idnits 2.17.1 draft-cheshire-sudn-ipv4only-dot-arpa-16.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 20 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. == There are 1 instance of lines with non-RFC3849-compliant IPv6 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (February 21, 2020) is 1525 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 8499 (Obsoleted by RFC 9499) Summary: 0 errors (**), 0 flaws (~~), 4 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group S. Cheshire 3 Internet-Draft Apple Inc. 4 Updates: 7050 (if approved) D. Schinazi 5 Intended status: Standards Track Google LLC 6 Expires: August 24, 2020 February 21, 2020 8 Special Use Domain Name 'ipv4only.arpa' 9 draft-cheshire-sudn-ipv4only-dot-arpa-16 11 Abstract 13 The specification for how a client discovers its local network's 14 NAT64 prefix (RFC7050) defines the special name 'ipv4only.arpa' for 15 this purpose, but in its Domain Name Reservation Considerations 16 section that specification indicates that the name actually has no 17 particularly special properties would require special handling, and 18 does not request IANA to record the name in the Special-Use Domain 19 Names registry. 21 Consequently, despite the well articulated special purpose of the 22 name, 'ipv4only.arpa' was not recorded in the Special-Use Domain 23 Names registry as a name with special properties. 25 This document describes the special treatment required, formally 26 declares the special properties of the name, adds similar 27 declarations for the corresponding reverse mapping names, and updates 28 RFC7050. 30 Status of This Memo 32 This Internet-Draft is submitted in full conformance with the 33 provisions of BCP 78 and BCP 79. 35 Internet-Drafts are working documents of the Internet Engineering 36 Task Force (IETF). Note that other groups may also distribute 37 working documents as Internet-Drafts. The list of current Internet- 38 Drafts is at https://datatracker.ietf.org/drafts/current/. 40 Internet-Drafts are draft documents valid for a maximum of six months 41 and may be updated, replaced, or obsoleted by other documents at any 42 time. It is inappropriate to use Internet-Drafts as reference 43 material or to cite them other than as "work in progress." 45 This Internet-Draft will expire on August 24, 2020. 47 Copyright Notice 49 Copyright (c) 2020 IETF Trust and the persons identified as the 50 document authors. All rights reserved. 52 This document is subject to BCP 78 and the IETF Trust's Legal 53 Provisions Relating to IETF Documents 54 (https://trustee.ietf.org/license-info) in effect on the date of 55 publication of this document. Please review these documents 56 carefully, as they describe your rights and restrictions with respect 57 to this document. Code Components extracted from this document must 58 include Simplified BSD License text as described in Section 4.e of 59 the Trust Legal Provisions and are provided without warranty as 60 described in the Simplified BSD License. 62 Table of Contents 64 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 65 2. Specialness of 'ipv4only.arpa' . . . . . . . . . . . . . . . 3 66 3. Consequences of 'ipv4only.arpa' not being declared special . 4 67 4. Remedies . . . . . . . . . . . . . . . . . . . . . . . . . . 6 68 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 69 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 70 7. Domain Name Reservation Considerations . . . . . . . . . . . 10 71 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 17 72 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 17 73 Appendix A. Example BIND 9 Configuration . . . . . . . . . . . . 19 74 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 76 1. Introduction 78 The specification for how a client discovers its local network's 79 NAT64 prefix [RFC7050] defines the special name 'ipv4only.arpa' for 80 this purpose, but in its Domain Name Reservation Considerations 81 section that specification indicates that the name actually has no 82 particularly special properties would require special handling, and 83 does not request IANA to record the name in the Special-Use Domain 84 Names registry [SUDN]. 86 Consequently, despite the well articulated special purpose of the 87 name, 'ipv4only.arpa' was not recorded in the Special-Use Domain 88 Names registry [SUDN] as a name with special properties. 90 This omission was discussed in the Special-Use Domain Names Problem 91 Statement [RFC8244]. 93 As a result of this omission, in cases where software needs to give 94 this name special treatment in order for it to work correctly, there 95 was no clear mandate authorizing software authors to implement that 96 special treatment. Software implementers were left with the choice 97 between not implementing the special behavior necessary for the name 98 queries to work correctly, or implementing the special behavior and 99 being accused of being noncompliant with some RFC. 101 This document describes the special treatment required, formally 102 declares the special properties of the name, and adds similar 103 declarations for the corresponding reverse mapping names. 