ipv4only.arpa' name so that they can avoid issuing unnecessary queries. 'ipv4only.arpa' name so that they can avoid issuing unnecessary queries.
Network operators who wish to provide reliable, high performance service t Network operators who wish to provide reliable, high-performance service
o to
their customers are motivated to prefer DNS64 gateways that recognize their customers are motivated to prefer DNS64 gateways that recognize
the special 'ipv4only.arpa' name and apply the appropriate optimizations.< the special 'ipv4only.arpa' name and apply the appropriate
/t> optimizations.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="Security Considerations"> <name>Security Considerations</name>
<t>One of the known concerns with DNS64 is that <t>One of the known concerns with DNS64 is that
it conflicts with DNSSEC. If DNSSEC is used to assert cryptographically th it conflicts with DNSSEC. If DNSSEC is used to assert cryptographically
at a name that a name
has no IPv6 AAAA records, then this interferes with using DNS64 address sy has no IPv6 AAAA records, then this interferes with using DNS64 address
nthesis synthesis
to assert that those nonexistent IPv6 AAAA records do exist.</t> to tell a client that those nonexistent IPv6 AAAA records do exist.</t>
<t><xref target="RFC6147" sectionFormat="of" section="3">the DNS64
<t>Section 3 of the <xref target="RFC6147">DNS64 specification</xref> specification</xref>
discusses this: discusses this:
<figure><artwork> </t>
... DNS64 receives a query with the DO bit set and
the CD bit set. In this case, the DNS64 is supposed
to pass on all the data it gets to the query initiator.
This case will not work with DNS64, unless the
validating resolver is prepared to do DNS64 itself.</artwork></figure></t>
<t>The <xref target="RFC7050">NAT64 Prefix Discovery specification</xref> <blockquote>
provides the mechanism for the query initiator to learn the NAT64 prefix ... DNS64 receives a query with the DO bit set and the CD bit set. In this
so that it can do its own validation and DNS64 synthesis as described abov case, the DNS64 is supposed to pass on all the data it gets to the query
e. initiator. This case will not work with DNS64, unless the validating resolver
With this mechanism the client can is prepared to do DNS64 itself.
(i) interrogate the local DNS64/NAT64 gateway with an 'ipv4only.arpa' </blockquote>
query to learn the IPv6 address synthesis prefix,
(ii) query for the (signed) IPv4 address records itself, and validate the
response, and then
(iii) perform its own IPv6 address synthesis locally,
combining the IPv6 address synthesis prefix learned from the local DNS64/N
AT64 gateway
with the validated DNSSEC-signed data learned from the global Domain Name
System.</t>
<t>It is conceivable that over time, if DNSSEC adoption continues to grow, <t>The <xref target="RFC7050" format="default">NAT64 Prefix Discovery
the specification</xref> provides the mechanism for the query initiator to
learn the NAT64 prefix so that it can do its own validation and DNS64
synthesis as described above. With this mechanism, the client can (i)
interrogate the local DNS64/NAT64 gateway (with an 'ipv4only.arpa'
query)
to learn the IPv6 address synthesis prefix, (ii) query for the (signed)
IPv4 address records for the desired hostname and validate the response,
and then (iii)
perform its own IPv6 address synthesis locally, combining the IPv6
address synthesis prefix learned from the local DNS64/NAT64 gateway with
the validated DNSSEC-signed data learned from the global Domain Name
System.</t>
<t>It is conceivable that, over time, if DNSSEC adoption continues to
grow, the
majority of clients could move to this validate-and-synthesize-locally majority of clients could move to this validate-and-synthesize-locally
model, which reduces the DNS64 machinery to the vestigial role of model, which reduces the DNS64 machinery to the vestigial role of
simply responding to the 'ipv4only.arpa' query to report the local simply responding to the 'ipv4only.arpa' query to report the local
IPv6 address synthesis prefix. In no case does the client care what IPv6 address synthesis prefix.
answer(s) the authoritative 'arpa' name servers might give for that query. At the time of publication, network operators have been
observed "in the wild" deploying NAT64 service with DNS
recursive resolvers that reply to 'ipv4only.arpa' queries
but otherwise perform no other NAT64 address synthesis.
In no case does the client care what
answer(s) the authoritative 'arpa' name servers might give for that
query.
The 'ipv4only.arpa' query is being used purely as a local The 'ipv4only.arpa' query is being used purely as a local
client-to-middlebox communication message.</t> client-to-middlebox communication message.</t>
<t>This validate-and-synthesize-locally
<t>This approach is even more attractive if it does not create approach is even more attractive if it does not create
an additional dependency on the authoritative 'arpa' name an additional dependency on the authoritative 'arpa' name
servers to answer a query that is unnecessary servers to answer a query that is unnecessary
because the DNS64/NAT64 gateway already knows the answer because the DNS64/NAT64 gateway already knows the answer
before it even issues the query. Avoiding this unnecessary before it even issues the query. Avoiding this unnecessary
query improves performance and reliability for the client, query improves performance and reliability for the client
and reduces unnecessary load for the authoritative 'arpa' name servers.</t and reduces unnecessary load for the authoritative 'arpa' name
> servers.</t>
<t>Hardcoding the known answers for
<t>Hard-coding the known answers for
'ipv4only.arpa' IPv4 address record queries (DNS qtype "A") in 'ipv4only.arpa' IPv4 address record queries (DNS qtype "A") in
recursive resolvers also reduces the risk of malicious devices recursive resolvers also reduces the risk of malicious devices
intercepting those queries and returning incorrect answers. intercepting those queries and returning incorrect answers.
Because the 'ipv4only.arpa' zone has to be an insecure delegation (see bel Because the 'ipv4only.arpa' zone has to be an insecure delegation (see
ow) below),
DNSSEC cannot be used to protect these answers from tampering DNSSEC cannot be used to protect these answers from tampering
by malicious devices on the path.</t> by malicious devices on the path.</t>
<t>With respect to the question of whether 'ipv4only.arpa' should be <t>With respect to the question of whether 'ipv4only.arpa' should be a
a secure or insecure delegation, we need to consider secure or insecure delegation, we need to consider two paths of
two paths of information flow through the network: information flow through the network:</t>
The path from the server authoritative for 'ipv4only.arpa' to the DNS64 re
cursive resolver,
and the path from the DNS64 recursive resolver to the ultimate client.</t>
<t>The path from the authoritative server to the DNS64 recursive resolver <ol>
(queries for IPv4 address records) <li>The path from the server authoritative for 'ipv4only.arpa' to the
need not be protected by DNSSEC, because the DNS64 recursive resolver DNS64 recursive resolver
already knows, by specification, what the answers are. </li>
In principle, if this were a secure delegation, and 'ipv4only.arpa' were <li>The path from the DNS64 recursive resolver to the ultimate client
a signed zone, then the path from the authoritative server to the DNS64 </li>
recursive resolver would still work, but DNSSEC is not necessary here. </ol>
Run-time cryptographic signatures are not needed to verify compile-time co
nstants.
