idnits 2.17.1 draft-cheshire-sudn-ipv4only-dot-arpa-10.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([RFC7050]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. == There are 20 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. == There are 1 instance of lines with non-RFC3849-compliant IPv6 addresses in the document. If these are example addresses, they should be changed. -- The draft header indicates that this document updates RFC7050, but the abstract doesn't seem to directly say this. It does mention RFC7050 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (July 2, 2018) is 2125 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 6106 (Obsoleted by RFC 8106) Summary: 2 errors (**), 0 flaws (~~), 4 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group S. Cheshire 3 Internet-Draft D. Schinazi 4 Updates: 7050 (if approved) Apple Inc. 5 Intended status: Standards Track July 2, 2018 6 Expires: January 3, 2019 8 Special Use Domain Name 'ipv4only.arpa' 9 draft-cheshire-sudn-ipv4only-dot-arpa-10 11 Abstract 13 The specification for how a client discovers its network's NAT64 14 prefix [RFC7050] defines the special name 'ipv4only.arpa' for this 15 purpose, but declares it to be a non-special name in that 16 specification's Domain Name Reservation Considerations section. 18 Consequently, despite the well articulated special purpose of the 19 name, 'ipv4only.arpa' was not recorded in the Special-Use Domain 20 Names registry as a name with special properties. 22 As a result of this omission, in cases where software needs to give 23 this name special treatment in order for it to work correctly, there 24 was no clear mandate authorizing software authors to implement that 25 special treatment. Software implementers were left with the choice 26 between not implementing the special behavior necessary for the name 27 queries to work correctly, or implementing the special behavior and 28 being accused of being noncompliant with some RFC. 30 This document formally declares the actual special properties of the 31 name, and adds similar declarations for the corresponding reverse 32 mapping names. 34 Status of This Memo 36 This Internet-Draft is submitted in full conformance with the 37 provisions of BCP 78 and BCP 79. 39 Internet-Drafts are working documents of the Internet Engineering 40 Task Force (IETF). Note that other groups may also distribute 41 working documents as Internet-Drafts. The list of current Internet- 42 Drafts is at http://datatracker.ietf.org/drafts/current/. 44 Internet-Drafts are draft documents valid for a maximum of six months 45 and may be updated, replaced, or obsoleted by other documents at any 46 time. It is inappropriate to use Internet-Drafts as reference 47 material or to cite them other than as "work in progress." 48 This Internet-Draft will expire on January 3, 2019. 50 Copyright Notice 52 Copyright (c) 2018 IETF Trust and the persons identified as the 53 document authors. All rights reserved. 55 This document is subject to BCP 78 and the IETF Trust's Legal 56 Provisions Relating to IETF Documents 57 (http://trustee.ietf.org/license-info) in effect on the date of 58 publication of this document. Please review these documents 59 carefully, as they describe your rights and restrictions with respect 60 to this document. Code Components extracted from this document must 61 include Simplified BSD License text as described in Section 4.e of 62 the Trust Legal Provisions and are provided without warranty as 63 described in the Simplified BSD License. 65 1. Introduction 67 The specification for how a client discovers its network's NAT64 68 prefix [RFC7050] defines the special name 'ipv4only.arpa' for this 69 purpose, but declares it to be a non-special name in that 70 specification's Domain Name Reservation Considerations section. 72 Consequently, despite the well articulated special purpose of the 73 name, 'ipv4only.arpa' was not recorded in the Special-Use Domain 74 Names registry [SUDN] as a name with special properties. 76 This omission was discussed in the Special-Use Domain Names Problem 77 Statement [RFC8244]. 79 As a result of this omission, in cases where software needs to give 80 this name special treatment in order for it to work correctly, there 81 was no clear mandate authorizing software authors to implement that 82 special treatment. Software implementers were left with the choice 83 between not implementing the special behavior necessary for the name 84 queries to work correctly, or implementing the special behavior and 85 being accused of being noncompliant with some RFC. 87 This document formally declares the actual special properties of the 88 name, and adds similar declarations for the corresponding reverse 89 mapping names. 