idnits 2.17.1 draft-cheshire-sudn-ipv4only-dot-arpa-13.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([RFC7050]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. == There are 20 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. == There are 1 instance of lines with non-RFC3849-compliant IPv6 addresses in the document. If these are example addresses, they should be changed. -- The draft header indicates that this document updates RFC7050, but the abstract doesn't seem to directly say this. It does mention RFC7050 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (October 23, 2018) is 1983 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 1 error (**), 0 flaws (~~), 4 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group S. Cheshire 3 Internet-Draft Apple Inc. 4 Updates: 7050 (if approved) D. Schinazi 5 Intended status: Standards Track October 23, 2018 6 Expires: April 26, 2019 8 Special Use Domain Name 'ipv4only.arpa' 9 draft-cheshire-sudn-ipv4only-dot-arpa-13 11 Abstract 13 The specification for how a client discovers its local network's 14 NAT64 prefix [RFC7050] defines the special name 'ipv4only.arpa' for 15 this purpose, but in its Domain Name Reservation Considerations 16 section that specification indicates that the name actually has no 17 particularly special properties would require special handling, and 18 does not request IANA to record the name in the Special-Use Domain 19 Names registry. 21 Consequently, despite the well articulated special purpose of the 22 name, 'ipv4only.arpa' was not recorded in the Special-Use Domain 23 Names registry as a name with special properties. 25 As a result of this omission, in cases where software needs to give 26 this name special treatment in order for it to work correctly, there 27 was no clear mandate authorizing software authors to implement that 28 special treatment. Software implementers were left with the choice 29 between not implementing the special behavior necessary for the name 30 queries to work correctly, or implementing the special behavior and 31 being accused of being noncompliant with some RFC. 33 This document describes the special treatment required, formally 34 declares the special properties of the name, and adds similar 35 declarations for the corresponding reverse mapping names. 37 Status of This Memo 39 This Internet-Draft is submitted in full conformance with the 40 provisions of BCP 78 and BCP 79. 42 Internet-Drafts are working documents of the Internet Engineering 43 Task Force (IETF). Note that other groups may also distribute 44 working documents as Internet-Drafts. The list of current Internet- 45 Drafts is at http://datatracker.ietf.org/drafts/current/. 47 Internet-Drafts are draft documents valid for a maximum of six months 48 and may be updated, replaced, or obsoleted by other documents at any 49 time. It is inappropriate to use Internet-Drafts as reference 50 material or to cite them other than as "work in progress." 52 This Internet-Draft will expire on April 26, 2019. 54 Copyright Notice 56 Copyright (c) 2018 IETF Trust and the persons identified as the 57 document authors. All rights reserved. 59 This document is subject to BCP 78 and the IETF Trust's Legal 60 Provisions Relating to IETF Documents 61 (http://trustee.ietf.org/license-info) in effect on the date of 62 publication of this document. Please review these documents 63 carefully, as they describe your rights and restrictions with respect 64 to this document. Code Components extracted from this document must 65 include Simplified BSD License text as described in Section 4.e of 66 the Trust Legal Provisions and are provided without warranty as 67 described in the Simplified BSD License. 69 1. Introduction 71 The specification for how a client discovers its local network's 72 NAT64 prefix [RFC7050] defines the special name 'ipv4only.arpa' for 73 this purpose, but in its Domain Name Reservation Considerations 74 section that specification indicates that the name actually has no 75 particularly special properties would require special handling, and 76 does not request IANA to record the name in the Special-Use Domain 77 Names registry [SUDN]. 79 Consequently, despite the well articulated special purpose of the 80 name, 'ipv4only.arpa' was not recorded in the Special-Use Domain 81 Names registry [SUDN] as a name with special properties. 