105 1.1. Conventions and Terminology 107 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 108 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", 109 and "OPTIONAL" in this section are to be interpreted as described 110 in "Key words for use in RFCs to Indicate Requirement Levels", 111 when, and only when, they appear in all capitals, as shown here 112 [RFC2119] [RFC8174]. 114 2. Specialness of 'ipv4only.arpa' 116 The hostname 'ipv4only.arpa' is peculiar in that it was never 117 intended to be treated like a normal hostname. 119 A typical client never looks up the IPv4 address records for 120 'ipv4only.arpa', because it is already known, by IETF specification 121 [RFC7050], to have exactly two IPv4 address records, 192.0.0.170 and 122 192.0.0.171. No client ever has to look up the name in order to 123 learn those two addresses. 125 In contrast, clients often look up the IPv6 AAAA address records for 126 'ipv4only.arpa', which is contrary to general DNS expectations, given 127 that it is already known, by IETF specification [RFC7050], that 128 'ipv4only.arpa' is an IPv4-only name, which has no IPv6 AAAA address 129 records. And yet, clients expect to receive, and do in fact receive, 130 positive answers for these IPv6 AAAA address records that apparently 131 should not exist. 133 This is clearly not a typical DNS name. In normal operation, clients 134 never query for the two records that do in fact exist; instead 135 clients query for records that are known to not exist, and then get 136 positive answers to those abnormal queries. Clients are using DNS to 137 perform queries for this name, but they are certainly not using DNS 138 to learn legitimate answers from the name's legitimate authoritative 139 server. Instead, the DNS protocol has, in effect, been co-opted as 140 an impromptu client-to-middlebox communication protocol, to 141 communicate with the NAT64/DNS64 [RFC6146] [RFC6147] gateway, if 142 present, and request that it disclose the prefix it is using for IPv6 143 address synthesis. 145 This use of specially-crafted DNS queries as an impromptu client-to- 146 middlebox communication protocol has a number of specific 147 consequences, outlined below, which client software needs to take 148 into account if the queries are to produce the desired results, 149 particularly when used on a multi-homed host, or when a VPN tunnel is 150 in use. The name 'ipv4only.arpa' is most definitely a special name, 151 and needs to be listed in IANA's registry along with other DNS names 152 that have special uses [SUDN]. 154 3. Consequences of 'ipv4only.arpa' not being declared special 156 As a result of the original specification [RFC7050] not formally 157 declaring 'ipv4only.arpa' to have special properties, there was no 158 clear mandate for DNS software to treat this name specially. In 159 particular, this lack of mandate for special treatment is relevant 160 (a) to the name resolution APIs and libraries on client devices, and 161 (b) to DNS64 [RFC6147] implementations. These two aspects are 162 discussed in more detail below. 164 3.1. Consequences for Name Resolution APIs and Libraries 166 A serious problem can occur with NAT64/DNS64 when a device is 167 configured to use a recursive resolver other than the one it learned 168 from the network. 170 Typically a device joining a NAT64 network will learn the recursive 171 resolver recommended for that network either via IPv6 Router 172 Advertisement Options for DNS Configuration [RFC8106] or via DNS 173 Configuration options for DHCPv6 [RFC3646]. On a NAT64 network it is 174 essential that the client use the DNS64 recursive resolver 175 recommended for that network, since only that recursive resolver can 176 be relied upon to know the appropriate prefix(es) to use for 177 synthesizing IPv6 addresses that will be acceptable to the NAT64 178 gateway. 180 However, it is becoming increasingly common for users to manually 181 override their default DNS configuration because they wish to use 182 some other public recursive resolver on the Internet, which may offer 183 better speed, better reliability, or better privacy than the local 184 network's default recursive resolver. At the time of writing, 185 examples of widely known public recursive resolver services include 186 1.1.1.1 [DNS1], 8.8.8.8 [DNS8], and 9.9.9.9 [DNS9]. 188 Another common scenario is the use of corporate VPN client software. 