91 2. Conventions and Terminology Used in this Section 93 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 94 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", 95 and "OPTIONAL" in this section are to be interpreted as described 96 in "Key words for use in RFCs to Indicate Requirement Levels", 97 when, and only when, they appear in all capitals, as shown here 98 [RFC2119] [RFC8174]. 100 3. Specialness of 'ipv4only.arpa' 102 The hostname 'ipv4only.arpa' is peculiar in that it was never 103 intended to be treated like a normal hostname. 105 A typical client never looks up the IPv4 address records for 106 'ipv4only.arpa', because it is already known, by specification 107 [RFC7050], to have exactly two IPv4 address records, 192.0.0.170 and 108 192.0.0.171. No client ever has to look up the name in order to 109 learn those two addresses. 111 In contrast, clients often look up the IPv6 AAAA address records for 112 'ipv4only.arpa', which is contrary to general DNS expectations, given 113 that it is already known, by specification [RFC7050], that no such 114 IPv6 AAAA address records exist. And yet, clients expect to receive, 115 and do in fact receive, positive answers for these IPv6 AAAA address 116 records that are known to not exist. 118 This is clearly not a typical DNS name. In normal operation, clients 119 never query for the two records that do in fact exist; instead they 120 query for records that are known to not exist, and then get positive 121 answers to those abnormal queries. Clients are using DNS to perform 122 queries for this name, but they are certainly not using DNS to learn 123 legitimate answers from the name's legitimate authoritative server. 124 Instead, these clients have, in effect, co-opted the DNS protocol as 125 an impromptu client-to-middlebox communication protocol, to 126 communicate with the NAT64/DNS64 [RFC6146] [RFC6147] gateway, if 127 present, and request that it disclose the prefix it is using for IPv6 128 address synthesis. 130 It is this use of specially-crafted DNS queries as an impromptu 131 client-to-middlebox communication protocol that makes the name 132 'ipv4only.arpa' most definitely a special name, and one that needs to 133 be listed in IANA's registry along with other DNS names that have 134 special uses [SUDN]. 136 4. Consequences of 'ipv4only.arpa' previously being declared unspecial 138 As a result of the original specification [RFC7050] not formally 139 declaring 'ipv4only.arpa' to have special properties, there was no 140 mandate for any DNS software to treat this name specially. 141 Consequently, queries for this name had to be handled normally, 142 resulting in unnecessary queries to the authoritative 'arpa' name 143 servers. 145 Having millions of devices around the world issue these queries 146 generated pointless additional load on the authoritative 'arpa' name 147 servers, which was completely unnecessary when the name 148 'ipv4only.arpa' is defined, by Internet Standard, to have exactly two 149 IPv4 address records, 192.0.0.170 and 192.0.0.171, and no other IPv4 150 or IPv6 address records. 152 Also, at times, for reasons that remain unclear, the authoritative 153 'arpa' name servers have been observed to be slow or unresponsive. 154 The failures of these 'ipv4only.arpa' queries result in unnecessary 155 failures of software that depends on them for DNS64 [RFC6147] address 156 synthesis. 158 Even when the authoritative 'arpa' name servers are operating 159 correctly, having to perform an unnecessary query to obtain an answer 160 that is already known in advance can add precious milliseconds of 161 delay for no reason. 163 A more serious problem occurs when a device is configured to use a 164 recursive resolver other than the one it learned from the network. 165 Typically a device joining a NAT64 network will learn the recursive 166 resolver recommended for that network either via IPv6 Router 167 Advertisement Options for DNS Configuration [RFC6106] or via DNS 168 Configuration options for DHCPv6 [RFC3646]. On a NAT64 network it is 169 essential that the client use the DNS64 recursive resolver 170 recommended for that network, since only that recursive resolver can 171 be relied upon to know the appropriate prefix(es) to use for 172 synthesizing IPv6 addresses that will be acceptable to the NAT64 173 gateway. 175 However, it is increasingly common for users to manually override 176 their default DNS configuration because they wish to use some other 177 public recursive resolver on the Internet, which may offer better 178 speed, better reliability, or better privacy than the local network's 179 default recursive resolver. At the time of writing, examples of 180 widely known public recursive resolver services include 1.1.1.1, 181 8.8.8.8, and 9.9.9.9. 