Validating the signatures could only serve to introduce potential failures
into the system for minimal benefit.</t>
<t>The path from the authoritative server to the DNS64 recursive
resolver (queries for IPv4 address records) need not be protected by
DNSSEC, because the DNS64 recursive resolver already knows, by
specification, what the answers are. In principle, if this were a
secure delegation, and 'ipv4only.arpa' were a signed zone, then the path
from the authoritative server to the DNS64 recursive resolver would
still work, but DNSSEC is not necessary here. Run-time cryptographic
signatures are not needed to verify compile-time constants. Validating
the signatures could only serve to introduce potential failures into the
system for minimal benefit.</t>
<t>The path from the DNS64 recursive resolver to the ultimate client <t>The path from the DNS64 recursive resolver to the ultimate client
(queries for IPv6 address records) (queries for IPv6 address records)
*cannot* be protected by DNSSEC, because the DNS64 recursive resolver *cannot* be protected by DNSSEC because the DNS64 recursive resolver
is synthesizing IPv6 address answers, and does not possess the DNSSEC secr is synthesizing IPv6 address answers and does not possess the DNSSEC
et secret
key required to sign those answers.</t> key required to sign those answers.</t>
<t>Consequently, the 'ipv4only.arpa' zone <bcp14>MUST</bcp14> be an
<t>Consequently, the 'ipv4only.arpa' zone MUST be an insecure delegation, insecure delegation
to give DNS64/NAT64 gateways the freedom to synthesize answers to those to give DNS64/NAT64 gateways the freedom to synthesize answers to those
queries at will, without the answers being rejected by DNSSEC-capable queries at will, without the answers being rejected by DNSSEC-capable
resolvers. resolvers.
DNSSEC-capable resolvers that follow this specification DNSSEC-capable resolvers that follow this specification
MUST NOT attempt to validate answers received in response to <bcp14>MUST NOT</bcp14> attempt to validate answers received in response
to
queries for the IPv6 AAAA address records for 'ipv4only.arpa'. queries for the IPv6 AAAA address records for 'ipv4only.arpa'.
Note that the name 'ipv4only.arpa' has no use outside of being Note that the name 'ipv4only.arpa' has no use outside of being
used for this special DNS pseudo-query used to learn the DNS64/NAT64 used for this special DNS pseudo-query used to learn the DNS64/NAT64
address synthesis prefix, so the lack of DNSSEC security for that name is address synthesis prefix, so the lack of DNSSEC security for that name
not a problem. is not a problem.
</t> </t>
<t>The original <xref target="RFC7050" format="default">NAT64 Prefix
<t>The original <xref target="RFC7050">NAT64 Prefix Discovery specificatio Discovery specification</xref>
n</xref>
stated, incorrectly: stated, incorrectly:
<figure><artwork> </t>
A signed "ipv4only.arpa." allows validating DNS64 servers
(see [RFC6147] Section 3, Case 5, for example) to detect
malicious AAAA resource records. Therefore, the zone
serving the well-known name has to be protected with DNSSEC.</artwork></figur
e></t>
<t>This document updates <xref target="RFC7050">the previous specification <blockquote>
</xref> A signed "ipv4only.arpa." allows validating DNS64 servers (see [RFC6147]
to correct that error. The 'ipv4only.arpa' zone MUST be an insecure delega Section 3, Case 5, for example) to detect malicious AAAA resource records.
tion.</t> Therefore, the zone serving the well-known name has to be protected with
DNSSEC.
</blockquote>
<t>This document updates <xref target="RFC7050" format="default">the
previous specification</xref>
to correct that error. The 'ipv4only.arpa' zone <bcp14>MUST</bcp14> be
an insecure delegation.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IANA Considerations"> <name>IANA Considerations</name>
<t>IANA has created an insecure delegation for 'ipv4only.arpa'
<?rfc subcompact="yes" ?> to allow DNS64 recursive resolvers to create synthesized AAAA answers
within that zone.</t>
<t>[Once published] IANA has created an insecure delegation for 'ipv4only. <t>IANA has recorded the following names in the
arpa' <xref target="SUDN" format="default">Special-Use Domain Names
to allow DNS64 recursive resolvers to create synthesized AAAA answers with registry</xref>:
in that zone.</t>
<t>IANA has recorded the following names in the<vspace />
<xref target="SUDN">Special-Use Domain Names registry</xref>:
<list style='empty'>
<t>ipv4only.arpa.</t>
<t>170.0.0.192.in&nbhy;addr.arpa.</t>
<t>171.0.0.192.in&nbhy;addr.arpa.</t>
</list>
</t> </t>
<ul empty="true" spacing="compact">
<t>IANA has recorded the following IPv4 addresses in the<vspace /> <li>ipv4only.arpa.</li>
<xref target="SUv4">IPv4 Special-Purpose Address Registry</xref>: <li>170.0.0.192.in&nbhy;addr.arpa.</li>
<list style='empty'> <li>171.0.0.192.in&nbhy;addr.arpa.</li>
<t>192.0.0.170</t> </ul>
<t>192.0.0.171</t> <t>IANA has recorded the following IPv4 addresses in the
</list> <xref target="SUv4" format="default">IANA IPv4 Special-Purpose Address
Registry</xref>:
</t> </t>
<ul empty="true" spacing="compact">
<?rfc subcompact="no" ?> <li>192.0.0.170</li>
<li>192.0.0.171</li>
</ul>
</section> </section>
<section title="Domain Name Reservation Considerations"> <section numbered="true" toc="default">
<name>Domain Name Reservation Considerations</name>
<section title="Special Use Domain Name 'ipv4only.arpa'"> <section numbered="true" toc="default">
<t>The name 'ipv4only.arpa' is defined, <xref target="RFC7050">by IETF s <name>Special Use Domain Name 'ipv4only.arpa'</name>
pecification</xref>, to have <t>The name 'ipv4only.arpa' is defined, <xref target="RFC7050"
format="default">by IETF specification</xref>, to have
two IPv4 address records with rdata 192.0.0.170 and 192.0.0.171.</t> two IPv4 address records with rdata 192.0.0.170 and 192.0.0.171.</t>
<t>When queried via a <xref target="RFC6147" format="default">DNS64
<t>When queried via a <xref target="RFC6147">DNS64</xref> recursive reso recursive resolver</xref>, the name
lver, the name
'ipv4only.arpa' is also defined to have IPv6 AAAA records, 'ipv4only.arpa' is also defined to have IPv6 AAAA records,
with rdata synthesized from a combination of the NAT64 IPv6 prefix(es) with rdata synthesized from a combination of the NAT64 IPv6 prefix(es)
and the IPv4 addresses 192.0.0.170 and 192.0.0.171. and the IPv4 addresses 192.0.0.170 and 192.0.0.171.