189 The local network's recursive resolver will typically be unable to 190 provide answers for the company's private internal host names, so VPN 191 client software overrides the local network's default configuration, 192 to divert some or all DNS requests to the company's own private 193 internal recursive resolver, reached through the VPN tunnel. As with 194 the case described above of public recursive resolver services, the 195 company's private internal recursive resolver cannot be expected to 196 be able to synthesize IPv6 addresses correctly for use with the local 197 network's NAT64 gateway, because the company's private internal 198 recursive resolver is unlikely to be aware of the NAT64 prefix in use 199 on the NAT64 network to which the client device is currently 200 attached. It is clear that a single recursive resolver cannot meet 201 both needs. The local network's recursive resolver cannot give 202 answers for some company's private internal host names, and some 203 company's private internal recursive resolver cannot give correctly 204 synthesized IPv6 addresses suitable for the local network's NAT64 205 gateway. 207 Note that multiple NAT64 services may be simultaneously available to 208 a client. For example, the local network may provide NAT64 service 209 (to allow a IPv6-only client device to access IPv4-only Internet 210 services), while at the same time the corporate VPN may also provide 211 NAT64 service (to allow a client connecting via an IPv6-only VPN 212 tunnel to access IPv4-only corporate services). The NAT64 address 213 synthesis prefixes for the two NAT64 services may be different. In 214 this case it is essential that the NAT64 address synthesis prefix 215 used on the local network be the prefix learned from the local 216 network's recursive resolver, and the NAT64 address synthesis prefix 217 used on the VPN tunnel be the prefix learned from the VPN tunnel's 218 recursive resolver. 220 The conflict here arises because DNS is being used for two unrelated 221 purposes. The first purpose is retrieving data from a (nominally) 222 global database -- generally retrieving the IP address(es) associated 223 with a hostname. The second purpose is using the DNS protocol as a 224 middlebox communication protocol, to interrogate the local network 225 infrastructure to discover the IPv6 prefix(es) in use by the local 226 NAT64 gateway for address synthesis. 228 3.2. Consequences for DNS64 Implementations 230 As a result of there being no mandate for special treatment, queries 231 for 'ipv4only.arpa' had to be handled normally, resulting in DNS64 232 gateways performing unnecessary IPv6 address record queries (DNS 233 qtype "AAAA", always returning negative responses) and IPv4 address 234 record queries (DNS qtype "A", always returning the same positive 235 responses) to the authoritative 'arpa' name servers. 237 Having DNS64 gateways around the world issue these queries generated 238 additional load on the authoritative 'arpa' name servers, which was 239 redundant when the name 'ipv4only.arpa' is defined, by IETF 240 specification [RFC7050], to have exactly two IPv4 address records, 241 192.0.0.170 and 192.0.0.171, and no other IPv4 or IPv6 address 242 records. 244 Also, at times, for reasons that remain unclear, the authoritative 245 'arpa' name servers have been observed to be slow or unresponsive. 246 The failures of these 'ipv4only.arpa' queries result in unnecessary 247 failures of the DNS64 gateways and of the client devices that depend 248 on them for DNS64 [RFC6147] address synthesis. 250 Even when the authoritative 'arpa' name servers are operating 251 correctly, having to perform an unnecessary query to obtain an answer 252 that is already known in advance can add precious milliseconds of 253 delay, affecting user experience on the client devices waiting for 254 those synthesized replies. 256 4. Remedies 258 This document leverages operational experience to update the Domain 259 Name Reservation Considerations [RFC6761] section of the earlier 260 specification [RFC7050] with one that more accurately lists the 261 actual special properties of the name 'ipv4only.arpa', so that 262 software can legitimately implement the correct behavior necessary 263 for better performance, better reliability, and correct operation. 265 These changes affect two bodies of software, (a) the name resolution 266 APIs and libraries on client devices, and (b) DNS64 implementations. 268 The new special rules specified in this document for name resolution 269 APIs and libraries state how they should select which recursive 270 resolver to query to learn the IPv6 address synthesis prefix in use 271 on a particular physical or virtual interface. Specifically: When 272 querying for the name 'ipv4only.arpa', name resolution APIs and 273 libraries should use the recursive resolver recommended by the 274 network for the interface in question, rather than a recursive 275 resolver configured manually, a recursive resolver configured by VPN 276 software, or a full-service recursive resolver running on the local 277 host. 279 The new special rules specified in this document for DNS64 280 implementations recommend that they avoid performing run-time network 281 queries for values that are known to be fixed by specification. 