83 This omission was discussed in the Special-Use Domain Names Problem 84 Statement [RFC8244]. 86 As a result of this omission, in cases where software needs to give 87 this name special treatment in order for it to work correctly, there 88 was no clear mandate authorizing software authors to implement that 89 special treatment. Software implementers were left with the choice 90 between not implementing the special behavior necessary for the name 91 queries to work correctly, or implementing the special behavior and 92 being accused of being noncompliant with some RFC. 94 This document describes the special treatment required, formally 95 declares the special properties of the name, and adds similar 96 declarations for the corresponding reverse mapping names. 98 2. Conventions and Terminology Used in this Section 100 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 101 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", 102 and "OPTIONAL" in this section are to be interpreted as described 103 in "Key words for use in RFCs to Indicate Requirement Levels", 104 when, and only when, they appear in all capitals, as shown here 105 [RFC2119] [RFC8174]. 107 3. Specialness of 'ipv4only.arpa' 109 The hostname 'ipv4only.arpa' is peculiar in that it was never 110 intended to be treated like a normal hostname. 112 A typical client never looks up the IPv4 address records for 113 'ipv4only.arpa', because it is already known, by specification 114 [RFC7050], to have exactly two IPv4 address records, 192.0.0.170 and 115 192.0.0.171. No client ever has to look up the name in order to 116 learn those two addresses. 118 In contrast, clients often look up the IPv6 AAAA address records for 119 'ipv4only.arpa', which is contrary to general DNS expectations, given 120 that it is already known, by specification [RFC7050], that no such 121 IPv6 AAAA address records exist. And yet, clients expect to receive, 122 and do in fact receive, positive answers for these IPv6 AAAA address 123 records that are known to not exist. 125 This is clearly not a typical DNS name. In normal operation, clients 126 never query for the two records that do in fact exist; instead 127 clients query for records that are known to not exist, and then get 128 positive answers to those abnormal queries. Clients are using DNS to 129 perform queries for this name, but they are certainly not using DNS 130 to learn legitimate answers from the name's legitimate authoritative 131 server. Instead, the DNS protocol has, in effect, been co-opted as 132 an impromptu client-to-middlebox communication protocol, to 133 communicate with the NAT64/DNS64 [RFC6146] [RFC6147] gateway, if 134 present, and request that it disclose the prefix it is using for IPv6 135 address synthesis. 137 It is this use of specially-crafted DNS queries as an impromptu 138 client-to-middlebox communication protocol that makes the name 139 'ipv4only.arpa' most definitely a special name, and one that needs to 140 be listed in IANA's registry along with other DNS names that have 141 special uses [SUDN]. 143 4. Consequences of 'ipv4only.arpa' not being declared special 145 As a result of the original specification [RFC7050] not formally 146 declaring 'ipv4only.arpa' to have special properties, there was no 147 clear mandate for DNS software to treat this name specially. 148 Consequently, queries for this name had to be handled normally, 149 resulting in unnecessary IPv6 address record queries (DNS qtype 150 "AAAA", always returning negative responses) and IPv4 address record 151 queries (DNS qtype "A", always returning the same positive responses) 152 to the authoritative 'arpa' name servers. 154 Having millions of devices around the world issue these queries 155 generated additional load on the authoritative 'arpa' name servers, 156 which was redundant when the name 'ipv4only.arpa' is defined, by 157 Internet Standard, to have exactly two IPv4 address records, 158 192.0.0.170 and 192.0.0.171, and no other IPv4 or IPv6 address 159 records. 161 Also, at times, for reasons that remain unclear, the authoritative 162 'arpa' name servers have been observed to be slow or unresponsive. 163 The failures of these 'ipv4only.arpa' queries result in unnecessary 164 failures of software that depends on them for DNS64 [RFC6147] address 165 synthesis. 167 Even when the authoritative 'arpa' name servers are operating 168 correctly, having to perform an unnecessary query to obtain an answer 169 that is already known in advance can add precious milliseconds of 170 delay. 