Difference between revisions of "RFC8880"

Latest revision as of 11:25, 30 October 2020

Internet Engineering Task Force (IETF) S. Cheshire Request for Comments: 8880 Apple Inc. Updates: 7050 D. Schinazi Category: Standards Track Google LLC ISSN: 2070-1721 August 2020

            Special Use Domain Name 'ipv4only.arpa'

Abstract

NAT64 (Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers) allows client devices using IPv6 to communicate with servers that have only IPv4 connectivity.

The specification for how a client discovers its local network's NAT64 prefix (RFC 7050) defines the special name 'ipv4only.arpa' for this purpose. However, in its Domain Name Reservation Considerations section (Section 8.1), that specification (RFC 7050) indicates that the name actually has no particularly special properties that would require special handling.

Consequently, despite the well-articulated special purpose of the name, 'ipv4only.arpa' was not recorded in the Special-Use Domain Names registry as a name with special properties.

This document updates RFC 7050. It describes the special treatment required and formally declares the special properties of the name. It also adds similar declarations for the corresponding reverse mapping names.

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8880.

Copyright Notice

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

1. Introduction

 1.1.  Conventions and Terminology

2. Reasons to Declare 'ipv4only.arpa' as Special 3. Consequences of 'ipv4only.arpa' Not Being Declared Special

 3.1.  Consequences for Name Resolution APIs and Libraries
 3.2.  Consequences for DNS64 Implementations

4. Remedies 5. Security Considerations 6. IANA Considerations 7. Domain Name Reservation Considerations

 7.1.  Special Use Domain Name 'ipv4only.arpa'
 7.2.  Names '170.0.0.192.in-addr.arpa' and
       '171.0.0.192.in-addr.arpa'
   7.2.1.  ip6.arpa Reverse Mapping PTR Records

8. References

 8.1.  Normative References
 8.2.  Informative References

Appendix A. Example BIND 9 Configuration Acknowledgements Authors' Addresses

1 Introduction
- 1.1 Conventions and Terminology
2 Reasons to Declare 'ipv4only.arpa' as Special
3 Consequences of 'ipv4only.arpa' Not Being Declared Special
- 3.1 Consequences for Name Resolution APIs and Libraries
- 3.2 Consequences for DNS64 Implementations
4 Remedies
5 Security Considerations
6 IANA Considerations
7 Domain Name Reservation Considerations
- 7.1 Special Use Domain Name 'ipv4only.arpa'
- 7.2 Names '170.0.0.192.in-addr.arpa' and '171.0.0.192.in-addr.arpa'
  - 7.2.1 ip6.arpa Reverse Mapping PTR Records
8 References
- 8.1 Normative References
- 8.2 Informative References

Introduction

NAT64 (Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers) RFC6146 allows client devices using IPv6 to communicate with servers that have only IPv4 connectivity.

DNS64 (DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers) RFC6147 facilitates use of NAT64 by clients by generating synthesized IPv6 addresses for IPv4 servers that have no IPv6 address of their own, or by communicating the local network's NAT64 prefix to clients so that they can perform the IPv6 address synthesis themselves.

The specification for how a client discovers its local network's NAT64 prefix RFC7050 defines the special name 'ipv4only.arpa' for this purpose, but in its Domain Name Reservation Considerations section (Section 8.1), that specification RFC7050 indicates that the name actually has no particularly special properties that would require special handling and does not request IANA to record the name in the Special-Use Domain Names registry [SUDN].

Consequently, despite the well-articulated special purpose of the name, 'ipv4only.arpa' was not recorded in the Special-Use Domain Names registry [SUDN] as a name with special properties.

This omission was discussed in the document "Special-Use Domain Names Problem Statement" RFC8244.

As a result of this omission, in cases where software needs to give this name special treatment in order for it to work correctly, there was no clear mandate authorizing software authors to implement that special treatment. Software implementers were left with the choice between not implementing the special behavior necessary for the name queries to work correctly or implementing the special behavior and being accused of being noncompliant with IETF DNS specifications.

This document describes the special treatment required, formally declares the special properties of the name, and adds similar declarations for the corresponding reverse mapping names.

Conventions and Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 RFC2119 RFC8174 when, and only when, they appear in all capitals, as shown here.

Reasons to Declare 'ipv4only.arpa' as Special

The hostname 'ipv4only.arpa' is peculiar in that it was never intended to be treated like a normal hostname.

A typical client never has any reason to look up the IPv4 address records for 'ipv4only.arpa': no normal user is ever trying to view a website hosted at that domain name or trying to send email to an email address at that domain name. The name 'ipv4only.arpa' is already known, by IETF specification RFC7050, to have exactly two IPv4 address records: 192.0.0.170 and 192.0.0.171. No client ever has to look up the name in order to learn those two addresses.

In contrast, clients often look up the IPv6 AAAA address records for 'ipv4only.arpa', which is contrary to general DNS expectations, given that it is already known, by IETF specification RFC7050, that 'ipv4only.arpa' is an IPv4-only name, and it has no IPv6 AAAA address records. And yet, clients expect to receive, and do in fact receive, positive answers for these IPv6 AAAA address records that apparently should not exist.

This odd query behavior comes not because clients are using DNS to learn legitimate answers from the name's legitimate authoritative server, but because the DNS protocol has, in effect, been co-opted as an improvised client-to-middlebox communication protocol to look for a DNS64/NAT64 RFC6147 RFC6146 gateway and, if one is present, to request that it disclose the prefix it is using for IPv6 address synthesis.

This use of specially crafted DNS queries as an improvised client-to- middlebox communication protocol has a number of specific consequences, outlined below, which client software needs to take into account if the queries are to produce the desired results. This is particularly true when used on a multihomed host or when a VPN tunnel is in use. The name 'ipv4only.arpa' is most definitely a special name and needs to be listed in IANA's registry along with other DNS names that have special uses [SUDN].