283 A useful property of the way NAT64 Prefix Discovery [RFC7050] was 284 originally specified was that it allowed for incremental deployment. 285 Even if existing DNS64 gateways, that were unaware of the special 286 'ipv4only.arpa' name, were already deployed, once IANA created the 287 appropriate 'ipv4only.arpa' records, clients could begin to use the 288 new facility immediately. Clients could send their special queries 289 for 'ipv4only.arpa' to an ipv4only-unaware DNS64 gateway, and (after 290 a query to IANA's servers) the DNS64 gateway would then generate the 291 correct synthesized response. 293 While this was a useful transition strategy to enable rapid adoption, 294 it is not the ideal end situation. For better performance, better 295 reliability, and lower load in IANA's servers, it is preferable for 296 DNS64 gateways to be aware of the special 'ipv4only.arpa' name so 297 that they can avoid issuing unnecessary queries. Network operators 298 who wish to provide reliable, high performance service to their 299 customers are strongly motivated to prefer DNS64 gateways that 300 recognize the special 'ipv4only.arpa' name and apply the appropriate 301 optimizations. 303 5. Security Considerations 305 One of the known concerns with DNS64 is that it conflicts with 306 DNSSEC. If DNSSEC is used to assert cryptographically that a name 307 has no IPv6 AAAA records, then this interferes with using DNS64 308 address synthesis to assert that those nonexistent IPv6 AAAA records 309 do exist. 311 Section 3 of the DNS64 specification [RFC6147] discusses this: 313 ... DNS64 receives a query with the DO bit set and 314 the CD bit set. In this case, the DNS64 is supposed 315 to pass on all the data it gets to the query initiator. 316 This case will not work with DNS64, unless the 317 validating resolver is prepared to do DNS64 itself. 319 The NAT64 Prefix Discovery specification [RFC7050] provides the 320 mechanism for the query initiator to learn the NAT64 prefix so that 321 it can do its own validation and DNS64 synthesis as described above. 322 With this mechanism the client can (i) interrogate the local NAT64/ 323 DNS64 gateway with an 'ipv4only.arpa' query to learn the IPv6 address 324 synthesis prefix, (ii) query for the (signed) IPv4 address records 325 itself, and validate the response, and then (iii) perform its own 326 IPv6 address synthesis locally, combining the IPv6 address synthesis 327 prefix learned from the local NAT64/DNS64 gateway with the validated 328 DNSSEC-signed data learned from the global Domain Name System. 330 It is conceivable that over time, if DNSSEC adoption continues to 331 grow, the majority of clients could move to this validate-and- 332 synthesize-locally model, which reduces the DNS64 machinery to the 333 vestigial role of simply responding to the 'ipv4only.arpa' query to 334 report the local IPv6 address synthesis prefix. In no case does the 335 client care what answer(s) the authoritative 'arpa' name servers 336 might give for that query. The 'ipv4only.arpa' query is being used 337 purely as a local client-to-middlebox communication message. 339 This approach is even more attractive if it does not create an 340 additional dependency on the authoritative 'arpa' name servers to 341 answer a query that is unnecessary because the NAT64/DNS64 gateway 342 already knows the answer before it even issues the query. Avoiding 343 this unnecessary query improves performance and reliability for the 344 client, and reduces unnecessary load for the authoritative 'arpa' 345 name servers. 347 Hard-coding the known answers for 'ipv4only.arpa' IPv4 address record 348 queries (DNS qtype "A") in recursive resolvers also reduces the risk 349 of malicious devices intercepting those queries and returning 350 incorrect answers. Because the 'ipv4only.arpa' zone has to be an 351 insecure delegation (see below) DNSSEC cannot be used to protect 352 these answers from tampering by malicious devices on the path. 354 With respect to the question of whether 'ipv4only.arpa' should be a 355 secure or insecure delegation, we need to consider two paths of 356 information flow through the network: The path from the server 357 authoritative for 'ipv4only.arpa' to the DNS64 recursive resolver, 358 and the path from the DNS64 recursive resolver to the ultimate 359 client. 361 The path from the authoritative server to the DNS64 recursive 362 resolver (queries for IPv4 address records) need not be protected by 363 DNSSEC, because the DNS64 recursive resolver already knows, by 364 specification, what the answers are. In principle, if this were a 365 secure delegation, and 'ipv4only.arpa' were a signed zone, then the 366 path from the authoritative server to the DNS64 recursive resolver 367 would still work, but DNSSEC is not necessary here. Run-time 368 cryptographic signatures are not needed to verify compile-time 369 constants. 