183 Another common scenario is the use of corporate VPN client software, 184 which overrides the local network's default configuration to divert 185 DNS requests to the company's own private internal recursive 186 resolver, because the local network's recursive resolver will 187 typically be unable to provide answers for the company's private 188 internal host names. Similarly, the company's private internal 189 recursive resolver may not be able to synthesize IPv6 addresses 190 correctly for use with the local network's NAT64 gateway, because it 191 is unlikely to be aware of the NAT64 prefix in use on the local 192 network. It is clear that a single recursive resolver cannot meet 193 both needs. The local network's recursive resolver cannot give 194 answers for some company's private internal host names, and some 195 company's private internal recursive resolver cannot give correctly 196 synthesized IPv6 addresses suitable for the local network's NAT64 197 gateway. 199 The conflict here arises because DNS is being used for two unrelated 200 purposes. The first purpose is retrieving data from a (nominally) 201 global database -- generally retrieving the IP address(es) associated 202 with a hostname. The second purpose is using the DNS protocol as a 203 middlebox communication protocol, to interrogate the local network 204 infrastructure to discover the IPv6 prefix(es) in use by the local 205 NAT64 gateway for address synthesis. 207 Possibly this problem could have been avoided if we had forced all 208 NAT64 gateways to use the same Well-Known Prefix for IPv6 address 209 synthesis [RFC6052]. If the decision had been made to use a single 210 fixed Well-Known Prefix, then there would have been no need for 211 clients to discover the local network's NAT64 prefix, and no need for 212 the 'ipv4only.arpa' [RFC7050] query. However, that was not the 213 decision that was made. 215 This document leverages operational experience to update the Domain 216 Name Reservation Considerations [RFC6761] section of the earlier 217 specification [RFC7050] with one that accurately lists the actual 218 special properties of the name 'ipv4only.arpa', so that software can 219 legitimately implement the correct behavior necessary for better 220 performance, better reliability, and correct operation. 222 5. Security Considerations 224 Hard-coding the known answers for 'ipv4only.arpa' queries in 225 recursive resolvers reduces the risk of malicious devices 226 intercepting those queries and returning incorrect answers, 227 particularly in the case of recursive resolvers that do not perform 228 DNSSEC validation. 230 One of the known concerns with DNS64 [RFC6147] is that it interferes 231 with DNSSEC. DNSSEC may cryptographically assert that a name has no 232 IPv6 AAAA records, while at the same time DNS64 address synthesis is 233 contradicting this and claiming that IPv6 AAAA records do exist. 235 Section 3 of the DNS64 specification [RFC6147] discusses this: 237 ... DNS64 receives a query with the DO bit set and 238 the CD bit set. In this case, the DNS64 is supposed 239 to pass on all the data it gets to the query initiator. 240 This case will not work with DNS64, unless the 241 validating resolver is prepared to do DNS64 itself. 243 The NAT64 Prefix Discovery specification [RFC7050] provides the 244 mechanism for the query initiator to learn the NAT64 prefix so that 245 it can do its own validation and DNS64 synthesis as described above. 246 With this mechanism the client can (i) interrogate the local NAT64/ 247 DNS64 gateway with an 'ipv4only.arpa' query to learn the IPv6 address 248 synthesis prefix, (ii) query for the (signed) IPv4 address records 249 itself, and then (iii) perform its own IPv6 address synthesis 250 locally, combining the IPv6 address synthesis prefix learned from the 251 local NAT64/DNS64 gateway with the secure DNSSEC-signed data learned 252 from the global Domain Name System. 254 It is conceivable that over time, if DNSSEC is successful, the 255 majority of clients could move to this validate-and-synthesize- 256 locally model, which reduces the DNS64 machinery to the vestigial 257 role of simply responding to the 'ipv4only.arpa' query to report the 258 local IPv6 address synthesis prefix. In no case does the client care 259 what answer(s) the authoritative 'arpa' name servers might give for 260 that query. The 'ipv4only.arpa' query is being used purely as a 261 local client-to-middlebox communication message. 