172 A more serious problem occurs when a device is configured to use a 173 recursive resolver other than the one it learned from the network. 175 Typically a device joining a NAT64 network will learn the recursive 176 resolver recommended for that network either via IPv6 Router 177 Advertisement Options for DNS Configuration [RFC8106] or via DNS 178 Configuration options for DHCPv6 [RFC3646]. On a NAT64 network it is 179 essential that the client use the DNS64 recursive resolver 180 recommended for that network, since only that recursive resolver can 181 be relied upon to know the appropriate prefix(es) to use for 182 synthesizing IPv6 addresses that will be acceptable to the NAT64 183 gateway. 185 However, it is increasingly common for users to manually override 186 their default DNS configuration because they wish to use some other 187 public recursive resolver on the Internet, which may offer better 188 speed, better reliability, or better privacy than the local network's 189 default recursive resolver. At the time of writing, examples of 190 widely known public recursive resolver services include 1.1.1.1, 191 8.8.8.8, and 9.9.9.9. 193 Another common scenario is the use of corporate VPN client software. 194 The local network's recursive resolver will typically be unable to 195 provide answers for the company's private internal host names, so VPN 196 client software overrides the local network's default configuration, 197 to divert some or all DNS requests to the company's own private 198 internal recursive resolver, reached through the VPN tunnel. As with 199 the case described above of public recursive resolver services, the 200 company's private internal recursive resolver cannot be expected to 201 be able to synthesize IPv6 addresses correctly for use with the local 202 network's NAT64 gateway, because the company's private internal 203 recursive resolver is unlikely to be aware of the NAT64 prefix in use 204 on the NAT64 network to which the client device is currently 205 attached. It is clear that a single recursive resolver cannot meet 206 both needs. The local network's recursive resolver cannot give 207 answers for some company's private internal host names, and some 208 company's private internal recursive resolver cannot give correctly 209 synthesized IPv6 addresses suitable for the local network's NAT64 210 gateway. 212 The conflict here arises because DNS is being used for two unrelated 213 purposes. The first purpose is retrieving data from a (nominally) 214 global database -- generally retrieving the IP address(es) associated 215 with a hostname. The second purpose is using the DNS protocol as a 216 middlebox communication protocol, to interrogate the local network 217 infrastructure to discover the IPv6 prefix(es) in use by the local 218 NAT64 gateway for address synthesis. 220 This document leverages operational experience to update the Domain 221 Name Reservation Considerations [RFC6761] section of the earlier 222 specification [RFC7050] with one that accurately lists the actual 223 special properties of the name 'ipv4only.arpa', so that software can 224 legitimately implement the correct behavior necessary for better 225 performance, better reliability, and correct operation. 227 5. Security Considerations 229 One of the known concerns with DNS64 is that it conflicts with 230 DNSSEC. If DNSSEC is used to assert cryptographically that a name 231 has no IPv6 AAAA records, then this interferes with using DNS64 232 address synthesis to assert that those nonexistent IPv6 AAAA records 233 do exist. 235 Section 3 of the DNS64 specification [RFC6147] discusses this: 237 ... DNS64 receives a query with the DO bit set and 238 the CD bit set. In this case, the DNS64 is supposed 239 to pass on all the data it gets to the query initiator. 240 This case will not work with DNS64, unless the 241 validating resolver is prepared to do DNS64 itself. 243 The NAT64 Prefix Discovery specification [RFC7050] provides the 244 mechanism for the query initiator to learn the NAT64 prefix so that 245 it can do its own validation and DNS64 synthesis as described above. 