Consequences of 'ipv4only.arpa' Not Being Declared Special

As a result of the original specification RFC7050 not formally declaring 'ipv4only.arpa' to have special properties, there was no clear mandate for DNS software to treat this name specially. In particular, this lack of mandate for special treatment is relevant (a) to the name resolution APIs and libraries on client devices and (b) to DNS64 RFC6147 implementations. These two aspects are discussed in more detail below.

Consequences for Name Resolution APIs and Libraries

A serious problem can occur with DNS64/NAT64 when a device is configured to use a recursive resolver other than the one it learned from the network.

A device joining a NAT64 network will learn the recursive resolver recommended for that network, typically via IPv6 Router Advertisement Options RFC8106 or via DHCPv6 RFC3646. On a NAT64 network, it is essential that the client use the DNS64 recursive resolver recommended for that network, since only that recursive resolver can be relied upon to know the appropriate prefix(es) to use for synthesizing IPv6 addresses that will be acceptable to that NAT64 gateway.

However, it is becoming increasingly common for users to manually override their default DNS configuration because they wish to use some other public recursive resolver on the Internet, which may offer better speed, reliability, or privacy than the local network's default recursive resolver. At the time of writing, examples of widely known public recursive resolver services include Cloudflare Public DNS [DNS1], Google Public DNS [DNS8], and Quad9 [DNS9].

Another common scenario is the use of corporate or personal VPN client software. Both for privacy reasons and because the local network's recursive resolver will typically be unable to provide answers for the company's private internal host names, VPN client software usually overrides the local network's default configuration to divert some or all DNS requests so that they go to the company's own private internal recursive resolver instead of to the default recursive resolver the client learned from its local network. (The company's own private internal recursive resolvers typically have addresses that are themselves reached through the VPN tunnel, not via the public Internet.) As with the case described above of public recursive resolver services, the company's private internal recursive resolver cannot be expected to be able to synthesize IPv6 addresses correctly for use with the local network's NAT64 gateway, because the company's private internal recursive resolver is unlikely to be aware of the NAT64 prefix in use on the NAT64 network to which the client device is currently attached. It is clear that a single recursive resolver cannot meet both needs. The local network's recursive resolver cannot be expected to give answers for some unknown company's private internal host names, and a company's private internal recursive resolver cannot be expected to give correctly synthesized IPv6 addresses suitable for some unknown local network's NAT64 gateway.

Note that multiple NAT64 services may be simultaneously available to a client. For example, the local network may provide NAT64 service (to allow an IPv6-only client device to access IPv4-only Internet services), while at the same time, a corporate VPN may also provide NAT64 service (to allow a client connecting via an IPv6-only VPN tunnel to access IPv4-only corporate services). The NAT64 address synthesis prefixes for the two NAT64 services may be different. In this case, it is essential that the NAT64 address synthesis prefix used on the local network be the prefix learned from the local network's recursive resolver, and the NAT64 address synthesis prefix used on the VPN tunnel be the prefix learned from the VPN tunnel's recursive resolver.

The difficulty here arises because DNS is being used for two unrelated purposes. The first purpose is retrieving data from a (nominally) global database, generally retrieving the IP address(es) associated with a hostname. The second purpose is using the DNS protocol as a middlebox communication protocol, to interrogate the local network infrastructure to discover the IPv6 prefix(es) in use by the local NAT64 gateway for address synthesis.

Consequences for DNS64 Implementations

As a result of there being no mandate for special treatment, queries for 'ipv4only.arpa' had to be handled normally, resulting in DNS64 gateways performing unnecessary queries to the authoritative 'arpa' name servers, both unnecessary IPv6 address record queries (DNS qtype "AAAA", always returning negative responses) and unnecessary IPv4 address record queries (DNS qtype "A", always returning the same positive responses).

Having DNS64 gateways around the world issue these queries generated additional load on the authoritative 'arpa' name servers, which was redundant when the name 'ipv4only.arpa' is defined, by IETF specification RFC7050, to have exactly two IPv4 address records, 192.0.0.170 and 192.0.0.171, and no other IPv4 or IPv6 address records.

Also, at times, for reasons that remain unclear, the authoritative 'arpa' name servers have been observed to be slow or unresponsive. The failures of these 'ipv4only.arpa' queries result in unnecessary failures of the DNS64 gateways and of the client devices that depend on them for DNS64 RFC6147 address synthesis.

Even when the authoritative 'arpa' name servers are operating correctly, having to perform an unnecessary query to obtain an answer that is already known in advance can add precious milliseconds of delay, affecting user experience on the client devices waiting for those synthesized replies.

Remedies

This document leverages operational experience to update the Domain Name Reservation Considerations section RFC6761 of the earlier prefix discovery specification RFC7050 with one that more accurately lists the actual special properties of the name 'ipv4only.arpa', so that software can legitimately implement the correct behavior necessary for better performance, better reliability, and correct operation.

These changes affect two bodies of software: (a) the name resolution APIs and libraries on client devices, and (b) DNS64 implementations.

The new special rules specified in this document for name resolution APIs and libraries state how they should select which recursive resolver to query to learn the IPv6 address synthesis prefix in use on a particular physical or virtual interface. Specifically, when querying for the name 'ipv4only.arpa', name resolution APIs and libraries should use the recursive resolver recommended by the network for the interface in question rather than a recursive resolver configured manually, a recursive resolver configured by VPN software, or a full-service recursive resolver running on the local host. Superficially, this might seem like a security issue, since the user might have explicitly configured the particular DNS resolver they wish to use, and rather than using that, the name resolution code ignores the user's stated preference and uses untrusted input received from the network instead. However, the 'ipv4only.arpa' query is not really a DNS query in the usual sense; even though it may look like a DNS query, it is actually an improvised client-to- middlebox communication protocol in disguise. For NAT64 to work at all, it is necessary for the interface on which NAT64 translation is being performed to tell the host the address of the DNS64 recursive resolver the host must use to learn the NAT64 prefix being used by that NAT64. This is typically done via IPv6 Router Advertisement Options for DNS Configuration RFC8106 or via DNS Configuration options for DHCPv6 RFC3646.