371 The path from the DNS64 recursive resolver to the ultimate client 372 (queries for IPv6 address records) *cannot* be protected by DNSSEC, 373 because the DNS64 recursive resolver is synthesizing IPv6 address 374 answers, and does not possess the secret key required to sign those 375 answers. 377 Consequently, the 'ipv4only.arpa' zone MUST be an insecure 378 delegation, to give NAT64/DNS64 gateways the freedom to synthesize 379 answers to those queries at will, without the answers being rejected 380 by DNSSEC-capable resolvers. DNSSEC-capable resolvers that follow 381 this specification MUST NOT attempt to validate answers received in 382 response to queries for the IPv6 AAAA address records for 383 'ipv4only.arpa'. 385 The original NAT64 Prefix Discovery specification [RFC7050] stated, 386 incorrectly: 388 A signed "ipv4only.arpa." allows validating DNS64 servers 389 (see [RFC6147] Section 3, Case 5, for example) to detect 390 malicious AAAA resource records. Therefore, the zone 391 serving the well-known name has to be protected with DNSSEC. 393 This document updates the previous specification [RFC7050] to correct 394 that error. The 'ipv4only.arpa' zone MUST be an insecure delegation. 396 6. IANA Considerations 398 [Once published] IANA has created an insecure delegation for 399 'ipv4only.arpa' to allow DNS64 recursive resolvers to create 400 synthesized AAAA answers within that zone. 402 IANA has recorded the following names in the 403 Special-Use Domain Names registry [SUDN]: 405 ipv4only.arpa. 406 170.0.0.192.in-addr.arpa. 407 171.0.0.192.in-addr.arpa. 409 IANA has recorded the following IPv4 addresses in the 410 IPv4 Special-Purpose Address Registry [SUv4]: 412 192.0.0.170 413 192.0.0.171 415 7. Domain Name Reservation Considerations 417 7.1. Special Use Domain Name 'ipv4only.arpa' 419 The name 'ipv4only.arpa' is defined, by IETF specification [RFC7050], 420 to have two IPv4 address records with rdata 192.0.0.170 and 421 192.0.0.171. 423 When queried via a DNS64 [RFC6147] recursive resolver, the name 424 'ipv4only.arpa' is also defined to have IPv6 AAAA records, with rdata 425 synthesized from a combination of the NAT64 IPv6 prefix(es) and the 426 IPv4 addresses 192.0.0.170 and 192.0.0.171. This can return more 427 than one pair of IPv6 addresses if there are multiple NAT64 prefixes. 429 The name 'ipv4only.arpa' has no other IPv4 or IPv6 address records. 430 There are no subdomains of 'ipv4only.arpa'. All names falling below 431 'ipv4only.arpa' are defined to be nonexistent (NXDOMAIN). 433 The name 'ipv4only.arpa' is special to 434 (a) client software wishing to perform DNS64 address synthesis, 435 (b) APIs responsible for retrieving the correct information, and 436 (c) the DNS64 recursive resolver responding to such requests. 437 These three considerations are listed in items 2, 3 and 4 below: 439 1. Normal users should never have reason to encounter the 440 'ipv4only.arpa' domain name. If they do, they should expect 441 queries for 'ipv4only.arpa' to result in the answers required by 442 the specification [RFC7050]. Normal users have no need to know 443 that 'ipv4only.arpa' is special. 445 2. Application software may explicitly use the name 'ipv4only.arpa' 446 for NAT64/DNS64 address synthesis, and expect to get the answers 447 required by the specification [RFC7050]. If application software 448 encounters the name 'ipv4only.arpa' in the normal course of 449 handling user input, the application software should resolve that 450 name as usual and need not treat it in any special way. 452 3. Name resolution APIs and libraries MUST recognize 'ipv4only.arpa' 453 as special and MUST give it special treatment. 455 Learning a network's NAT64 prefix is by its nature an interface- 456 specific operation, and the special DNS query used to learn this 457 interface-specific NAT64 prefix MUST be sent to the DNS recursive 458 resolver address(es) the client learned via the configuration 459 machinery for that specific client interface. One implication of 460 this is that, on any host with multiple physical interfaces 461 (e.g., cellular data and Wi-Fi) and/or multiple virtual 462 interfaces (e.g., VPN tunnels), for a client to learn the NAT64 463 prefix in use on a particular interface, the DNS name resolution 464 APIs used to look up the IPv6 addresses for 'ipv4only.arpa' MUST 465 include a parameter for the client to specify on which interface 466 to perform this query. The NAT64 prefix is a per-interface 467 property, not a per-device property. 