This can return more than one pair of IPv6 addresses This can return more than one pair of IPv6 addresses
if there are multiple NAT64 prefixes.</t> if there are multiple NAT64 prefixes.</t>
<t>The name 'ipv4only.arpa' has no other IPv4 or IPv6 address
<t>The name 'ipv4only.arpa' has no other IPv4 or IPv6 address records.<v records.
space />
There are no subdomains of 'ipv4only.arpa'. All names falling below There are no subdomains of 'ipv4only.arpa'. All names falling below
'ipv4only.arpa' are defined to be nonexistent (NXDOMAIN).</t> 'ipv4only.arpa' are defined to be nonexistent (NXDOMAIN).</t>
<t>The name 'ipv4only.arpa' is special to
</t>
<t>The name 'ipv4only.arpa' is special to<vspace /> <ol type="a">
(a) client software wishing to perform DNS64 address synthesis,<vspace / <li>client software wishing to perform DNS64 address synthesis,
> </li>
(b) APIs responsible for retrieving the correct information, and<vspace <li>APIs responsible for retrieving the correct information, and
/> </li>
(c) the DNS64 recursive resolver responding to such requests.<vspace /> <li>the DNS64 recursive resolver responding to such requests.
These three considerations are listed in items 2, 3 and 4 below:</t> </li>
</ol>
<t> <t> These three considerations are listed in items 2, 3, and 4
<list style="numbers"> below:</t>
<t>Normal users should never have reason to encounter the 'ipv4only. <ol spacing="normal" type="1">
arpa' domain name. <li>Normal users should never have reason to encounter the
If they do, they should expect queries for 'ipv4only.arpa' to result 'ipv4only.arpa' domain name.
in If they do, they should expect queries for 'ipv4only.arpa' to
<xref target="RFC7050">the answers required by the specification</xr result in
ef>. <xref target="RFC7050" format="default">the answers required by
Normal users have no need to know that 'ipv4only.arpa' is special.</ the specification</xref>.
t> Normal users have no need to know that 'ipv4only.arpa' is
special.</li>
<t>Application software may explicitly use the name 'ipv4only.arpa' <li>Application software may explicitly use the name 'ipv4only.arpa'
for DNS64/NAT64 for DNS64/NAT64
address synthesis, and expect to get address synthesis and expect to get
<xref target="RFC7050">the answers required by the specification</xr <xref target="RFC7050" format="default">the answers required by
ef>. the specification</xref>.
If application software encounters the name 'ipv4only.arpa' in the n If application software encounters the name 'ipv4only.arpa' in the
ormal normal
course of handling user input, the application software should resol course of handling user input, the application software should
ve resolve
that name as usual and need not treat it in any special way.</t> that name as usual and need not treat it in any special way.</li>
<li>
<t>Name resolution APIs and libraries MUST recognize <t>Name resolution APIs and libraries <bcp14>MUST</bcp14>
'ipv4only.arpa' as special and MUST give it special treatment. recognize
<vspace blankLines="1"/> 'ipv4only.arpa' as special and <bcp14>MUST</bcp14> give it special
Learning a network's NAT64 prefix is by its nature an interface-spec treatment.
ific </t>
operation, and the special DNS query used to learn this interface-sp <t>
ecific Learning a network's NAT64 prefix is, by its nature, an
NAT64 prefix MUST be sent to the interface-specific
DNS recursive resolver address(es) the client learned via the config operation, and the special DNS query used to learn this
uration interface-specific
NAT64 prefix <bcp14>MUST</bcp14> be sent to the
DNS recursive resolver address(es) the client learned via the
configuration
machinery for that specific client interface. machinery for that specific client interface.
The NAT64 prefix is a per-interface property, not a per-device prope The NAT64 prefix is a per-interface property, not a per-device
rty. property.
<vspace blankLines="1"/>
Regardless of any manual client DNS configuration, DNS overrides
configured by VPN client software, or any other mechanisms that infl
uence
the choice of the client's recursive resolver address(es)
(including client devices that run their own local recursive resolve
r and use
the loopback address as their configured recursive resolver address)
all queries for 'ipv4only.arpa' and any subdomains of that name
MUST be sent to the recursive resolver learned from the network inte
rface in question
via <xref target="RFC8106">IPv6 Router Advertisement Options for DNS
Configuration</xref>,
<xref target="RFC3646">DNS Configuration options for DHCPv6</xref>,
or other configuration mechanisms.
Because DNS queries for 'ipv4only.arpa' are actually a special middl
ebox
communication protocol, it is essential that they go to the correct
middlebox
for the interface in question, and failure to honor this requirement
would cause failure of
the <xref target="RFC7050">NAT64 Prefix Discovery mechanism</xref>.
<vspace blankLines="1"/>
One implication of this is that, on multi-homed devices
(devices that allow more than one logical or physical IP
interface to be active at the same time, e.g., cellular data and Wi-
Fi,
or one physical interface plus a VPN connection),
clients MUST use interface-aware name resolution APIs.
On different (logical or physical) interfaces, different DNS64 answe
rs may be received,
and DNS64 answers are only valid for the interface on which they wer
e received.
On multi-homed devices (including devices that support VPN),
name resolution APIs that do not include interface parameters will n
ot work reliably with NAT64.
On single-homed devices, interface-unaware name resolution APIs
are acceptable since when only one interface can be active
at a time there is no need to specify an interface.