263 This approach is even more attractive if it does not create an 264 additional dependency on the authoritative 'arpa' name servers to 265 answer a query that is unnecessary because the NAT64/DNS64 gateway 266 already knows the answer before it even issues the query. Avoiding 267 this unnecessary query improves performance and reliability for the 268 client, and reduces unnecessary load for the authoritative 'arpa' 269 name servers. 271 Note that there are two security paths to consider here: The path 272 from the authoritative server to the DNS64 recursive resolver, and 273 the path from the DNS64 recursive resolver to the ultimate client. 274 On either or both paths there may be one or more DNS64-unaware 275 recursive resolvers. 277 The path from the authoritative server to the DNS64 recursive 278 resolver (queries for IPv4 address records) need not be protected by 279 DNSSEC, because the DNS64 recursive resolver already knows, by 280 specification, what the answers are. Run-time cryptographic 281 signatures are not needed to verify the value compile-time constants. 283 The path from the DNS64 recursive resolver to the ultimate client 284 (queries for IPv6 address records) *cannot* be protected by DNSSEC, 285 because the DNS64 recursive resolver is synthesizing IPv6 address 286 answers that cannot be assumed to be signed by the authoritative 287 server. 289 Consequently, the ipv4only.arpa zone MUST be an insecure delegation. 291 6. IANA Considerations 293 [Once published, this should say] 295 IANA has recorded the following names in the 296 Special-Use Domain Names registry [SUDN]: 298 ipv4only.arpa. 299 170.0.0.192.in-addr.arpa. 300 171.0.0.192.in-addr.arpa. 302 IANA has recorded the following IPv4 addresses in the 303 IPv4 Special-Purpose Address Registry [SUv4]: 305 192.0.0.170 306 192.0.0.171 308 7. Domain Name Reservation Considerations 310 7.1. Special Use Domain Name 'ipv4only.arpa' 312 The name 'ipv4only.arpa' is defined, by Internet Standard, to have 313 two IPv4 address records with rdata 192.0.0.170 and 192.0.0.171. 315 When queried via a DNS64 [RFC6147] recursive resolver, the name 316 'ipv4only.arpa' is also defined to have IPv6 AAAA records, with rdata 317 synthesized from a combination of the NAT64 IPv6 prefix(es) and the 318 IPv4 addresses 192.0.0.170 and 192.0.0.171. This can return more 319 than one pair of IPv6 addresses if there are multiple NAT64 prefixes. 321 The name 'ipv4only.arpa' has no other IPv4 or IPv6 address records. 322 There are no subdomains of ipv4only.arpa. All names falling below 323 'ipv4only.arpa' are defined to be nonexistent (NXDOMAIN). 325 The name 'ipv4only.arpa' is special to 326 (a) client software wishing to perform DNS64 address synthesis, 327 (b) APIs responsible for retrieving the correct information, and 328 (c) the DNS64 recursive resolver responding to such requests. 329 These three considerations are listed in items 2, 3 and 4 below: 331 1. Normal users should never have reason to encounter the 332 'ipv4only.arpa' domain name. If they do, they should expect 333 queries for 'ipv4only.arpa' to result in the answers required by 334 the specification [RFC7050]. Normal users have no need to know 335 that 'ipv4only.arpa' is special. 337 2. Application software may explicitly use the name 'ipv4only.arpa' 338 for NAT64/DNS64 address synthesis, and expect to get the answers 339 required by the specification [RFC7050]. If application software 340 encounters the name 'ipv4only.arpa' in the normal course of 341 handling user input, the application software should resolve that 342 name as usual and need not treat it in any special way. 344 3. Name resolution APIs and libraries MUST recognize 'ipv4only.arpa' 345 as special and MUST give it special treatment. Learning a 346 network's NAT64 prefix is by its nature an interface-specific 347 operation, and the special DNS query used to learn this 348 interface-specific NAT64 prefix MUST be sent to the DNS recursive 349 resolver address(es) the client learned via the configuration 350 machinery for that specific client interface. Regardless of any 351 manual client DNS configuration, DNS overrides configured by VPN 352 client software, or any other mechanisms that influence the 353 choice of the client's recursive resolver address(es) (including 354 client devices that run their own local recursive resolver and 355 use the loopback address as their configured recursive resolver 356 address) all queries for 'ipv4only.arpa' and any subdomains of 357 that name MUST be sent to the recursive resolver learned from the 358 network interface in question via IPv6 Router Advertisement 359 Options for DNS Configuration [RFC6106] or via DNS Configuration 360 options for DHCPv6 [RFC3646]. Because DNS queries for 361 'ipv4only.arpa' are actually a special middlebox communication 362 protocol, it is essential that they go to the correct middlebox 363 for the interface in question, and failure to honor this 364 requirement would cause failure of the NAT64 Prefix Discovery 365 mechanism [RFC7050]. 