469 Regardless of any manual client DNS configuration, DNS overrides 470 configured by VPN client software, or any other mechanisms that 471 influence the choice of the client's recursive resolver 472 address(es) (including client devices that run their own local 473 recursive resolver and use the loopback address as their 474 configured recursive resolver address) all queries for 475 'ipv4only.arpa' and any subdomains of that name MUST be sent to 476 the recursive resolver learned from the network interface in 477 question via IPv6 Router Advertisement Options for DNS 478 Configuration [RFC8106], DNS Configuration options for DHCPv6 479 [RFC3646], or other configuration mechanisms. Because DNS 480 queries for 'ipv4only.arpa' are actually a special middlebox 481 communication protocol, it is essential that they go to the 482 correct middlebox for the interface in question, and failure to 483 honor this requirement would cause failure of the NAT64 Prefix 484 Discovery mechanism [RFC7050]. 486 DNSSEC-capable resolvers MUST NOT attempt to validate answers 487 received in response to queries for the IPv6 AAAA address records 488 for 'ipv4only.arpa', since, by definition, any such answers are 489 generated by the local network's NAT64/DNS64 gateway, not the 490 authoritative server responsible for that name. 492 4. For the purposes of this section, recursive resolvers fall into 493 three categories. The first category is *forwarding* recursive 494 resolvers, as commonly implemented in residential home gateways. 495 The second category is *iterative* recursive resolvers, as 496 commonly deployed by ISPs. (More information on these terms can 497 be found in DNS Terminology [RFC8499].) The third category is 498 DNS64 recursive resolvers, whose purpose is to synthesize IPv6 499 address records. 501 Forwarding recursive resolvers SHOULD NOT recognize 502 'ipv4only.arpa' as special or give that name, or subdomains of 503 that name, any special treatment. The rationale for this is that 504 a forwarding recursive resolver, such as built in to a 505 residential home gateway, may itself be downstream of a DNS64 506 recursive resolver. Passing through the 'ipv4only.arpa' queries 507 to the upstream DNS64 recursive resolver will allow the correct 508 NAT64 prefix to be discovered. 510 Iterative recursive resolvers complying with this specification 511 MUST recognize 'ipv4only.arpa' as special, and MUST be configured 512 to behave for these names either: (a) like a forwarding recursive 513 resolver as described above (forwarding these queries to a 514 configured upstream resolver), or (b) like a DNS64 recursive 515 resolver as described below. 517 Since the authoritative name servers for 'ipv4only.arpa' cannot 518 be expected to know the local network's NAT64 address synthesis 519 prefix, all DNS64 recursive resolvers MUST recognize 520 'ipv4only.arpa' (and all of its subdomains) as special, and MUST 521 NOT attempt to look up NS records for 'ipv4only.arpa', or 522 otherwise query authoritative name servers in an attempt to 523 resolve this name. Instead, DNS64 recursive resolvers MUST act 524 as authoritative for this zone, by generating immediate responses 525 for all queries for 'ipv4only.arpa' (and any subdomain of 526 'ipv4only.arpa'), with the one exception of queries for the DS 527 record. Queries for the DS record are resolved the usual way to 528 allow a client to securely verify that the 'ipv4only.arpa' zone 529 has an insecure delegation. Note that exception is not expected 530 to received widespread usage, since any client compliant with 531 this specification already knows that 'ipv4only.arpa' is an 532 insecure delegation and will not attempt DNSSEC validation for 533 this name. 535 DNS64 recursive resolvers MUST generate the 192.0.0.170 and 536 192.0.0.171 responses for IPv4 address queries (DNS qtype "A"), 537 the appropriate synthesized IPv6 address record responses for 538 IPv6 address queries (DNS qtype "AAAA"), and a negative 539 ("no error no answer") response for all other query types. 541 For all subdomains of 'ipv4only.arpa', DNS64 recursive resolvers 542 MUST generate immediate NXDOMAIN responses. All names falling 543 below 'ipv4only.arpa' are defined to be nonexistent. 545 An example configuration for BIND 9 showing how to achieve the 546 desired result is given in Appendix A. 548 Note that this is *not* a locally served zone in the usual sense 549 of that term [RFC6303] because this rule applies *only* to DNS64 550 recursive resolvers, not to forwarding DNS recursive resolvers. 552 5. Authoritative name server software need not recognize 553 'ipv4only.arpa' as special or handle it in any special way. 555 6. Generally speaking, operators of authoritative name servers need 556 not know anything about the name 'ipv4only.arpa', just as they do 557 not need to know anything about any other names they are not 558 responsible for. Only the administrators of the 'arpa' namespace 559 need to be aware of this name's purpose and how it should be 560 configured. In particular, 'ipv4only.arpa' MUST have the 561 required records, and MUST be an insecure delegation, to allow 562 DNS64 recursive resolvers to create synthesized AAAA answers 563 within that zone. Making the 'ipv4only.arpa' zone a secure 564 delegation would make it impossible for DNS64 recursive resolvers 565 to create synthesized AAAA answers that won't fail DNSSEC 566 validation, thereby defeating the entire purpose of the 567 'ipv4only.arpa' name. 569 7. DNS Registries/Registrars need not know anything about the name 570 'ipv4only.arpa', just as they do not need to know anything about 571 any other name they are not responsible for. 573 7.2. Names '170.0.0.192.in-addr.arpa' and '171.0.0.192.in-addr.arpa' 575 Since the IPv4 addresses 192.0.0.170 and 192.0.0.171 are defined to 576 be special, and are listed in the IPv4 Special-Purpose Address 577 Registry [SUv4], the corresponding reverse mapping names in the 578 in-addr.arpa domain are similarly special. 