246 With this mechanism the client can (i) interrogate the local NAT64/ 247 DNS64 gateway with an 'ipv4only.arpa' query to learn the IPv6 address 248 synthesis prefix, (ii) query for the (signed) IPv4 address records 249 itself, and validate the response, and then (iii) perform its own 250 IPv6 address synthesis locally, combining the IPv6 address synthesis 251 prefix learned from the local NAT64/DNS64 gateway with the validated 252 DNSSEC-signed data learned from the global Domain Name System. 254 It is conceivable that over time, if DNSSEC adoption continues to 255 grow, the majority of clients could move to this validate-and- 256 synthesize-locally model, which reduces the DNS64 machinery to the 257 vestigial role of simply responding to the 'ipv4only.arpa' query to 258 report the local IPv6 address synthesis prefix. In no case does the 259 client care what answer(s) the authoritative 'arpa' name servers 260 might give for that query. The 'ipv4only.arpa' query is being used 261 purely as a local client-to-middlebox communication message. 263 This approach is even more attractive if it does not create an 264 additional dependency on the authoritative 'arpa' name servers to 265 answer a query that is unnecessary because the NAT64/DNS64 gateway 266 already knows the answer before it even issues the query. Avoiding 267 this unnecessary query improves performance and reliability for the 268 client, and reduces unnecessary load for the authoritative 'arpa' 269 name servers. 271 Hard-coding the known answers for 'ipv4only.arpa' IPv4 address record 272 queries (DNS qtype "A") in recursive resolvers also reduces the risk 273 of malicious devices intercepting those queries and returning 274 incorrect answers. Because the 'ipv4only.arpa' zone has to be an 275 insecure delegation (see below) DNSSEC cannot be used to protect 276 these answers from tampering by malicious devices on the path. 278 With respect to the question of whether 'ipv4only.arpa' should be a 279 secure or insecure delegation, there are two paths through the 280 network to consider: The path from the authoritative server to the 281 DNS64 recursive resolver, and the path from the DNS64 recursive 282 resolver to the ultimate client. On either or both paths there may 283 be one or more DNS64-unaware recursive resolvers. 285 The path from the authoritative server to the DNS64 recursive 286 resolver (queries for IPv4 address records) need not be protected by 287 DNSSEC, because the DNS64 recursive resolver already knows, by 288 specification, what the answers are. In principle, if this were a 289 secure delegation, and 'ipv4only.arpa' were a signed zone, then the 290 path from the authoritative server to the DNS64 recursive resolver 291 would still work, but DNSSEC is not necessary here. Run-time 292 cryptographic signatures are not needed to verify compile-time 293 constants. 295 The path from the DNS64 recursive resolver to the ultimate client 296 (queries for IPv6 address records) *cannot* be protected by DNSSEC, 297 because the DNS64 recursive resolver is synthesizing IPv6 address 298 answers, and does not possess the secret key required to sign those 299 answers. 301 Consequently, the 'ipv4only.arpa' zone MUST be an insecure 302 delegation, to give NAT64/DNS64 gateways the freedom to synthesize 303 answers to those queries at will, without the answers being rejected 304 by DNSSEC-capable resolvers. DNSSEC-capable resolvers that follow 305 this specification MUST NOT attempt to validate answers received in 306 response to queries for the IPv6 AAAA address records for 307 'ipv4only.arpa'. 309 The original NAT64 Prefix Discovery specification [RFC7050] stated, 310 incorrectly: 312 A signed "ipv4only.arpa." allows validating DNS64 servers 313 (see [RFC6147] Section 3, Case 5, for example) to detect 314 malicious AAAA resource records. Therefore, the zone 315 serving the well-known name has to be protected with DNSSEC. 317 This document updates the previous specification [RFC7050] to correct 318 that error. The 'ipv4only.arpa' zone MUST be an insecure delegation. 320 6. IANA Considerations 322 [Once published] IANA has recorded the following names in the 323 Special-Use Domain Names registry [SUDN]: 325 ipv4only.arpa. 326 170.0.0.192.in-addr.arpa. 327 171.0.0.192.in-addr.arpa. 329 IANA has recorded the following IPv4 addresses in the 330 IPv4 Special-Purpose Address Registry [SUv4]: 332 192.0.0.170 333 192.0.0.171 335 7. Domain Name Reservation Considerations 337 7.1. Special Use Domain Name 'ipv4only.arpa' 339 The name 'ipv4only.arpa' is defined, by Internet Standard, to have 340 two IPv4 address records with rdata 192.0.0.170 and 192.0.0.171. 