The new special rules specified in this document for DNS64 implementations recommend that they avoid performing run-time network queries for values that are known to be fixed by specification.

A useful property of the way NAT64 Prefix Discovery RFC7050 was originally specified was that it allowed for incremental deployment. Even if existing DNS64 gateways, that were unaware of the special 'ipv4only.arpa' name, were already deployed, once IANA created the appropriate 'ipv4only.arpa' records, clients could begin to use the new facility immediately. Clients could send their special queries for 'ipv4only.arpa' to an ipv4only-unaware DNS64 gateway, and, as a side effect of its usual query processing (after a query to IANA's servers), the DNS64 gateway would then generate the correct synthesized response.

While this was a useful transition strategy to enable rapid adoption, it is not the ideal end situation. For better performance, better reliability, and lower load in IANA's servers, it is preferable for DNS64 gateways to be aware of the special 'ipv4only.arpa' name so that they can avoid issuing unnecessary queries. Network operators who wish to provide reliable, high-performance service to their customers are motivated to prefer DNS64 gateways that recognize the special 'ipv4only.arpa' name and apply the appropriate optimizations.

Security Considerations

One of the known concerns with DNS64 is that it conflicts with DNSSEC. If DNSSEC is used to assert cryptographically that a name has no IPv6 AAAA records, then this interferes with using DNS64 address synthesis to tell a client that those nonexistent IPv6 AAAA records do exist.

Section 3 of the DNS64 specification RFC6147 discusses this:

| ... DNS64 receives a query with the DO bit set and the CD bit set. | In this case, the DNS64 is supposed to pass on all the data it | gets to the query initiator. This case will not work with DNS64, | unless the validating resolver is prepared to do DNS64 itself.

The NAT64 Prefix Discovery specification RFC7050 provides the mechanism for the query initiator to learn the NAT64 prefix so that it can do its own validation and DNS64 synthesis as described above. With this mechanism, the client can (i) interrogate the local DNS64/ NAT64 gateway (with an 'ipv4only.arpa' query) to learn the IPv6 address synthesis prefix, (ii) query for the (signed) IPv4 address records for the desired hostname and validate the response, and then (iii) perform its own IPv6 address synthesis locally, combining the IPv6 address synthesis prefix learned from the local DNS64/NAT64 gateway with the validated DNSSEC-signed data learned from the global Domain Name System.

It is conceivable that, over time, if DNSSEC adoption continues to grow, the majority of clients could move to this validate-and- synthesize-locally model, which reduces the DNS64 machinery to the vestigial role of simply responding to the 'ipv4only.arpa' query to report the local IPv6 address synthesis prefix. At the time of publication, network operators have been observed "in the wild" deploying NAT64 service with DNS recursive resolvers that reply to 'ipv4only.arpa' queries but otherwise perform no other NAT64 address synthesis. In no case does the client care what answer(s) the authoritative 'arpa' name servers might give for that query. The 'ipv4only.arpa' query is being used purely as a local client-to- middlebox communication message.

This validate-and-synthesize-locally approach is even more attractive if it does not create an additional dependency on the authoritative 'arpa' name servers to answer a query that is unnecessary because the DNS64/NAT64 gateway already knows the answer before it even issues the query. Avoiding this unnecessary query improves performance and reliability for the client and reduces unnecessary load for the authoritative 'arpa' name servers.

Hardcoding the known answers for 'ipv4only.arpa' IPv4 address record queries (DNS qtype "A") in recursive resolvers also reduces the risk of malicious devices intercepting those queries and returning incorrect answers. Because the 'ipv4only.arpa' zone has to be an insecure delegation (see below), DNSSEC cannot be used to protect these answers from tampering by malicious devices on the path.

With respect to the question of whether 'ipv4only.arpa' should be a secure or insecure delegation, we need to consider two paths of information flow through the network:

1. The path from the server authoritative for 'ipv4only.arpa' to the

   DNS64 recursive resolver

2. The path from the DNS64 recursive resolver to the ultimate client

The path from the authoritative server to the DNS64 recursive resolver (queries for IPv4 address records) need not be protected by DNSSEC, because the DNS64 recursive resolver already knows, by specification, what the answers are. In principle, if this were a secure delegation, and 'ipv4only.arpa' were a signed zone, then the path from the authoritative server to the DNS64 recursive resolver would still work, but DNSSEC is not necessary here. Run-time cryptographic signatures are not needed to verify compile-time constants. Validating the signatures could only serve to introduce potential failures into the system for minimal benefit.

The path from the DNS64 recursive resolver to the ultimate client (queries for IPv6 address records) *cannot* be protected by DNSSEC because the DNS64 recursive resolver is synthesizing IPv6 address answers and does not possess the DNSSEC secret key required to sign those answers.

Consequently, the 'ipv4only.arpa' zone MUST be an insecure delegation to give DNS64/NAT64 gateways the freedom to synthesize answers to those queries at will, without the answers being rejected by DNSSEC- capable resolvers. DNSSEC-capable resolvers that follow this specification MUST NOT attempt to validate answers received in response to queries for the IPv6 AAAA address records for 'ipv4only.arpa'. Note that the name 'ipv4only.arpa' has no use outside of being used for this special DNS pseudo-query used to learn the DNS64/NAT64 address synthesis prefix, so the lack of DNSSEC security for that name is not a problem.

The original NAT64 Prefix Discovery specification RFC7050 stated, incorrectly:

| A signed "ipv4only.arpa." allows validating DNS64 servers (see | RFC6147 Section 3, Case 5, for example) to detect malicious AAAA | resource records. Therefore, the zone serving the well-known name | has to be protected with DNSSEC.

This document updates the previous specification RFC7050 to correct that error. The 'ipv4only.arpa' zone MUST be an insecure delegation.