580 The name '170.0.0.192.in-addr.arpa' is defined, by IETF specification 581 [RFC7050], to have only one DNS record, type PTR, with rdata 582 'ipv4only.arpa'. 584 The name '171.0.0.192.in-addr.arpa' is defined, by IETF specification 585 [RFC7050], to have only one DNS record, type PTR, with rdata 586 'ipv4only.arpa'. 588 There are no subdomains of '170.0.0.192.in-addr.arpa' or 589 '171.0.0.192.in-addr.arpa'. All names falling below these names are 590 defined to be nonexistent (NXDOMAIN). 592 Practically speaking these two names are rarely used, but to the 593 extent that they may be, they are special only to resolver APIs and 594 libraries, as described in item 3 below: 596 1. Normal users should never have reason to encounter these two 597 reverse mapping names. However, if they do, queries for these 598 reverse mapping names should return the expected answer 599 'ipv4only.arpa'. Normal users have no need to know that these 600 reverse mapping names are special. 602 2. Application software SHOULD NOT recognize these two reverse 603 mapping names as special, and SHOULD NOT treat them differently. 604 For example, if the user were to issue the Unix command 605 "host 192.0.0.170" then the "host" command should call the name 606 resolution API or library as usual and display the result that is 607 returned. 609 3. Name resolution APIs and libraries SHOULD recognize these two 610 reverse mapping names as special and generate the required 611 responses locally. For the names '170.0.0.192.in-addr.arpa' and 612 '171.0.0.192.in-addr.arpa' PTR queries yield the result 613 'ipv4only.arpa'; all other query types yield a negative 614 ("no error no answer") response. For all subdomains of these two 615 reverse mapping domains, all queries yield an NXDOMAIN response. 616 All names falling below these two reverse mapping domains are 617 defined to be nonexistent. 619 This local self-contained generation of these responses is to 620 avoid placing unnecessary load on the authoritative 621 'in-addr.arpa' name servers. 623 4. Recursive resolvers SHOULD NOT recognize these two reverse 624 mapping names as special and SHOULD NOT, by default, give them 625 any special treatment. 627 5. Authoritative name server software need not recognize these two 628 reverse mapping names as special or handle them in any special 629 way. 631 6. Generally speaking, most operators of authoritative name servers 632 need not know anything about these two reverse mapping names, 633 just as they do not need to know anything about any other names 634 they are not responsible for. Only the operators of the 635 authoritative name servers for these two reverse mapping names 636 need to be aware that these names are special, and require fixed 637 answers specified by IETF specification. 639 7. DNS Registries/Registrars need not know anything about these two 640 reverse mapping names, just as they do not need to know anything 641 about any other name they are not responsible for. 643 7.2.1. ip6.arpa Reverse Mapping PTR Records 645 For all IPv6 addresses synthesized by a DNS64 recursive resolver, the 646 DNS64 recursive resolver is responsible for synthesizing the 647 appropriate 'ip6.arpa' reverse mapping PTR records too, if it chooses 648 to provide reverse mapping PTR records. The same applies to the 649 synthesized IPv6 addresses corresponding to the IPv4 addresses 650 192.0.0.170 and 192.0.0.171. 652 Generally a DNS64 recursive resolver synthesizes appropriate 653 'ip6.arpa' reverse mapping PTR records by extracting the embedded 654 IPv4 address from the encoded IPv6 address, performing a reverse 655 mapping PTR query for that IPv4 address, and then synthesizing a 656 corresponding 'ip6.arpa' reverse mapping PTR record containing the 657 same rdata. 659 In the case of synthesized IPv6 addresses corresponding to the IPv4 660 addresses 192.0.0.170 and 192.0.0.171, the DNS64 recursive resolver 661 does not issue reverse mapping queries for those IPv4 addresses, but 662 instead, according to rule 3 above, immediately returns the answer 663 'ipv4only.arpa'. 