367 4. For the purposes of this section, recursive resolvers fall into 368 two categories. The first category is the traditional recursive 369 resolvers that are in widespread use today. The second category 370 is DNS64 recursive resolvers, whose purpose is to synthesize IPv6 371 address records. 373 Traditional recursive resolvers SHOULD NOT recognize 374 'ipv4only.arpa' as special or give that name, or subdomains of 375 that name, any special treatment. The rationale for this is that 376 a traditional recursive resolver, such as built in to a home 377 gateway, may itself be downstream of a DNS64 recursive resolver. 378 Passing though the 'ipv4only.arpa' queries to the upstream DNS64 379 recursive resolver will allow the correct NAT64 prefix to be 380 discovered. 382 All DNS64 recursive resolvers MUST recognize 'ipv4only.arpa' as 383 special and MUST NOT attempt to look up NS records for it, or 384 otherwise query authoritative name servers in an attempt to 385 resolve this name. Instead, DNS64 recursive resolvers MUST act 386 as authoritative for this domain and generate immediate responses 387 for all such queries. 389 DNS64 recursive resolvers MUST generate the 192.0.0.170 and 390 192.0.0.171 responses for IPv4 address queries (DNS qtype "A"), 391 the appropriate synthesized IPv6 address record responses for 392 IPv6 address queries (DNS qtype "AAAA"), and a negative 393 ("no error no answer") response for all other query types. 395 For all subdomains of 'ipv4only.arpa', DNS64 recursive resolvers 396 MUST generate immediate NXDOMAIN responses. All names falling 397 below 'ipv4only.arpa' are defined to be nonexistent. 399 An example configuration for BIND 9 showing how to achieve the 400 desired result is given in Appendix A. 402 Note that this is *not* a locally served zone in the usual sense 403 of that term [RFC6303] because this rule applies *only* to DNS64 404 recursive resolvers, not *all* DNS recursive resolvers. 406 5. Traditional authoritative name server software need not recognize 407 'ipv4only.arpa' as special or handle it in any special way. 408 Recursive resolvers SHOULD routinely act as authoritative for 409 this name and return the results described above. Only the 410 administrators of the 'arpa' namespace need to explicitly 411 configure their actual authoritative name servers to be 412 authoritative for this name and to generate the appropriate 413 answers; all other authoritative name servers will not be 414 configured to know anything about this name and will reject 415 queries for it, as they would reject queries for any other name 416 about which they have no information. 418 6. Generally speaking, operators of authoritative name servers need 419 not know anything about the name 'ipv4only.arpa', just as they do 420 not need to know anything about any other names they are not 421 responsible for. Operators of authoritative name servers who are 422 configuring their name servers to be authoritative for this name 423 MUST understand that 'ipv4only.arpa' is a special name, with 424 records rigidly specified by Internet Standard (generally this 425 applies only to the administrators of the 'arpa' namespace). 427 7. DNS Registries/Registrars need not know anything about the name 428 'ipv4only.arpa', just as they do not need to know anything about 429 any other name they are not responsible for. Only the 430 administrators of the 'arpa' namespace need to be aware of this 431 name's purpose and how it should be configured. In particular, 432 ipv4only.arpa MUST be created as an insecure delegation, to allow 433 DNS64 recursive resolvers to create synthesized AAAA answers 434 within that zone. Signing the ipv4only.arpa would make it 435 impossible for DNS64 recursive resolvers to create synthesized 436 AAAA answers that won't fail DNSSEC validation, thereby defeating 437 the entire purpose of ipv4only.arpa. 439 7.2. Names '170.0.0.192.in-addr.arpa' and '171.0.0.192.in-addr.arpa' 441 Since the IPv4 addresses 192.0.0.170 and 192.0.0.171 are defined to 442 be special, and are listed in the IPv4 Special-Purpose Address 443 Registry [SUv4], the corresponding reverse mapping names in the 444 in-addr.arpa domain are similarly special. 