IANA Considerations

IANA has created an insecure delegation for 'ipv4only.arpa' to allow DNS64 recursive resolvers to create synthesized AAAA answers within that zone.

IANA has recorded the following names in the Special-Use Domain Names registry [SUDN]:

  ipv4only.arpa.
  170.0.0.192.in-addr.arpa.
  171.0.0.192.in-addr.arpa.

IANA has recorded the following IPv4 addresses in the IANA IPv4 Special-Purpose Address Registry [SUv4]:

  192.0.0.170
  192.0.0.171

Domain Name Reservation Considerations

Special Use Domain Name 'ipv4only.arpa'

The name 'ipv4only.arpa' is defined, by IETF specification RFC7050, to have two IPv4 address records with rdata 192.0.0.170 and 192.0.0.171.

When queried via a DNS64 recursive resolver RFC6147, the name 'ipv4only.arpa' is also defined to have IPv6 AAAA records, with rdata synthesized from a combination of the NAT64 IPv6 prefix(es) and the IPv4 addresses 192.0.0.170 and 192.0.0.171. This can return more than one pair of IPv6 addresses if there are multiple NAT64 prefixes.

The name 'ipv4only.arpa' has no other IPv4 or IPv6 address records. There are no subdomains of 'ipv4only.arpa'. All names falling below 'ipv4only.arpa' are defined to be nonexistent (NXDOMAIN).

The name 'ipv4only.arpa' is special to

a. client software wishing to perform DNS64 address synthesis,

b. APIs responsible for retrieving the correct information, and

c. the DNS64 recursive resolver responding to such requests.

These three considerations are listed in items 2, 3, and 4 below:

1. Normal users should never have reason to encounter the

   'ipv4only.arpa' domain name.  If they do, they should expect
   queries for 'ipv4only.arpa' to result in the answers required by
   the specification RFC7050.  Normal users have no need to know
   that 'ipv4only.arpa' is special.

2. Application software may explicitly use the name 'ipv4only.arpa'

   for DNS64/NAT64 address synthesis and expect to get the answers
   required by the specification RFC7050.  If application software
   encounters the name 'ipv4only.arpa' in the normal course of
   handling user input, the application software should resolve that
   name as usual and need not treat it in any special way.

3. Name resolution APIs and libraries MUST recognize 'ipv4only.arpa'

   as special and MUST give it special treatment.

   Learning a network's NAT64 prefix is, by its nature, an
   interface-specific operation, and the special DNS query used to
   learn this interface-specific NAT64 prefix MUST be sent to the
   DNS recursive resolver address(es) the client learned via the
   configuration machinery for that specific client interface.  The
   NAT64 prefix is a per-interface property, not a per-device
   property.

   Regardless of any manual client DNS configuration, DNS overrides
   configured by VPN client software, or any other mechanisms that
   influence the choice of the client's recursive resolver
   address(es) (including client devices that run their own local
   recursive resolver and use the loopback address as their
   configured recursive resolver address), all queries for
   'ipv4only.arpa' and any subdomains of that name MUST be sent to
   the recursive resolver learned from the network interface in
   question via IPv6 Router Advertisement Options for DNS
   Configuration RFC8106, DNS Configuration options for DHCPv6
   RFC3646, or other configuration mechanisms.  Because DNS
   queries for 'ipv4only.arpa' are actually a special middlebox
   communication protocol, it is essential that they go to the
   correct middlebox for the interface in question, and failure to
   honor this requirement would cause failure of the NAT64 Prefix
   Discovery mechanism RFC7050.

   One implication of this is that, on multihomed devices (devices
   that allow more than one logical or physical IP interface to be
   active at the same time, e.g., cellular data and Wi-Fi, or one
   physical interface plus a VPN connection), clients MUST use
   interface-aware name resolution APIs.  On different (logical or
   physical) interfaces, different DNS64 answers may be received,
   and DNS64 answers are only valid for the interface on which they
   were received.  On multihomed devices (including devices that
   support VPN), name resolution APIs that do not include interface
   parameters will not work reliably with NAT64.  On single-homed
   devices, interface-unaware name resolution APIs are acceptable
   since when only one interface can be active at a time, there is
   no need to specify an interface.

   DNSSEC-capable resolvers MUST NOT attempt to validate answers
   received in response to queries for the IPv6 AAAA address records
   for 'ipv4only.arpa' since, by definition, any such answers are
   generated by the local network's DNS64/NAT64 gateway, not the
   authoritative server responsible for that name.

4. For the purposes of this section, recursive resolvers fall into

   two categories.  The first category is traditional recursive
   resolvers, which includes *forwarding* recursive resolvers, as
   commonly implemented in residential home gateways, and
   *iterative* recursive resolvers, as commonly deployed by ISPs.
   The second category is DNS64 recursive resolvers, whose purpose
   is to synthesize IPv6 address records.  These may be *forwarding*
   DNS64 recursive resolvers or *iterative* DNS64 recursive
   resolvers, and they work in partnership with a companion NAT64
   gateway to communicate the appropriate NAT64 address synthesis
   prefix to clients.  More information on these terms can be found
   in the DNS Terminology document RFC8499.

   Traditional forwarding recursive resolvers SHOULD NOT recognize
   'ipv4only.arpa' as special or give that name, or subdomains of
   that name, any special treatment.  The rationale for this is that
   a traditional forwarding recursive resolver, such as built in to
   a residential home gateway, may itself be downstream of a DNS64
   recursive resolver.  Passing through the 'ipv4only.arpa' queries
   to the upstream DNS64 recursive resolver will allow the correct
   NAT64 prefix to be discovered.

   Traditional iterative recursive resolvers that are not explicitly
   configured to synthesize IPv6 prefixes on behalf of a companion
   NAT64 gateway need not recognize 'ipv4only.arpa' as special or
   take any special action.