665 In the case of a client that uses the 'ipv4only.arpa' query to 666 discover the IPv6 prefixes in use by the local NAT64 gateway, and 667 then proceeds to perform its own address synthesis locally (which has 668 benefits such as allowing DNSSEC validation), that client MUST also 669 synthesize 'ip6.arpa' reverse mapping PTR records for those 670 discovered prefix(es), according to the rules above: When a client's 671 name resolution APIs and libraries receive a request to look up an 672 'ip6.arpa' reverse mapping PTR record for an address that falls 673 within one of the discovered NAT64 address synthesis prefixes, the 674 software extracts the embedded IPv4 address and then, for IPv4 675 addresses 192.0.0.170 and 192.0.0.171, returns the fixed answer 676 'ipv4only.arpa', and for all other IPv4 addresses performs a reverse 677 mapping PTR query for the IPv4 address, and then synthesizes a 678 corresponding 'ip6.arpa' reverse mapping PTR record containing the 679 same rdata. 681 8. Acknowledgements 683 Thanks to Jouni Korhonen, Teemu Savolainen, and Dan Wing, for 684 devising the NAT64 Prefix Discovery mechanism [RFC7050], and for 685 their feedback on this document. 687 Thanks to Geoff Huston for his feedback on this document. 689 Thanks to Erik Kline for pointing out that the in-addr.arpa names are 690 special too. 692 Thanks to Mark Andrews for pointing out the reasons why the 693 'ipv4only.arpa' zone MUST be an insecure delegation in order for the 694 NAT64 Prefix Discovery mechanism [RFC7050] to work, and many other 695 very helpful comments. 697 Thanks particularly to Lorenzo Colitti for an especially spirited 698 hallway discussion at IETF 96 in Berlin, which lead directly to 699 significant improvements in how this document presents the issues. 701 Thanks to Dave Thaler and Warren Kumari for generously helping 702 shepherd this document through the publication process. 704 9. References 706 9.1. Normative References 708 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 709 Requirement Levels", BCP 14, RFC 2119, 710 DOI 10.17487/RFC2119, March 1997, 711 . 713 [RFC3646] Droms, R., Ed., "DNS Configuration options for Dynamic 714 Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3646, 715 DOI 10.17487/RFC3646, December 2003, 716 . 718 [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful 719 NAT64: Network Address and Protocol Translation from IPv6 720 Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, 721 April 2011, . 723 [RFC6147] Bagnulo, M., Sullivan, A., Matthews, P., and I. van 724 Beijnum, "DNS64: DNS Extensions for Network Address 725 Translation from IPv6 Clients to IPv4 Servers", RFC 6147, 726 DOI 10.17487/RFC6147, April 2011, 727 . 729 [RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names", 730 RFC 6761, DOI 10.17487/RFC6761, February 2013, 731 . 733 [RFC7050] Savolainen, T., Korhonen, J., and D. Wing, "Discovery of 734 the IPv6 Prefix Used for IPv6 Address Synthesis", 735 RFC 7050, DOI 10.17487/RFC7050, November 2013, 736 . 738 [RFC8106] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli, 739 "IPv6 Router Advertisement Options for DNS Configuration", 740 RFC 8106, DOI 10.17487/RFC8106, March 2017, 741 . 743 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 744 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 745 May 2017, . 747 9.2. Informative References 749 [RFC6303] Andrews, M., "Locally Served DNS Zones", BCP 163, 750 RFC 6303, DOI 10.17487/RFC6303, July 2011, 751 . 753 [RFC8244] Lemon, T., Droms, R., and W. Kumari, "Special-Use Domain 754 Names Problem Statement", RFC 8244, DOI 10.17487/RFC8244, 755 October 2017, . 757 [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS 758 Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, 759 January 2019, . 761 [SUDN] "Special-Use Domain Names Registry", 762 . 765 [SUv4] "IANA IPv4 Special-Purpose Address Registry", 766 . 769 [DNS1] "1.1.1.1 - The free app that makes your Internet safer", 770 . 772 [DNS8] "Google Public DNS", 773 . 775 [DNS9] "Quad9 - Internet Security and Privacy In a Few Easy 776 Steps", . 778 Appendix A. Example BIND 9 Configuration 780 A BIND 9 recursive resolver can be configured to act as authoritative 781 for the necessary DNS64 names as described below. 783 In /etc/named.conf the following line is added: 785 zone "ipv4only.arpa" { type master; file "ipv4only"; }; 787 The file /var/named/ipv4only is created with the following content: 789 $TTL 86400 ; Default TTL 24 hours 790 @ IN SOA nameserver.example. admin.nameserver.example. ( 791 2016052400 ; Serial 792 7200 ; Refresh ( 7200 = 2 hours) 793 3600 ; Retry ( 3600 = 1 hour) 794 15724800 ; Expire (15724800 = 6 months) 795 60 ; Minimum 796 ) 797 @ IN NS nameserver.example. 799 @ IN A 192.0.0.170 800 @ IN A 192.0.0.171 801 @ IN AAAA 64:ff9b::192.0.0.170 ; If not using Well-Known Prefix 802 @ IN AAAA 64:ff9b::192.0.0.171 ; place chosen NAT64 prefix here 804 Authors' Addresses 806 Stuart Cheshire 807 Apple Inc. 808 One Apple Park Way 809 Cupertino, California 95014 810 USA 812 Phone: +1 (408) 996-1010 813 Email: cheshire@apple.com 815 David Schinazi 816 Google LLC 817 1600 Amphitheatre Parkway 818 Mountain View, California 94043 819 USA 821 Email: dschinazi.ietf@gmail.com