342 When queried via a DNS64 [RFC6147] recursive resolver, the name 343 'ipv4only.arpa' is also defined to have IPv6 AAAA records, with rdata 344 synthesized from a combination of the NAT64 IPv6 prefix(es) and the 345 IPv4 addresses 192.0.0.170 and 192.0.0.171. This can return more 346 than one pair of IPv6 addresses if there are multiple NAT64 prefixes. 348 The name 'ipv4only.arpa' has no other IPv4 or IPv6 address records. 349 There are no subdomains of 'ipv4only.arpa'. All names falling below 350 'ipv4only.arpa' are defined to be nonexistent (NXDOMAIN). 352 The name 'ipv4only.arpa' is special to 353 (a) client software wishing to perform DNS64 address synthesis, 354 (b) APIs responsible for retrieving the correct information, and 355 (c) the DNS64 recursive resolver responding to such requests. 356 These three considerations are listed in items 2, 3 and 4 below: 358 1. Normal users should never have reason to encounter the 359 'ipv4only.arpa' domain name. If they do, they should expect 360 queries for 'ipv4only.arpa' to result in the answers required by 361 the specification [RFC7050]. Normal users have no need to know 362 that 'ipv4only.arpa' is special. 364 2. Application software may explicitly use the name 'ipv4only.arpa' 365 for NAT64/DNS64 address synthesis, and expect to get the answers 366 required by the specification [RFC7050]. If application software 367 encounters the name 'ipv4only.arpa' in the normal course of 368 handling user input, the application software should resolve that 369 name as usual and need not treat it in any special way. 371 3. Name resolution APIs and libraries MUST recognize 'ipv4only.arpa' 372 as special and MUST give it special treatment. 374 Learning a network's NAT64 prefix is by its nature an interface- 375 specific operation, and the special DNS query used to learn this 376 interface-specific NAT64 prefix MUST be sent to the DNS recursive 377 resolver address(es) the client learned via the configuration 378 machinery for that specific client interface. One implication of 379 this is that, on any host with multiple physical interfaces 380 (e.g., cellular data and Wi-Fi) and/or multiple virtual 381 interfaces (e.g., VPN tunnels), for a client to learn the NAT64 382 prefix in use on a particular interface, the DNS name resolution 383 APIs used to look up the IPv6 addresses for 'ipv4only.arpa' MUST 384 include a parameter for the client to specify on which interface 385 to perform this query. The NAT64 prefix is a per-interface 386 property, not a per-device property. 388 Regardless of any manual client DNS configuration, DNS overrides 389 configured by VPN client software, or any other mechanisms that 390 influence the choice of the client's recursive resolver 391 address(es) (including client devices that run their own local 392 recursive resolver and use the loopback address as their 393 configured recursive resolver address) all queries for 394 'ipv4only.arpa' and any subdomains of that name MUST be sent to 395 the recursive resolver learned from the network interface in 396 question via IPv6 Router Advertisement Options for DNS 397 Configuration [RFC8106] or via DNS Configuration options for 398 DHCPv6 [RFC3646]. Because DNS queries for 'ipv4only.arpa' are 399 actually a special middlebox communication protocol, it is 400 essential that they go to the correct middlebox for the interface 401 in question, and failure to honor this requirement would cause 402 failure of the NAT64 Prefix Discovery mechanism [RFC7050]. 404 DNSSEC-capable resolvers MUST NOT attempt to validate answers 405 received in response to queries for the IPv6 AAAA address records 406 for 'ipv4only.arpa', since, by definition, any such answers are 407 generated by the local network's NAT64/DNS64 gateway, not the 408 authoritative server responsible for that name. 410 4. For the purposes of this section, recursive resolvers fall into 411 two categories. The first category is the traditional recursive 412 resolvers that are in widespread use today. The second category 413 is DNS64 recursive resolvers, whose purpose is to synthesize IPv6 414 address records. 416 Traditional recursive resolvers SHOULD NOT recognize 417 'ipv4only.arpa' as special or give that name, or subdomains of 418 that name, any special treatment. The rationale for this is that 419 a traditional recursive resolver, such as built in to a home 420 gateway, may itself be downstream of a DNS64 recursive resolver. 