   Forwarding or iterative recursive resolvers that have been
   explicitly configured to perform DNS64 address synthesis in
   support of a companion NAT64 gateway (i.e., "DNS64 recursive
   resolvers") MUST recognize 'ipv4only.arpa' as special.  The
   authoritative name servers for 'ipv4only.arpa' cannot be expected
   to know the local network's NAT64 address synthesis prefix, so
   consulting the authoritative name servers for IPv6 address
   records for 'ipv4only.arpa' is futile.  All DNS64 recursive
   resolvers MUST recognize 'ipv4only.arpa' (and all of its
   subdomains) as special, and they MUST NOT attempt to look up NS
   records for 'ipv4only.arpa' or otherwise query authoritative name
   servers in an attempt to resolve this name.  Instead, DNS64
   recursive resolvers MUST act as authoritative for this zone, by
   generating immediate responses for all queries for
   'ipv4only.arpa' (and any subdomain of 'ipv4only.arpa'), with the
   one exception of queries for the DS record.  Queries for the DS
   record are resolved the usual way to allow a client to securely
   verify that the 'ipv4only.arpa' zone has an insecure delegation.
   Note that this exception is not expected to receive widespread
   usage, since any client compliant with this specification already
   knows that 'ipv4only.arpa' is an insecure delegation and will not
   attempt DNSSEC validation for this name.

   DNS64 recursive resolvers MUST generate the 192.0.0.170 and
   192.0.0.171 responses for IPv4 address queries (DNS qtype "A"),
   the appropriate synthesized IPv6 address record responses for
   IPv6 address queries (DNS qtype "AAAA"), and a negative
   ("no error no answer") response for all other query types except
   DS.

   For all subdomains of 'ipv4only.arpa', DNS64 recursive resolvers
   MUST generate immediate NXDOMAIN responses.  All names falling
   below 'ipv4only.arpa' are defined to be nonexistent.

   An example configuration for BIND 9 showing how to achieve the
   desired result is given in Appendix A.

   Note that this is *not* a locally served zone in the usual sense
   of that term RFC6303 because this rule applies *only* to DNS64
   recursive resolvers, not to traditional forwarding or iterative
   recursive resolvers.

5. Authoritative name server software need not recognize

   'ipv4only.arpa' as special or handle it in any special way.

6. Generally speaking, operators of authoritative name servers need

   not know anything about the name 'ipv4only.arpa', just as they do
   not need to know anything about any other names they are not
   responsible for.  Only the administrators of the 'arpa' namespace
   need to be aware of this name's purpose and how it should be
   configured.  In particular, 'ipv4only.arpa' MUST have the
   required records, and MUST be an insecure delegation, to allow
   DNS64 recursive resolvers to create synthesized AAAA answers
   within that zone.  Making the 'ipv4only.arpa' zone a secure
   delegation would make it impossible for DNS64 recursive resolvers
   to create synthesized AAAA answers that will be accepted by
   DNSSEC validating clients, thereby defeating the entire purpose
   of the 'ipv4only.arpa' name.

7. DNS Registries/Registrars need not know anything about the name

   'ipv4only.arpa', just as they do not need to know anything about
   any other name they are not responsible for.

Names '170.0.0.192.in-addr.arpa' and '171.0.0.192.in-addr.arpa'

Since the IPv4 addresses 192.0.0.170 and 192.0.0.171 are defined to be special, and are listed in the IANA IPv4 Special-Purpose Address Registry [SUv4], the corresponding reverse mapping names in the in-addr.arpa domain are similarly special.

The name '170.0.0.192.in-addr.arpa' is defined, by IETF specification RFC7050, to have only one DNS record, type PTR, with rdata 'ipv4only.arpa'.

The name '171.0.0.192.in-addr.arpa' is defined, by IETF specification RFC7050, to have only one DNS record, type PTR, with rdata 'ipv4only.arpa'.

There are no subdomains of '170.0.0.192.in-addr.arpa' or '171.0.0.192.in-addr.arpa'. All names falling below these names are defined to be nonexistent (NXDOMAIN).

Practically speaking, these two names are rarely used, but to the extent that they may be, they are special only to resolver APIs and libraries, as described in item 3 below:

1. Normal users should never have reason to encounter these two

   reverse mapping names.  However, if they do, queries for these
   reverse mapping names should return the expected answer
   'ipv4only.arpa'.  Normal users have no need to know that these
   reverse mapping names are special.

2. Application software SHOULD NOT recognize these two reverse

   mapping names as special and SHOULD NOT treat them differently.
   For example, if the user were to issue the Unix command
   "host 192.0.0.170", then the "host" command should call the name
   resolution API or library as usual and display the result that is
   returned.

3. Name resolution APIs and libraries SHOULD recognize these two

   reverse mapping names as special and generate the required
   responses locally.  For the names '170.0.0.192.in-addr.arpa' and
   '171.0.0.192.in-addr.arpa', PTR queries yield the result
   'ipv4only.arpa'; all other query types yield a negative
   ("no error no answer") response.  For all subdomains of these two
   reverse mapping domains, all queries yield an NXDOMAIN response.
   All names falling below these two reverse mapping domains are
   defined to be nonexistent.

   This local self-contained generation of these responses is to
   avoid placing unnecessary load on the authoritative
   'in-addr.arpa' name servers.

4. Recursive resolvers SHOULD NOT recognize these two reverse

   mapping names as special and SHOULD NOT, by default, give them
   any special treatment.

5. Authoritative name server software need not recognize these two

   reverse mapping names as special or handle them in any special
   way.

6. Generally speaking, most operators of authoritative name servers

   need not know anything about these two reverse mapping names,
   just as they do not need to know anything about any other names
   they are not responsible for.  Only the operators of the
   authoritative name servers for these two reverse mapping names
   need to be aware that these names are special, and require fixed
   answers specified by IETF specification.

7. DNS Registries/Registrars need not know anything about these two

   reverse mapping names, just as they do not need to know anything
   about any other name they are not responsible for.

ip6.arpa Reverse Mapping PTR Records

For all IPv6 addresses synthesized by a DNS64 recursive resolver, the DNS64 recursive resolver is responsible for synthesizing the appropriate 'ip6.arpa' reverse mapping PTR records too, if it chooses to provide reverse mapping PTR records. The same applies to the synthesized IPv6 addresses corresponding to the IPv4 addresses 192.0.0.170 and 192.0.0.171.