446 The name '170.0.0.192.in-addr.arpa' is defined, by Internet Standard, 447 to have only one DNS record, type PTR, with rdata 'ipv4only.arpa'. 449 The name '171.0.0.192.in-addr.arpa' is defined, by Internet Standard, 450 to have only one DNS record, type PTR, with rdata 'ipv4only.arpa'. 452 There are no subdomains of '170.0.0.192.in-addr.arpa' or 453 '171.0.0.192.in-addr.arpa'. All names falling below these names are 454 defined to be nonexistent (NXDOMAIN). 456 Practically speaking these two names are rarely used, but to the 457 extent that they may be, they are special only to recursive resolvers 458 as described in item 4 below: 460 1. Normal users should never have reason to encounter these two 461 reverse mapping names. However, if they do, queries for these 462 reverse mapping names should return the expected answer 463 'ipv4only.arpa'. Normal users have no need to know that these 464 reverse mapping names are special. 466 2. Application software SHOULD NOT recognize these two reverse 467 mapping names as special, and SHOULD NOT treat them differently. 468 For example, if the user were to issue the Unix command 469 "host 192.0.0.170" then the "host" command should issue the query 470 as usual and display the result that is returned. 472 3. Name resolution APIs and libraries SHOULD recognize these two 473 reverse mapping names as special and generate the required 474 responses locally. For the names '170.0.0.192.in-addr.arpa' and 475 '171.0.0.192.in-addr.arpa' PTR queries yield the result 476 'ipv4only.arpa'; all other query types yield a negative 477 ("no error no answer") response. For all subdomains of these two 478 reverse mapping domains, all queries yield an NXDOMAIN response. 479 All names falling below these two reverse mapping domains are 480 defined to be nonexistent. 482 This local self-contained generation of these responses is to 483 avoid placing unnecessary load on the authoritative 484 'in-addr.arpa' name servers. 486 4. Recursive resolvers SHOULD NOT recognize these two reverse 487 mapping names as special and SHOULD NOT, by default, give them 488 any special treatment. 490 5. Traditional authoritative name server software need not recognize 491 these two reverse mapping names as special or handle them in any 492 special way. 494 As a practical matter, only the administrators of the 495 '192.in-addr.arpa' namespace will configure their name servers to 496 be authoritative for these names and to generate the appropriate 497 answers; all other authoritative name servers will not be 498 configured to know anything about these names and will reject 499 queries for them as they would reject queries for any other name 500 about which they have no information. 502 6. Generally speaking, operators of authoritative name servers need 503 not know anything about these two reverse mapping names, just as 504 they do not need to know anything about any other names they are 505 not responsible for. Operators of authoritative name servers who 506 are configuring their name servers to be authoritative for this 507 name MUST understand that these two reverse mapping names are 508 special, with answers specified by Internet Standard (generally 509 this applies only to the administrators of the '192.in-addr.arpa' 510 namespace). 512 7. DNS Registries/Registrars need not know anything about these two 513 reverse mapping names, just as they do not need to know anything 514 about any other name they are not responsible for. Only the 515 administrators of the '192.in-addr.arpa' namespace need to be 516 aware of the purpose of these two names. 518 7.2.1. ip6.arpa Reverse Mapping PTR Records 520 For all IPv6 addresses synthesized by a DNS64 recursive resolver, the 521 DNS64 recursive resolver is responsible for synthesizing the 522 appropriate 'ip6.arpa' reverse mapping PTR records too, if it chooses 523 to provide reverse mapping PTR records. The same applies to the 524 synthesized IPv6 addresses corresponding to the IPv4 addresses 525 192.0.0.170 and 192.0.0.171. 527 Generally a DNS64 recursive resolver synthesizes appropriate 528 'ip6.arpa' reverse mapping PTR records by extracting the embedded 529 IPv4 address from the encoded IPv6 address, performing a reverse 530 mapping PTR query for that IPv4 address, and then synthesizing a 531 corresponding 'ip6.arpa' reverse mapping PTR record containing the 532 same rdata. 534 In the case of synthesized IPv6 addresses corresponding to the IPv4 535 addresses 192.0.0.170 and 192.0.0.171, the DNS64 recursive resolver 536 does not issue reverse mapping queries for those IPv4 addresses, but 537 instead, according to rule 3 above, immediately returns the answer 538 'ipv4only.arpa'. 