421 Passing through the 'ipv4only.arpa' queries to the upstream DNS64 422 recursive resolver will allow the correct NAT64 prefix to be 423 discovered. 425 All DNS64 recursive resolvers MUST recognize 'ipv4only.arpa' as 426 special and MUST NOT attempt to look up NS records for it, or 427 otherwise query authoritative name servers in an attempt to 428 resolve this name. Instead, DNS64 recursive resolvers MUST act 429 as authoritative for this domain and generate immediate responses 430 for all such queries. 432 DNS64 recursive resolvers MUST generate the 192.0.0.170 and 433 192.0.0.171 responses for IPv4 address queries (DNS qtype "A"), 434 the appropriate synthesized IPv6 address record responses for 435 IPv6 address queries (DNS qtype "AAAA"), and a negative 436 ("no error no answer") response for all other query types. 438 For all subdomains of 'ipv4only.arpa', DNS64 recursive resolvers 439 MUST generate immediate NXDOMAIN responses. All names falling 440 below 'ipv4only.arpa' are defined to be nonexistent. 442 An example configuration for BIND 9 showing how to achieve the 443 desired result is given in Appendix A. 445 Note that this is *not* a locally served zone in the usual sense 446 of that term [RFC6303] because this rule applies *only* to DNS64 447 recursive resolvers, not *all* DNS recursive resolvers. 449 5. Traditional authoritative name server software need not recognize 450 'ipv4only.arpa' as special or handle it in any special way. 451 Recursive resolvers SHOULD routinely act as authoritative for 452 this name and return the results described above. Only the 453 administrators of the 'arpa' namespace need to explicitly 454 configure their actual authoritative name servers to be 455 authoritative for this name and to generate the appropriate 456 answers; all other authoritative name servers will not be 457 configured to know anything about this name and will reject 458 queries for it, as they would reject queries for any other name 459 about which they have no information. 461 6. Generally speaking, operators of authoritative name servers need 462 not know anything about the name 'ipv4only.arpa', just as they do 463 not need to know anything about any other names they are not 464 responsible for. Operators of authoritative name servers who are 465 configuring their name servers to be authoritative for this name 466 MUST understand that 'ipv4only.arpa' is a special name, with 467 records rigidly specified by Internet Standard (generally this 468 applies only to the administrators of the 'arpa' namespace). 470 7. DNS Registries/Registrars need not know anything about the name 471 'ipv4only.arpa', just as they do not need to know anything about 472 any other name they are not responsible for. Only the 473 administrators of the 'arpa' namespace need to be aware of this 474 name's purpose and how it should be configured. In particular, 475 'ipv4only.arpa' MUST be created as an insecure delegation, to 476 allow DNS64 recursive resolvers to create synthesized AAAA 477 answers within that zone. Making the 'ipv4only.arpa' zone a 478 secure delegation would make it impossible for DNS64 recursive 479 resolvers to create synthesized AAAA answers that won't fail 480 DNSSEC validation, thereby defeating the entire purpose of the 481 'ipv4only.arpa' name. 483 7.2. Names '170.0.0.192.in-addr.arpa' and '171.0.0.192.in-addr.arpa' 485 Since the IPv4 addresses 192.0.0.170 and 192.0.0.171 are defined to 486 be special, and are listed in the IPv4 Special-Purpose Address 487 Registry [SUv4], the corresponding reverse mapping names in the 488 in-addr.arpa domain are similarly special. 490 The name '170.0.0.192.in-addr.arpa' is defined, by Internet Standard, 491 to have only one DNS record, type PTR, with rdata 'ipv4only.arpa'. 493 The name '171.0.0.192.in-addr.arpa' is defined, by Internet Standard, 494 to have only one DNS record, type PTR, with rdata 'ipv4only.arpa'. 496 There are no subdomains of '170.0.0.192.in-addr.arpa' or 497 '171.0.0.192.in-addr.arpa'. All names falling below these names are 498 defined to be nonexistent (NXDOMAIN). 