<vspace blankLines="1"/>
DNSSEC-capable resolvers MUST NOT attempt to validate answers receiv
ed
in response to queries for the IPv6 AAAA address records for 'ipv4on
ly.arpa',
since, by definition, any such answers are generated by the local ne
twork's
DNS64/NAT64 gateway, not the authoritative server responsible for th
at name.
</t> </t>
<t>
<?rfc needLines="5" ?> Regardless of any manual client DNS configuration, DNS overrides
<t>For the purposes of this section, recursive resolvers fall into t configured by VPN client software, or any other mechanisms that
wo categories. influence the choice of the client's recursive resolver
The first category is traditional recursive resolvers, which include address(es) (including client devices that run their own local
s recursive resolver and use the loopback address as their
*forwarding* recursive resolvers, as commonly implemented in residen configured recursive resolver address), all queries for
tial home gateways, 'ipv4only.arpa' and any subdomains of that name
<bcp14>MUST</bcp14> be sent to the recursive resolver learned from
the network interface in question via <xref target="RFC8106"
format="default">IPv6 Router Advertisement Options for DNS
Configuration</xref>, <xref target="RFC3646" format="default">DNS
Configuration options for DHCPv6</xref>, or other configuration
mechanisms. Because DNS queries for 'ipv4only.arpa' are actually
a special middlebox communication protocol, it is essential that
they go to the correct middlebox for the interface in question,
and failure to honor this requirement would cause failure of the
<xref target="RFC7050" format="default">NAT64 Prefix Discovery
mechanism</xref>.
</t>
<t>
One implication of this is that, on multihomed devices (devices
that allow more than one logical or physical IP interface to be
active at the same time, e.g., cellular data and Wi-Fi, or one
physical interface plus a VPN connection), clients
<bcp14>MUST</bcp14> use interface-aware name resolution APIs. On
different (logical or physical) interfaces, different DNS64
answers may be received, and DNS64 answers are only valid for the
interface on which they were received. On multihomed devices
(including devices that support VPN), name resolution APIs that do
not include interface parameters will not work reliably with
NAT64. On single-homed devices, interface-unaware name resolution
APIs are acceptable since when only one interface can be active at
a time, there is no need to specify an interface.
</t>
<t>
DNSSEC-capable resolvers <bcp14>MUST NOT</bcp14> attempt to
validate answers received in response to queries for the IPv6 AAAA
address records for 'ipv4only.arpa' since, by definition, any
such answers are generated by the local network's DNS64/NAT64
gateway, not the authoritative server responsible for that name.
</t>
</li>
<li>
<t>For the purposes of this section, recursive resolvers fall into
two categories.
The first category is traditional recursive resolvers, which
includes
*forwarding* recursive resolvers, as commonly implemented in
residential home gateways,
and *iterative* recursive resolvers, as commonly deployed by ISPs. and *iterative* recursive resolvers, as commonly deployed by ISPs.
More information on these terms can be found in <xref target="RFC849 The second category is DNS64 recursive resolvers, whose purpose is
9">DNS Terminology</xref>. to synthesize IPv6 address records.
The second category is DNS64 recursive resolvers, whose purpose is t These may be *forwarding* DNS64 recursive resolvers or *iterative*
o synthesize IPv6 address records. DNS64 recursive resolvers,
These may be *forwarding* DNS64 recursive resolvers or *iterative* D and they work in partnership with a companion NAT64 gateway to
NS64 recursive resolvers, communicate the appropriate
and they work in partnership with a companion NAT64 gateway to commu
nicate the appropriate
NAT64 address synthesis prefix to clients. NAT64 address synthesis prefix to clients.
<vspace blankLines="1" /> More information on these terms can be found in
Traditional forwarding recursive resolvers SHOULD NOT recognize 'ipv <xref target="RFC8499" format="default">the DNS Terminology
4only.arpa' document</xref>.
as special or give that name, or subdomains of that name, any specia </t>
l treatment. <t>
The rationale for this is that a traditional forwarding recursive re Traditional forwarding recursive resolvers <bcp14>SHOULD
solver, NOT</bcp14> recognize 'ipv4only.arpa'
such as built in to a residential home gateway, may itself be downst as special or give that name, or subdomains of that name, any
ream of a DNS64 recursive resolver. special treatment.
Passing through the 'ipv4only.arpa' queries to the upstream DNS64 re The rationale for this is that a traditional forwarding recursive
cursive resolver will allow resolver,
such as built in to a residential home gateway, may itself be
downstream of a DNS64 recursive resolver.
Passing through the 'ipv4only.arpa' queries to the upstream DNS64
recursive resolver will allow
the correct NAT64 prefix to be discovered. the correct NAT64 prefix to be discovered.
<vspace blankLines="1" /> </t>
<t>
Traditional iterative recursive resolvers that are not explicitly Traditional iterative recursive resolvers that are not explicitly
configured to synthesize IPv6 prefixes on behalf of a companion NAT6 configured to synthesize IPv6 prefixes on behalf of a companion
4 gateway NAT64 gateway
need not recognize 'ipv4only.arpa' as special or take any special ac need not recognize 'ipv4only.arpa' as special or take any special
tion. action.
<vspace blankLines="1" /> </t>
Forwarding or iterative recursive resolvers <t>
that have been explicitly configured to perform DNS64 address synthe Forwarding or iterative recursive resolvers that have been
sis explicitly configured to perform DNS64 address synthesis in
in support of a companion NAT64 gateway (i.e, "DNS64 recursive resol support of a companion NAT64 gateway (i.e., "DNS64 recursive
vers") resolvers") <bcp14>MUST</bcp14> recognize 'ipv4only.arpa' as
MUST recognize 'ipv4only.arpa' as special. special. The authoritative name servers for 'ipv4only.arpa'
The authoritative name servers for 'ipv4only.arpa' cannot be cannot be expected to know the local network's NAT64 address
expected to know the local network's NAT64 address synthesis prefix, synthesis prefix, so consulting the authoritative name servers for
so consulting the authoritative name servers for IPv6 address record IPv6 address records for 'ipv4only.arpa' is futile. All DNS64
s for 'ipv4only.arpa' is futile. recursive resolvers <bcp14>MUST</bcp14> recognize 'ipv4only.arpa'
All DNS64 recursive resolvers MUST recognize 'ipv4only.arpa' (and al (and all of its subdomains) as special, and they <bcp14>MUST
l of its subdomains) as special, NOT</bcp14> attempt to look up NS records for 'ipv4only.arpa' or
and MUST NOT attempt to look up NS records for 'ipv4only.arpa', otherwise query authoritative name servers in an attempt to
or otherwise query authoritative name servers in an attempt to resol resolve this name. Instead, DNS64 recursive resolvers
ve this name. <bcp14>MUST</bcp14> act as authoritative for this zone, by
Instead, DNS64 recursive resolvers MUST act generating immediate responses for all queries for 'ipv4only.arpa'
as authoritative for this zone, by generating immediate responses fo (and any subdomain of 'ipv4only.arpa'), with the one exception of
r all queries queries for the DS record. Queries for the DS record are resolved
for 'ipv4only.arpa' (and any subdomain of 'ipv4only.arpa'), with the the usual way to allow a client to securely verify that the
one 'ipv4only.arpa' zone has an insecure delegation. Note that this
exception of queries for the DS record. exception is not expected to receive widespread usage, since any
Queries for the DS record are resolved the usual way to allow a clie client compliant with this specification already knows that
nt 'ipv4only.arpa' is an insecure delegation and will not attempt
to securely verify that the 'ipv4only.arpa' zone has an insecure del DNSSEC validation for this name.