Generally, a DNS64 recursive resolver synthesizes appropriate 'ip6.arpa' reverse mapping PTR records by extracting the embedded IPv4 address from the encoded IPv6 address, performing a reverse mapping PTR query for that IPv4 address, and then synthesizing a corresponding 'ip6.arpa' reverse mapping PTR record containing the same rdata.

In the case of synthesized IPv6 addresses corresponding to the IPv4 addresses 192.0.0.170 and 192.0.0.171, the DNS64 recursive resolver does not issue reverse mapping queries for those IPv4 addresses, but instead, according to rule 3 above, immediately returns the answer 'ipv4only.arpa'.

In the case of a client that uses the 'ipv4only.arpa' query to discover the IPv6 prefixes in use by the local NAT64 gateway, and then proceeds to perform its own address synthesis locally (which has benefits such as allowing DNSSEC validation), that client MUST also synthesize 'ip6.arpa' reverse mapping PTR records for those discovered prefix(es), according to the rules above: When a client's name resolution APIs and libraries receive a request to look up an 'ip6.arpa' reverse mapping PTR record for an address that falls within one of the discovered NAT64 address synthesis prefixes, the software extracts the embedded IPv4 address and then, for IPv4 addresses 192.0.0.170 and 192.0.0.171, returns the fixed answer 'ipv4only.arpa', and for all other IPv4 addresses, performs a reverse mapping PTR query for the IPv4 address and then synthesizes a corresponding 'ip6.arpa' reverse mapping PTR record containing the same rdata.

References

Normative References

RFC2119 Bradner, S., "Key words for use in RFCs to Indicate

          Requirement Levels", BCP 14, RFC 2119,
          DOI 10.17487/RFC2119, March 1997,
          <https://www.rfc-editor.org/info/rfc2119>.

RFC3646 Droms, R., Ed., "DNS Configuration options for Dynamic

          Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3646,
          DOI 10.17487/RFC3646, December 2003,
          <https://www.rfc-editor.org/info/rfc3646>.

RFC6146 Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful

          NAT64: Network Address and Protocol Translation from IPv6
          Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
          April 2011, <https://www.rfc-editor.org/info/rfc6146>.

RFC6147 Bagnulo, M., Sullivan, A., Matthews, P., and I. van

          Beijnum, "DNS64: DNS Extensions for Network Address
          Translation from IPv6 Clients to IPv4 Servers", RFC 6147,
          DOI 10.17487/RFC6147, April 2011,
          <https://www.rfc-editor.org/info/rfc6147>.

RFC6761 Cheshire, S. and M. Krochmal, "Special-Use Domain Names",

          RFC 6761, DOI 10.17487/RFC6761, February 2013,
          <https://www.rfc-editor.org/info/rfc6761>.

RFC7050 Savolainen, T., Korhonen, J., and D. Wing, "Discovery of

          the IPv6 Prefix Used for IPv6 Address Synthesis",
          RFC 7050, DOI 10.17487/RFC7050, November 2013,
          <https://www.rfc-editor.org/info/rfc7050>.

RFC8106 Jeong, J., Park, S., Beloeil, L., and S. Madanapalli,

          "IPv6 Router Advertisement Options for DNS Configuration",
          RFC 8106, DOI 10.17487/RFC8106, March 2017,
          <https://www.rfc-editor.org/info/rfc8106>.

RFC8174 Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC

          2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
          May 2017, <https://www.rfc-editor.org/info/rfc8174>.

Informative References

RFC6303 Andrews, M., "Locally Served DNS Zones", BCP 163,

          RFC 6303, DOI 10.17487/RFC6303, July 2011,
          <https://www.rfc-editor.org/info/rfc6303>.

RFC8244 Lemon, T., Droms, R., and W. Kumari, "Special-Use Domain

          Names Problem Statement", RFC 8244, DOI 10.17487/RFC8244,
          October 2017, <https://www.rfc-editor.org/info/rfc8244>.

RFC8499 Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS

          Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
          January 2019, <https://www.rfc-editor.org/info/rfc8499>.

[SUDN] IANA, "Special-Use Domain Names",

          <https://www.iana.org/assignments/special-use-domain-
          names/>.

[SUv4] IANA, "IANA IPv4 Special-Purpose Address Registry",

          <https://www.iana.org/assignments/iana-ipv4-special-
          registry/>.

[DNS1] Cloudflare, "1.1.1.1 - The free app that makes your

          Internet safer.", <https://1.1.1.1/>.

[DNS8] Google, "Google Public DNS",

          <https://developers.google.com/speed/public-dns/>.

[DNS9] Quad9, "Internet Security and Privacy In a Few Easy

          Steps", <https://quad9.net/>.

Appendix A. Example BIND 9 Configuration

A BIND 9 recursive resolver can be configured to act as authoritative for the necessary DNS64 names as described below.

In /etc/named.conf, the following line is added:

  zone "ipv4only.arpa"            { type master; file "ipv4only"; };

The file /var/named/ipv4only is created with the following content:

  $TTL 86400               ; Default TTL 24 hours
  @ IN SOA nameserver.example. admin.nameserver.example. (
           2016052400      ; Serial
           7200            ; Refresh ( 7200 = 2 hours)
           3600            ; Retry   ( 3600 = 1 hour)
           15724800        ; Expire  (15724800 = 6 months)
           60              ; Minimum
           )
  @ IN NS  nameserver.example.

  @ IN A    192.0.0.170
  @ IN A    192.0.0.171
  @ IN AAAA 64:ff9b::192.0.0.170 ; If not using Well-Known Prefix
  @ IN AAAA 64:ff9b::192.0.0.171 ; place chosen NAT64 prefix here

Acknowledgements

Thanks to Jouni Korhonen, Teemu Savolainen, and Dan Wing, for devising the NAT64 Prefix Discovery mechanism RFC7050 and for their feedback on this document.