540 In the case of a client that uses the 'ipv4only.arpa' query to 541 discover the IPv6 prefixes in use by the local NAT64 gateway, and 542 then proceeds to perform its own address synthesis locally (which has 543 benefits such as allowing DNSSEC validation), that client MUST also 544 synthesize 'ip6.arpa' reverse mapping PTR records for those 545 discovered prefix(es), according to the rules above: When a client's 546 name resolution APIs and libraries receive a request to look up an 547 'ip6.arpa' reverse mapping PTR record for an address that falls 548 within one of the discovered NAT64 address synthesis prefixes, the 549 software extracts the embedded IPv4 address and then, for IPv4 550 addresses 192.0.0.170 and 192.0.0.171, returns the fixed answer 551 'ipv4only.arpa', and for all other IPv4 addresses performs a reverse 552 mapping PTR query for the IPv4 address, and then synthesizes a 553 corresponding 'ip6.arpa' reverse mapping PTR record containing the 554 same rdata. 556 8. Acknowledgements 558 Thanks to Jouni Korhonen, Teemu Savolainen, and Dan Wing, for 559 devising the NAT64 Prefix Discovery mechanism [RFC7050], and for 560 their feedback on this document. Thanks to Geoff Huston for his 561 feedback on the draft, and to Erik Kline for pointing out that the 562 in-addr.arpa names are special too. Thanks particularly to Lorenzo 563 Colitti for an especially spirited hallway discussion at IETF 96 in 564 Berlin, which lead directly to significant improvements in how this 565 document presents the issues. 567 9. References 569 9.1. Normative References 571 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 572 Requirement Levels", BCP 14, RFC 2119, 573 DOI 10.17487/RFC2119, March 1997, . 576 [RFC3646] Droms, R., Ed., "DNS Configuration options for Dynamic 577 Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3646, 578 DOI 10.17487/RFC3646, December 2003, . 581 [RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X. 582 Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052, 583 DOI 10.17487/RFC6052, October 2010, . 586 [RFC6106] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli, 587 "IPv6 Router Advertisement Options for DNS Configuration", 588 RFC 6106, DOI 10.17487/RFC6106, November 2010, 589 . 591 [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful 592 NAT64: Network Address and Protocol Translation from IPv6 593 Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, 594 April 2011, . 596 [RFC6147] Bagnulo, M., Sullivan, A., Matthews, P., and I. van 597 Beijnum, "DNS64: DNS Extensions for Network Address 598 Translation from IPv6 Clients to IPv4 Servers", RFC 6147, 599 DOI 10.17487/RFC6147, April 2011, . 602 [RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", 603 RFC 6761, DOI 10.17487/RFC6761, February 2013, 604 . 606 [RFC7050] Savolainen, T., Korhonen, J., and D. Wing, "Discovery of 607 the IPv6 Prefix Used for IPv6 Address Synthesis", 608 RFC 7050, DOI 10.17487/RFC7050, November 2013, 609 . 611 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 612 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 613 May 2017, . 615 9.2. Informative References 617 [RFC6303] Andrews, M., "Locally Served DNS Zones", BCP 163, 618 RFC 6303, DOI 10.17487/RFC6303, July 2011, 619 . 621 [RFC8244] Lemon, T., Droms, R., and W. Kumari, "Special-Use Domain 622 Names Problem Statement", RFC 8244, DOI 10.17487/RFC8244, 623 October 2017, . 625 [SUDN] "Special-Use Domain Names Registry", 626 . 629 [SUv4] "IANA IPv4 Special-Purpose Address Registry", 630 . 633 Appendix A. Example BIND 9 Configuration 635 A BIND 9 recursive resolver can be configured to act as authoritative 636 for the necessary DNS64 names as described below. 638 In /etc/named.conf the following line is added: 640 zone "ipv4only.arpa" { type master; file "ipv4only"; }; 642 The file /var/named/ipv4only is created with the following content: 644 $TTL 86400 ; Default TTL 24 hours 645 @ IN SOA nameserver.example. admin.nameserver.example. ( 646 2016052400 ; Serial 647 7200 ; Refresh ( 7200 = 2 hours) 648 3600 ; Retry ( 3600 = 1 hour) 649 15724800 ; Expire (15724800 = 6 months) 650 60 ; Minimum 651 ) 652 @ IN NS nameserver.example. 654 @ IN A 192.0.0.170 655 @ IN A 192.0.0.171 656 @ IN AAAA 64:ff9b::192.0.0.170 ; If not using Well-Known Prefix 657 @ IN AAAA 64:ff9b::192.0.0.171 ; place actual NAT64 prefix here 659 Authors' Addresses 661 Stuart Cheshire 662 Apple Inc. 663 One Apple Park Way 664 Cupertino, California 95014 665 USA 667 Phone: +1 (408) 996-1010 668 Email: cheshire@apple.com 670 David Schinazi 671 Apple Inc. 672 One Apple Park Way 673 Cupertino, California 95014 674 USA 676 Email: dschinazi@apple.com