egation. </t>
Note that this exception is not expected to receive widespread usage <t>
, DNS64 recursive resolvers <bcp14>MUST</bcp14> generate
since any client compliant with this specification already knows tha the 192.0.0.170 and 192.0.0.171 responses for IPv4 address queries
t (DNS qtype "A"),
'ipv4only.arpa' is an insecure delegation and will not attempt DNSSE the appropriate synthesized IPv6 address record responses for IPv6
C validation for this name. address queries (DNS qtype "AAAA"),
<vspace blankLines="1" /> and a negative ("no&nbsp;error&nbsp;no&nbsp;answer") response for
DNS64 recursive resolvers MUST generate all other query types except DS.
the 192.0.0.170 and 192.0.0.171 responses for IPv4 address queries ( </t>
DNS qtype "A"), <t>
the appropriate synthesized IPv6 address record responses for IPv6 a For all subdomains of 'ipv4only.arpa', DNS64 recursive resolvers
ddress queries (DNS qtype "AAAA"), <bcp14>MUST</bcp14> generate immediate NXDOMAIN responses.
and a negative ("no&nbsp;error&nbsp;no&nbsp;answer") response for al All names falling below 'ipv4only.arpa' are defined to be
l other query types except DS. nonexistent.
<vspace blankLines="1" /> </t>
For all subdomains of 'ipv4only.arpa', DNS64 recursive resolvers MUS <t>
T generate immediate NXDOMAIN responses. An example configuration for BIND 9 showing how to achieve the
All names falling below 'ipv4only.arpa' are defined to be nonexisten desired result
t.
<vspace blankLines="1" />
An example configuration for BIND 9 showing how to achieve the desir
ed result
is given in <xref target="app-a" format="none">Appendix A</xref>. is given in <xref target="app-a" format="none">Appendix A</xref>.
<vspace blankLines="1" />
Note that this is *not* a locally served zone in the usual sense of
that term
<xref target="RFC6303"/> because this rule applies *only* to DNS64 r
ecursive resolvers,
not to forwarding DNS recursive resolvers.
</t> </t>
<t>
<t>Authoritative name server software need not recognize Note that this is *not* a locally served zone in the usual sense
'ipv4only.arpa' as special or handle it in any special way.</t> of that term
<xref target="RFC6303" format="default"/> because this rule
<t>Generally speaking, operators of authoritative name servers need applies *only* to DNS64 recursive resolvers,
not know anything about the name 'ipv4only.arpa', just as they do no not to traditional forwarding or iterative recursive resolvers.
t need
to know anything about any other names they are not responsible for.
Only the administrators of the 'arpa' namespace need to be aware
of this name's purpose and how it should be configured.
In particular, 'ipv4only.arpa' MUST have the required records, and
MUST be an insecure delegation,
to allow DNS64 recursive resolvers to create synthesized AAAA answer
s
within that zone. Making the 'ipv4only.arpa' zone a secure delegatio
n would make it impossible
for DNS64 recursive resolvers to create synthesized AAAA answers tha
t
will be accepted by DNSSEC validating clients, thereby defeating the
entire purpose of the 'ipv4only.arpa' name.
</t> </t>
</li>
<t>DNS Registries/Registrars need not know anything about <li>Authoritative name server software need not recognize
'ipv4only.arpa' as special or handle it in any special way.</li>
<li>Generally speaking, operators of authoritative name servers need
not know anything about the name 'ipv4only.arpa', just as they do
not need to know anything about any other names they are not
responsible for. Only the administrators of the 'arpa' namespace
need to be aware of this name's purpose and how it should be
configured. In particular, 'ipv4only.arpa' <bcp14>MUST</bcp14> have
the required records, and <bcp14>MUST</bcp14> be an insecure
delegation, to allow DNS64 recursive resolvers to create synthesized
AAAA answers within that zone. Making the 'ipv4only.arpa' zone a
secure delegation would make it impossible for DNS64 recursive
resolvers to create synthesized AAAA answers that will be accepted
by DNSSEC validating clients, thereby defeating the entire purpose
of the 'ipv4only.arpa' name.