Thanks to Geoff Huston for his feedback on this document.

Thanks to Erik Kline for pointing out that the in-addr.arpa names are special, too.

Thanks to Mark Andrews for conclusively pointing out the reasons why the 'ipv4only.arpa' zone must be an insecure delegation in order for the NAT64 Prefix Discovery mechanism RFC7050 to work and for many other very helpful comments.

Thanks particularly to Lorenzo Colitti for an especially spirited hallway discussion at IETF 96 in Berlin, which lead directly to significant improvements in how this document presents the issues.

Thanks to Scott Bradner, Bernie Volz, Barry Leiba, Mirja Kuehlewind, Suresh Krishnan, Benjamin Kaduk, Roman Danyliw, Eric Vyncke, and the other IESG reviewers for their thoughtful feedback.

Thanks to Dave Thaler and Warren Kumari for generously helping shepherd this document through the publication process.

Authors' Addresses

Stuart Cheshire Apple Inc. One Apple Park Way Cupertino, California 95014 United States of America

Phone: +1 (408) 996-1010 Email: [email protected]

David Schinazi Google LLC 1600 Amphitheatre Parkway Mountain View, California 94043 United States of America

Email: [email protected]

Anonymous

Search

Difference between revisions of "RFC8880"

Namespaces

More

Page actions

Latest revision as of 11:25, 30 October 2020

Contents

Introduction

Conventions and Terminology

Reasons to Declare 'ipv4only.arpa' as Special

Consequences of 'ipv4only.arpa' Not Being Declared Special

Consequences for Name Resolution APIs and Libraries

Consequences for DNS64 Implementations

Remedies

Security Considerations

IANA Considerations

Domain Name Reservation Considerations

Special Use Domain Name 'ipv4only.arpa'

Names '170.0.0.192.in-addr.arpa' and '171.0.0.192.in-addr.arpa'