500 Practically speaking these two names are rarely used, but to the 501 extent that they may be, they are special only to resolver APIs and 502 libraries, as described in item 3 below: 504 1. Normal users should never have reason to encounter these two 505 reverse mapping names. However, if they do, queries for these 506 reverse mapping names should return the expected answer 507 'ipv4only.arpa'. Normal users have no need to know that these 508 reverse mapping names are special. 510 2. Application software SHOULD NOT recognize these two reverse 511 mapping names as special, and SHOULD NOT treat them differently. 513 For example, if the user were to issue the Unix command 514 "host 192.0.0.170" then the "host" command should call the name 515 resolution API or library as usual and display the result that is 516 returned. 518 3. Name resolution APIs and libraries SHOULD recognize these two 519 reverse mapping names as special and generate the required 520 responses locally. For the names '170.0.0.192.in-addr.arpa' and 521 '171.0.0.192.in-addr.arpa' PTR queries yield the result 522 'ipv4only.arpa'; all other query types yield a negative 523 ("no error no answer") response. For all subdomains of these two 524 reverse mapping domains, all queries yield an NXDOMAIN response. 525 All names falling below these two reverse mapping domains are 526 defined to be nonexistent. 528 This local self-contained generation of these responses is to 529 avoid placing unnecessary load on the authoritative 530 'in-addr.arpa' name servers. 532 4. Recursive resolvers SHOULD NOT recognize these two reverse 533 mapping names as special and SHOULD NOT, by default, give them 534 any special treatment. 536 5. Traditional authoritative name server software need not recognize 537 these two reverse mapping names as special or handle them in any 538 special way. 540 As a practical matter, only the administrators of the 541 '192.in-addr.arpa' namespace will configure their name servers to 542 be authoritative for these names and to generate the appropriate 543 answers; all other authoritative name servers will not be 544 configured to know anything about these names and will reject 545 queries for them as they would reject queries for any other name 546 about which they have no information. 548 6. Generally speaking, operators of authoritative name servers need 549 not know anything about these two reverse mapping names, just as 550 they do not need to know anything about any other names they are 551 not responsible for. Operators of authoritative name servers who 552 are configuring their name servers to be authoritative for this 553 name MUST understand that these two reverse mapping names are 554 special, with answers specified by Internet Standard (generally 555 this applies only to the administrators of the '192.in-addr.arpa' 556 namespace). 558 7. DNS Registries/Registrars need not know anything about these two 559 reverse mapping names, just as they do not need to know anything 560 about any other name they are not responsible for. Only the 561 administrators of the '192.in-addr.arpa' namespace need to be 562 aware of the purpose of these two names. 564 7.2.1. ip6.arpa Reverse Mapping PTR Records 566 For all IPv6 addresses synthesized by a DNS64 recursive resolver, the 567 DNS64 recursive resolver is responsible for synthesizing the 568 appropriate 'ip6.arpa' reverse mapping PTR records too, if it chooses 569 to provide reverse mapping PTR records. The same applies to the 570 synthesized IPv6 addresses corresponding to the IPv4 addresses 571 192.0.0.170 and 192.0.0.171. 573 Generally a DNS64 recursive resolver synthesizes appropriate 574 'ip6.arpa' reverse mapping PTR records by extracting the embedded 575 IPv4 address from the encoded IPv6 address, performing a reverse 576 mapping PTR query for that IPv4 address, and then synthesizing a 577 corresponding 'ip6.arpa' reverse mapping PTR record containing the 578 same rdata. 580 In the case of synthesized IPv6 addresses corresponding to the IPv4 581 addresses 192.0.0.170 and 192.0.0.171, the DNS64 recursive resolver 582 does not issue reverse mapping queries for those IPv4 addresses, but 583 instead, according to rule 3 above, immediately returns the answer 584 'ipv4only.arpa'. 