</li>
<li>DNS Registries/Registrars need not know anything about
the name 'ipv4only.arpa', just as they do not need to know the name 'ipv4only.arpa', just as they do not need to know
anything about any other name they are not responsible for.</t> anything about any other name they are not responsible for.</li>
</list> </ol>
</t> </section>
<?rfc needLines="25" ?> <section numbered="true" toc="default">
</section> <name>Names '170.0.0.192.in&nbhy;addr.arpa' and
'171.0.0.192.in&nbhy;addr.arpa'</name>
<section title="Names '170.0.0.192.in&nbhy;addr.arpa' and '171.0.0.192.in& <t>Since the IPv4 addresses 192.0.0.170 and 192.0.0.171 are defined to
nbhy;addr.arpa'"> be special, and are listed in the <xref target="SUv4"
<t>Since the IPv4 addresses 192.0.0.170 and 192.0.0.171 are defined format="default">IANA IPv4 Special-Purpose Address Registry</xref>,
to be special, and are listed in the the
<xref target="SUv4">IPv4 Special-Purpose Address Registry</xref>, corresponding reverse mapping names in the in&nbhy;addr.arpa domain
the corresponding reverse mapping names in the in&nbhy;addr.arpa domain
are similarly special.</t> are similarly special.</t>
<t>The name '170.0.0.192.in&nbhy;addr.arpa' is defined, <xref
target="RFC7050" format="default">by IETF specification</xref>, to
have only one DNS record, type PTR, with rdata 'ipv4only.arpa'.</t>
<t>The name '171.0.0.192.in&nbhy;addr.arpa' is defined, <xref
target="RFC7050" format="default">by IETF specification</xref>, to
have only one DNS record, type PTR, with rdata 'ipv4only.arpa'.</t>
<t>There are no subdomains of '170.0.0.192.in&nbhy;addr.arpa' or
'171.0.0.192.in&nbhy;addr.arpa'. All names falling below these names
are defined to be nonexistent (NXDOMAIN).</t>
<t>Practically speaking, these two names are rarely used, but to the
extent that they may be, they are special only to resolver APIs and
libraries, as described in item 3 below:
<t>The name '170.0.0.192.in&nbhy;addr.arpa' is defined, <xref target="RF
C7050">by IETF specification</xref>,
to have only one DNS record, type PTR, with rdata 'ipv4only.arpa'.</t>
<t>The name '171.0.0.192.in&nbhy;addr.arpa' is defined, <xref target="RF
C7050">by IETF specification</xref>,
to have only one DNS record, type PTR, with rdata 'ipv4only.arpa'.</t>
<t>There are no subdomains of '170.0.0.192.in&nbhy;addr.arpa' or '171.0.
0.192.in&nbhy;addr.arpa'.
All names falling below these names are defined to be nonexistent (NXDOM
AIN).</t>
<t>Practically speaking these two names are rarely used, but to the exte
nt that
they may be, they are special only to resolver APIs and libraries, as
described in item 3 below:
<list style="numbers">
<t>Normal users should never have reason to encounter these two reve
rse mapping names.
However, if they do, queries for these reverse mapping names should
return the expected answer 'ipv4only.arpa'.
Normal users have no need to know that these reverse mapping names a
re special.</t>
<t>Application software SHOULD NOT recognize these two reverse mappi
ng
names as special, and SHOULD NOT treat them differently.<vspace />
For example, if the user were to issue the Unix command "host&nbsp;1
92.0.0.170"
then the "host" command should call the name resolution API or libra
ry as usual and display the
result that is returned.</t>
<t>Name resolution APIs and libraries SHOULD recognize these two rev
erse
mapping names as special and generate the required responses locally
.
For the names '170.0.0.192.in&nbhy;addr.arpa' and '171.0.0.192.in&nb
hy;addr.arpa'
PTR queries yield the result 'ipv4only.arpa';
all other query types yield a negative ("no&nbsp;error&nbsp;no&nbsp;
answer") response.
For all subdomains of these two reverse mapping domains, all queries
yield an NXDOMAIN response.
All names falling below these two reverse mapping domains are define
d to be nonexistent.
<vspace blankLines="1" />
This local self-contained generation of these responses is to avoid
placing unnecessary load on the authoritative 'in&nbhy;addr.arpa' na
me servers.</t>
<?rfc needLines="12" ?>
<t>Recursive resolvers SHOULD NOT recognize these two reverse mappin
g
names as special and SHOULD NOT, by default, give them any special t
reatment.</t>
<t>Authoritative name server software need not recognize
these two reverse mapping names as special or handle them in any spe
cial way.</t>
<t>Generally speaking, most operators of authoritative name servers
need
not know anything about these two reverse mapping names, just as the
y do not need
to know anything about any other names they are not responsible for.
Only the operators of the authoritative name servers for these two r
everse mapping names
need to be aware that these names are special, and require fixed ans
wers specified by IETF specification.</t>
<t>DNS Registries/Registrars need not know anything about
these two reverse mapping names, just as they do not need to know
anything about any other name they are not responsible for.</t>
</list>
</t> </t>
<ol spacing="normal" type="1">
<li>Normal users should never have reason to encounter these two
reverse mapping names. However, if they do, queries for these
reverse mapping names should return the expected answer
'ipv4only.arpa'. Normal users have no need to know that these
reverse mapping names are special.</li>
<li>
<t>Application software <bcp14>SHOULD NOT</bcp14> recognize these
two reverse mapping names as special and <bcp14>SHOULD
NOT</bcp14> treat them differently. For example, if the
user were to issue the Unix command "host&nbsp;192.0.0.170", then
the "host" command should call the name resolution API or library
as usual and display the result that is returned.</t>
</li>
<li>
<t>Name resolution APIs and libraries <bcp14>SHOULD</bcp14>
recognize these two reverse mapping names as special and generate
the required responses locally. For the names
'170.0.0.192.in&nbhy;addr.arpa' and
'171.0.0.192.in&nbhy;addr.arpa', PTR queries yield the result
'ipv4only.arpa'; all other query types yield a negative
("no&nbsp;error&nbsp;no&nbsp;answer") response. For all
subdomains of these two reverse mapping domains, all queries yield
an NXDOMAIN response. All names falling below these two reverse
mapping domains are defined to be nonexistent.
</t>
<t>
This local self-contained generation of these responses is to
avoid
placing unnecessary load on the authoritative 'in&nbhy;addr.arpa'
name servers.</t>
</li>
<li>Recursive resolvers <bcp14>SHOULD NOT</bcp14> recognize these
two reverse mapping
names as special and <bcp14>SHOULD NOT</bcp14>, by default, give
them any special treatment.</li>
<li>Authoritative name server software need not recognize
these two reverse mapping names as special or handle them in any
special way.</li>
<li>Generally speaking, most operators of authoritative name servers
need
not know anything about these two reverse mapping names, just as
they do not need
to know anything about any other names they are not responsible
for.
Only the operators of the authoritative name servers for these two
reverse mapping names
need to be aware that these names are special, and require fixed
answers specified by IETF specification.</li>
<li>DNS Registries/Registrars need not know anything about
these two reverse mapping names, just as they do not need to know
anything about any other name they are not responsible for.</li>
</ol>
<?rfc needLines="27" ?> <section numbered="true" toc="default">
<section title="ip6.arpa Reverse Mapping PTR Records"> <name>ip6.arpa Reverse Mapping PTR Records</name>
<t>For all IPv6 addresses synthesized by a DNS64 recursive resolver, <t>For all IPv6 addresses synthesized by a DNS64 recursive resolver,
the DNS64 recursive resolver is responsible for the DNS64 recursive resolver is responsible for
synthesizing the appropriate 'ip6.arpa' reverse mapping PTR records to synthesizing the appropriate 'ip6.arpa' reverse mapping PTR records
o, too,
if it chooses to provide reverse mapping PTR records. if it chooses to provide reverse mapping PTR records.
The same applies to the synthesized IPv6 addresses corresponding The same applies to the synthesized IPv6 addresses corresponding
to the IPv4 addresses 192.0.0.170 and 192.0.0.171.</t> to the IPv4 addresses 192.0.0.170 and 192.0.0.171.</t>
<t>Generally, a DNS64 recursive resolver synthesizes
<t>Generally a DNS64 recursive resolver synthesizes
appropriate 'ip6.arpa' reverse mapping PTR records by extracting appropriate 'ip6.arpa' reverse mapping PTR records by extracting
the embedded IPv4 address from the encoded IPv6 address, the embedded IPv4 address from the encoded IPv6 address,
performing a reverse mapping PTR query for that IPv4 address, performing a reverse mapping PTR query for that IPv4 address,
and then synthesizing a corresponding 'ip6.arpa' reverse mapping and then synthesizing a corresponding 'ip6.arpa' reverse mapping
PTR record containing the same rdata.</t> PTR record containing the same rdata.</t>
<?rfc needLines="20" ?>
<t>In the case of synthesized IPv6 addresses corresponding <t>In the case of synthesized IPv6 addresses corresponding
to the IPv4 addresses 192.0.0.170 and 192.0.0.171, to the IPv4 addresses 192.0.0.170 and 192.0.0.171,
the DNS64 recursive resolver does not issue reverse mapping queries the DNS64 recursive resolver does not issue reverse mapping queries
for those IPv4 addresses, but instead, according to rule 3 above, for those IPv4 addresses, but instead, according to rule 3 above,
immediately returns the answer 'ipv4only.arpa'.</t> immediately returns the answer 'ipv4only.arpa'.</t>
<t>In the case of a client that uses the 'ipv4only.arpa' query to
<t>In the case of a client that uses the 'ipv4only.arpa' query to disc discover the
over the IPv6 prefixes in use by the local NAT64 gateway, and then proceeds
IPv6 prefixes in use by the local NAT64 gateway, and then proceeds to to perform
perform its own address synthesis locally (which has benefits such as
its own address synthesis locally (which has benefits such as allowing allowing DNSSEC validation),
DNSSEC validation), that client <bcp14>MUST</bcp14> also synthesize 'ip6.arpa' reverse
that client MUST also synthesize 'ip6.arpa' reverse mapping PTR mapping PTR
records for those discovered prefix(es), according to the rules above: records for those discovered prefix(es), according to the rules
above:
When a client's name resolution APIs and libraries receive a request When a client's name resolution APIs and libraries receive a request
to look up an 'ip6.arpa' reverse mapping PTR record for an address tha to look up an 'ip6.arpa' reverse mapping PTR record for an address
t that
falls within one of the discovered NAT64 address synthesis prefixes, falls within one of the discovered NAT64 address synthesis prefixes,
the software extracts the embedded IPv4 address and then, the software extracts the embedded IPv4 address and then,
for IPv4 addresses 192.0.0.170 and 192.0.0.171, returns the fixed answ for IPv4 addresses 192.0.0.170 and 192.0.0.171, returns the fixed
er 'ipv4only.arpa', answer 'ipv4only.arpa',
and for all other IPv4 addresses performs a reverse mapping PTR query and for all other IPv4 addresses, performs a reverse mapping PTR
for query for
the IPv4 address, and then synthesizes a corresponding 'ip6.arpa' the IPv4 address and then synthesizes a corresponding 'ip6.arpa'
reverse mapping PTR record containing the same rdata.</t> reverse mapping PTR record containing the same rdata.</t>
<?rfc needLines="38" ?>
</section> </section>
</section> </section>
</section> </section>
<section anchor="Acknowledgements" title="Acknowledgements">
<t>Thanks to Jouni Korhonen, Teemu Savolainen, and Dan Wing, for devising
the <xref target="RFC7050">NAT64 Prefix Discovery mechanism</xref>,
and for their feedback on this document.</t>
<t>Thanks to Geoff Huston for his feedback on this document.</t>
<t>Thanks to Erik Kline for pointing out that the in&nbhy;addr.arpa names
are special too.</t>
<t>Thanks to Mark Andrews for conclusively pointing out the reasons why th
e 'ipv4only.arpa'
zone must be an insecure delegation in order for the
<xref target="RFC7050">NAT64 Prefix Discovery mechanism</xref> to work,
and many other very helpful comments.</t>
<t>Thanks particularly to Lorenzo Colitti for an especially spirited hallw
ay discussion at
IETF 96 in Berlin, which lead directly to significant improvements in how
this
document presents the issues.</t>
<t>Thanks to Scott Bradner, Bernie Volz, Barry Leiba, Mirja Kühlewind, Sur
esh Krishnan,
Benjamin Kaduk, Roman Danyliw, Éric Vyncke and the other IESG reviewers fo
r their thoughtful feedback.</t>
<t>Thanks to Dave Thaler and Warren Kumari for generously helping
shepherd this document through the publication process.</t>
</section>
</middle> </middle>
<back> <back>
<?rfc needLines="38" ?> <references>
<references title="Normative References"> <name>References</name>
<?rfc include="reference.RFC.2119" ?> <references>
<?rfc include="reference.RFC.3646" ?> <name>Normative References</name>
<?rfc include="reference.RFC.6146" ?> <xi:include
<?rfc include="reference.RFC.6147" ?> href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.
<?rfc include="reference.RFC.6761" ?> 2119.xml"/>
<?rfc include="reference.RFC.7050" ?> <xi:include
<?rfc include="reference.RFC.8106" ?> href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.
<?rfc include="reference.RFC.8174" ?> 3646.xml"/>
</references> <xi:include
href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.
<references title="Informative References"> 6146.xml"/>
<xi:include
href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.
6147.xml"/>
<xi:include
href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.
6761.xml"/>
<xi:include
href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.
7050.xml"/>
<xi:include
href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.
8106.xml"/>
<xi:include
href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.
8174.xml"/>
</references>
<references>
<name>Informative References</name>
<xi:include
href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.
6303.xml"/>
<xi:include
href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.
8244.xml"/>
<xi:include
href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.