586 In the case of a client that uses the 'ipv4only.arpa' query to 587 discover the IPv6 prefixes in use by the local NAT64 gateway, and 588 then proceeds to perform its own address synthesis locally (which has 589 benefits such as allowing DNSSEC validation), that client MUST also 590 synthesize 'ip6.arpa' reverse mapping PTR records for those 591 discovered prefix(es), according to the rules above: When a client's 592 name resolution APIs and libraries receive a request to look up an 593 'ip6.arpa' reverse mapping PTR record for an address that falls 594 within one of the discovered NAT64 address synthesis prefixes, the 595 software extracts the embedded IPv4 address and then, for IPv4 596 addresses 192.0.0.170 and 192.0.0.171, returns the fixed answer 597 'ipv4only.arpa', and for all other IPv4 addresses performs a reverse 598 mapping PTR query for the IPv4 address, and then synthesizes a 599 corresponding 'ip6.arpa' reverse mapping PTR record containing the 600 same rdata. 602 8. Acknowledgements 604 Thanks to Jouni Korhonen, Teemu Savolainen, and Dan Wing, for 605 devising the NAT64 Prefix Discovery mechanism [RFC7050], and for 606 their feedback on this document. 608 Thanks to Geoff Huston for his feedback on this document. 610 Thanks to Erik Kline for pointing out that the in-addr.arpa names are 611 special too. 613 Thanks to Marc Andrews for pointing out the reasons why the 614 'ipv4only.arpa' zone MUST be an insecure delegation in order for the 615 NAT64 Prefix Discovery mechanism [RFC7050] to work. 617 Thanks particularly to Lorenzo Colitti for an especially spirited 618 hallway discussion at IETF 96 in Berlin, which lead directly to 619 significant improvements in how this document presents the issues. 621 Thanks to Dave Thaler and Warren Kumari for generously helping 622 shepherd this document through the publication process. 624 9. References 626 9.1. Normative References 628 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 629 Requirement Levels", BCP 14, RFC 2119, 630 DOI 10.17487/RFC2119, March 1997, . 633 [RFC3646] Droms, R., Ed., "DNS Configuration options for Dynamic 634 Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3646, 635 DOI 10.17487/RFC3646, December 2003, . 638 [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful 639 NAT64: Network Address and Protocol Translation from IPv6 640 Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, 641 April 2011, . 643 [RFC6147] Bagnulo, M., Sullivan, A., Matthews, P., and I. van 644 Beijnum, "DNS64: DNS Extensions for Network Address 645 Translation from IPv6 Clients to IPv4 Servers", RFC 6147, 646 DOI 10.17487/RFC6147, April 2011, . 649 [RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", 650 RFC 6761, DOI 10.17487/RFC6761, February 2013, 651 . 653 [RFC7050] Savolainen, T., Korhonen, J., and D. Wing, "Discovery of 654 the IPv6 Prefix Used for IPv6 Address Synthesis", 655 RFC 7050, DOI 10.17487/RFC7050, November 2013, 656 . 658 [RFC8106] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli, 659 "IPv6 Router Advertisement Options for DNS Configuration", 660 RFC 8106, DOI 10.17487/RFC8106, March 2017, 661 . 663 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 664 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 665 May 2017, . 667 9.2. Informative References 669 [RFC6303] Andrews, M., "Locally Served DNS Zones", BCP 163, 670 RFC 6303, DOI 10.17487/RFC6303, July 2011, 671 . 673 [RFC8244] Lemon, T., Droms, R., and W. Kumari, "Special-Use Domain 674 Names Problem Statement", RFC 8244, DOI 10.17487/RFC8244, 675 October 2017, . 677 [SUDN] "Special-Use Domain Names Registry", 678 . 681 [SUv4] "IANA IPv4 Special-Purpose Address Registry", 682 . 685 Appendix A. Example BIND 9 Configuration 687 A BIND 9 recursive resolver can be configured to act as authoritative 688 for the necessary DNS64 names as described below. 690 In /etc/named.conf the following line is added: 692 zone "ipv4only.arpa" { type master; file "ipv4only"; }; 694 The file /var/named/ipv4only is created with the following content: 696 $TTL 86400 ; Default TTL 24 hours 697 @ IN SOA nameserver.example. admin.nameserver.example. ( 698 2016052400 ; Serial 699 7200 ; Refresh ( 7200 = 2 hours) 700 3600 ; Retry ( 3600 = 1 hour) 701 15724800 ; Expire (15724800 = 6 months) 702 60 ; Minimum 703 ) 704 @ IN NS nameserver.example. 706 @ IN A 192.0.0.170 707 @ IN A 192.0.0.171 708 @ IN AAAA 64:ff9b::192.0.0.170 ; If not using Well-Known Prefix 709 @ IN AAAA 64:ff9b::192.0.0.171 ; place chosen NAT64 prefix here 711 Authors' Addresses 713 Stuart Cheshire 714 Apple Inc. 715 One Apple Park Way 716 Cupertino, California 95014 717 USA 719 Phone: +1 (408) 996-1010 720 Email: cheshire@apple.com 722 David Schinazi 724 Email: dschinazi.ietf@gmail.com