8499.xml"/>
<?rfc include="reference.RFC.6303" ?> <reference anchor="SUDN"
<?rfc include="reference.RFC.8244" ?> target="https://www.iana.org/assignments/special-use-domain-na
<?rfc include="reference.RFC.8499" ?> mes/">
<front>
<title>Special-Use Domain Names</title>
<author>
<organization>IANA
</organization>
</author>
</front>
</reference>
<reference anchor="SUDN" <reference anchor="SUv4"
target="https://www.iana.org/assignments/special-use-domain-names/"> target="https://www.iana.org/assignments/iana-ipv4-special-reg
<front> istry/">
<title>Special-Use Domain Names Registry</title> <front>
<author/> <title>IANA IPv4 Special-Purpose Address Registry</title>
<date/>
</front>
</reference>
<reference anchor="SUv4" <author>
target="https://www.iana.org/assignments/iana-ipv4-special-registry/"> <organization>IANA
<front> </organization>
<title>IANA IPv4 Special-Purpose Address Registry</title> </author>
<author/> </front>
<date/> </reference>
</front>
</reference>
<reference anchor="DNS1" <reference anchor="DNS1" target="https://1.1.1.1/">
target="https://1.1.1.1/"> <front>
<front> <title>1.1.1.1 - The free app that makes your Internet
<title>1.1.1.1 - The free app that makes your Internet safer</title> safer.</title>
<author/> <author>
<date/> <organization>Cloudflare
</front> </organization>
</reference> </author>
</front>
</reference>
<reference anchor="DNS8" <reference anchor="DNS8"
target="https://developers.google.com/speed/public-dns/"> target="https://developers.google.com/speed/public-dns/">
<front> <front>
<title>Google Public DNS</title> <title>Google Public DNS</title>
<author/> <author>
<date/> <organization>Google
</front> </organization>
</reference> </author>
</front>
</reference>
<reference anchor="DNS9" <reference anchor="DNS9" target="https://quad9.net/">
target="https://quad9.net/"> <front>
<front> <title>Internet Security and Privacy In a Few Easy Steps</title>
<title>Quad9 - Internet Security and Privacy In a Few Easy Steps</titl <author>
e> <organization>Quad9
<author/> </organization>
<date/> </author>
</front>
</reference>
</front>
</reference>
</references>
</references> </references>
<section anchor="app-a" numbered="true" toc="default">
<?rfc needLines="40" ?> <name>Example BIND 9 Configuration</name>
<section anchor="app-a" title="Example BIND 9 Configuration">
<t>A BIND 9 recursive resolver can be configured to <t>A BIND 9 recursive resolver can be configured to
act as authoritative for the necessary DNS64 names as described below.</t> act as authoritative for the necessary DNS64 names as described
below.</t>
<t>In /etc/named.conf the following line is added: <t>In /etc/named.conf, the following line is added:
<figure><artwork> </t>
zone "ipv4only.arpa" { type master; file "ipv4only"; };</artwork><
/figure></t>
<artwork name="" type="" align="left" alt=""><![CDATA[
zone "ipv4only.arpa" { type master; file "ipv4only"; };]]></artwor
k>
<t>The file /var/named/ipv4only is created with the following content: <t>The file /var/named/ipv4only is created with the following content:
<figure><artwork> </t>
<artwork name="" type="" align="left" alt=""><![CDATA[
$TTL 86400 ; Default TTL 24 hours $TTL 86400 ; Default TTL 24 hours
@ IN SOA nameserver.example. admin.nameserver.example. ( @ IN SOA nameserver.example. admin.nameserver.example. (
2016052400 ; Serial 2016052400 ; Serial
7200 ; Refresh ( 7200 = 2 hours) 7200 ; Refresh ( 7200 = 2 hours)
3600 ; Retry ( 3600 = 1 hour) 3600 ; Retry ( 3600 = 1 hour)
15724800 ; Expire (15724800 = 6 months) 15724800 ; Expire (15724800 = 6 months)
60 ; Minimum 60 ; Minimum
) )
@ IN NS nameserver.example. @ IN NS nameserver.example.
@ IN A 192.0.0.170 @ IN A 192.0.0.170
@ IN A 192.0.0.171 @ IN A 192.0.0.171
@ IN AAAA 64:ff9b::192.0.0.170 ; If not using Well-Known Prefix @ IN AAAA 64:ff9b::192.0.0.170 ; If not using Well-Known Prefix
@ IN AAAA 64:ff9b::192.0.0.171 ; place chosen NAT64 prefix here</artwork></fi @ IN AAAA 64:ff9b::192.0.0.171 ; place chosen NAT64 prefix here]]></artwork>
gure></t> </section>
<section anchor="Acknowledgements" numbered="false" toc="default">
<name>Acknowledgements</name>
<t>Thanks to <contact fullname="Jouni Korhonen"/>, <contact
fullname="Teemu Savolainen"/>, and <contact fullname="Dan Wing"/>, for
devising the <xref
target="RFC7050" format="default">NAT64 Prefix Discovery
mechanism</xref> and for their feedback on this document.</t>
<t>Thanks to <contact fullname="Geoff Huston"/> for his feedback on this
document.</t>
<t>Thanks to <contact fullname="Erik Kline"/> for pointing out that the
in&nbhy;addr.arpa names are special, too.</t>
<t>Thanks to <contact fullname="Mark Andrews"/> for conclusively
pointing out the reasons why the 'ipv4only.arpa' zone must be an
insecure delegation in order for the <xref target="RFC7050"
format="default">NAT64 Prefix Discovery mechanism</xref> to
work and for
many other very helpful comments.</t>
<t>Thanks particularly to <contact fullname="Lorenzo Colitti"/> for an
especially spirited hallway discussion at IETF 96 in Berlin, which lead
directly to significant improvements in how this document presents the
issues.</t>
<t>Thanks to <contact fullname="Scott Bradner"/>, <contact
fullname="Bernie Volz"/>, <contact fullname="Barry Leiba"/>, <contact
fullname="Mirja Kuehlewind"/>, <contact fullname="Suresh Krishnan"/>,
<contact fullname="Benjamin Kaduk"/>, <contact fullname="Roman
Danyliw"/>, <contact fullname="Eric Vyncke"/>, and the
other IESG reviewers for their thoughtful feedback.</t>
<t>Thanks to <contact fullname="Dave Thaler"/> and <contact
fullname="Warren Kumari"/> for generously helping shepherd this document
through the publication process.</t>
</section> </section>
</back> </back>
</rfc> </rfc>
 End of changes. 124 change blocks. 
830 lines changed or deleted 817 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/