ip6.arpa Reverse Mapping PTR Records

References

Normative References

Informative References

Navigation

Navigation

Wiki tools

Wiki tools

@@ Line 1: / Line 1: @@
 Internet Engineering Task Force (IETF)                      S. Cheshire
@@ Line 9: / Line 7: @@
 ISSN: 2070-1721                                              August 2020
+            Special Use Domain Name 'ipv4only.arpa'
-                Special Use Domain Name 'ipv4only.arpa'
+'''Abstract'''
-Abstract
+NAT64 (Network Address and Protocol Translation from IPv6 Clients to
+IPv4 Servers) allows client devices using IPv6 to communicate with
+servers that have only IPv4 connectivity.
-  NAT64 (Network Address and Protocol Translation from IPv6 Clients to
+The specification for how a client discovers its local network's
-  IPv4 Servers) allows client devices using IPv6 to communicate with
+NAT64 prefix ([[RFC7050|RFC 7050]]) defines the special name 'ipv4only.arpa' for
-  servers that have only IPv4 connectivity.
+this purpose.  However, in its Domain Name Reservation Considerations
+section (Section 8.1), that specification ([[RFC7050|RFC 7050]]) indicates that
+the name actually has no particularly special properties that would
+require special handling.
-  The specification for how a client discovers its local network's
+Consequently, despite the well-articulated special purpose of the
-  NAT64 prefix (RFC 7050) defines the special name 'ipv4only.arpa' for
+name, 'ipv4only.arpa' was not recorded in the Special-Use Domain
-  this purpose.  However, in its Domain Name Reservation Considerations
+Names registry as a name with special properties.
-  section (Section 8.1), that specification (RFC 7050) indicates that
-  the name actually has no particularly special properties that would
-  require special handling.
-  Consequently, despite the well-articulated special purpose of the
+This document updates [[RFC7050|RFC 7050]].  It describes the special treatment
-  name, 'ipv4only.arpa' was not recorded in the Special-Use Domain
+required and formally declares the special properties of the name.
-  Names registry as a name with special properties.
+It also adds similar declarations for the corresponding reverse
+mapping names.
-  This document updates RFC 7050.  It describes the special treatment
+'''Status of This Memo'''
-  required and formally declares the special properties of the name.
-  It also adds similar declarations for the corresponding reverse
-  mapping names.
-Status of This Memo
+This is an Internet Standards Track document.
-  This is an Internet Standards Track document.
+This document is a product of the Internet Engineering Task Force
+(IETF).  It represents the consensus of the IETF community.  It has
+received public review and has been approved for publication by the
+Internet Engineering Steering Group (IESG).  Further information on
+Internet Standards is available in Section 2 of [[RFC7841|RFC 7841]].
-  This document is a product of the Internet Engineering Task Force
+Information about the current status of this document, any errata,
-  (IETF).  It represents the consensus of the IETF community.  It has
+and how to provide feedback on it may be obtained at
-  received public review and has been approved for publication by the
+https://www.rfc-editor.org/info/rfc8880.
-  Internet Engineering Steering Group (IESG).  Further information on
-  Internet Standards is available in Section 2 of RFC 7841.
-  Information about the current status of this document, any errata,
+'''Copyright Notice'''
-  and how to provide feedback on it may be obtained at
-  https://www.rfc-editor.org/info/rfc8880.
-Copyright Notice
+Copyright (c) 2020 IETF Trust and the persons identified as the
+document authors.  All rights reserved.
-  Copyright (c) 2020 IETF Trust and the persons identified as the
+This document is subject to [[BCP78|BCP 78]] and the IETF Trust's Legal
-  document authors.  All rights reserved.
+Provisions Relating to IETF Documents
+(https://trustee.ietf.org/license-info) in effect on the date of
+publication of this document.  Please review these documents
+carefully, as they describe your rights and restrictions with respect
+to this document.  Code Components extracted from this document must
+include Simplified BSD License text as described in Section 4.e of
+the Trust Legal Provisions and are provided without warranty as
+described in the Simplified BSD License.
-  This document is subject to BCP 78 and the IETF Trust's Legal
+.  Introduction
-  Provisions Relating to IETF Documents
+.1.  Conventions and Terminology
-  (https://trustee.ietf.org/license-info) in effect on the date of
+.  Reasons to Declare 'ipv4only.arpa' as Special
-  publication of this document.  Please review these documents
+.  Consequences of 'ipv4only.arpa' Not Being Declared Special
-  carefully, as they describe your rights and restrictions with respect
+.1.  Consequences for Name Resolution APIs and Libraries
-  to this document.  Code Components extracted from this document must
+.2.  Consequences for DNS64 Implementations
-  include Simplified BSD License text as described in Section 4.e of
+.  Remedies
-  the Trust Legal Provisions and are provided without warranty as
+.  Security Considerations
-  described in the Simplified BSD License.
+.  IANA Considerations
+.  Domain Name Reservation Considerations
+.1.  Special Use Domain Name 'ipv4only.arpa'
+.2.  Names '170.0.0.192.in-addr.arpa' and
+        '171.0.0.192.in-addr.arpa'
+.2.1.  ip6.arpa Reverse Mapping PTR Records
+.  References
+.1.  Normative References
+.2.  Informative References
+Appendix A.  Example BIND 9 Configuration
+Acknowledgements
+Authors' Addresses
-Table of Contents
+== Introduction ==
-.  Introduction
+NAT64 (Network Address and Protocol Translation from IPv6 Clients to
-.1.  Conventions and Terminology
+IPv4 Servers) [[RFC6146]] allows client devices using IPv6 to
-.  Reasons to Declare 'ipv4only.arpa' as Special
+communicate with servers that have only IPv4 connectivity.
-.  Consequences of 'ipv4only.arpa' Not Being Declared Special
-.1.  Consequences for Name Resolution APIs and Libraries
-.2.  Consequences for DNS64 Implementations
-.  Remedies
-.  Security Considerations
-.  IANA Considerations
-.  Domain Name Reservation Considerations
-.1.  Special Use Domain Name 'ipv4only.arpa'
-.2.  Names '170.0.0.192.in-addr.arpa' and
-          '171.0.0.192.in-addr.arpa'
-.2.1.  ip6.arpa Reverse Mapping PTR Records
-.  References
-.1.  Normative References
-.2.  Informative References
-  Appendix A.  Example BIND 9 Configuration
-  Acknowledgements
-  Authors' Addresses
-.  Introduction
+DNS64 (DNS Extensions for Network Address Translation from IPv6
+Clients to IPv4 Servers) [[RFC6147]] facilitates use of NAT64 by
+clients by generating synthesized IPv6 addresses for IPv4 servers
+that have no IPv6 address of their own, or by communicating the local
+network's NAT64 prefix to clients so that they can perform the IPv6
+address synthesis themselves.
-  NAT64 (Network Address and Protocol Translation from IPv6 Clients to
+The specification for how a client discovers its local network's
-  IPv4 Servers) [RFC6146] allows client devices using IPv6 to
+NAT64 prefix [[RFC7050]] defines the special name 'ipv4only.arpa' for
-  communicate with servers that have only IPv4 connectivity.
+this purpose, but in its Domain Name Reservation Considerations
+section (Section 8.1), that specification [[RFC7050]] indicates that
+the name actually has no particularly special properties that would
+require special handling and does not request IANA to record the name
+in the Special-Use Domain Names registry [SUDN].
-  DNS64 (DNS Extensions for Network Address Translation from IPv6
+Consequently, despite the well-articulated special purpose of the
-  Clients to IPv4 Servers) [RFC6147] facilitates use of NAT64 by
+name, 'ipv4only.arpa' was not recorded in the Special-Use Domain
-  clients by generating synthesized IPv6 addresses for IPv4 servers
+Names registry [SUDN] as a name with special properties.
-  that have no IPv6 address of their own, or by communicating the local
-  network's NAT64 prefix to clients so that they can perform the IPv6
-  address synthesis themselves.
-  The specification for how a client discovers its local network's
+This omission was discussed in the document "Special-Use Domain Names
-  NAT64 prefix [RFC7050] defines the special name 'ipv4only.arpa' for
+Problem Statement" [[RFC8244]].
-  this purpose, but in its Domain Name Reservation Considerations
-  section (Section 8.1), that specification [RFC7050] indicates that
-  the name actually has no particularly special properties that would
-  require special handling and does not request IANA to record the name
-  in the Special-Use Domain Names registry [SUDN].
-  Consequently, despite the well-articulated special purpose of the
+As a result of this omission, in cases where software needs to give
-  name, 'ipv4only.arpa' was not recorded in the Special-Use Domain
+this name special treatment in order for it to work correctly, there
-  Names registry [SUDN] as a name with special properties.
+was no clear mandate authorizing software authors to implement that
+special treatment.  Software implementers were left with the choice
+between not implementing the special behavior necessary for the name
+queries to work correctly or implementing the special behavior and
+being accused of being noncompliant with IETF DNS specifications.
-  This omission was discussed in the document "Special-Use Domain Names
+This document describes the special treatment required, formally
-  Problem Statement" [RFC8244].
+declares the special properties of the name, and adds similar
+declarations for the corresponding reverse mapping names.
-  As a result of this omission, in cases where software needs to give
+=== Conventions and Terminology ===
-  this name special treatment in order for it to work correctly, there
-  was no clear mandate authorizing software authors to implement that
-  special treatment.  Software implementers were left with the choice
-  between not implementing the special behavior necessary for the name
-  queries to work correctly or implementing the special behavior and
-  being accused of being noncompliant with IETF DNS specifications.
-  This document describes the special treatment required, formally
+The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-  declares the special properties of the name, and adds similar
+"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
-  declarations for the corresponding reverse mapping names.
+"OPTIONAL" in this document are to be interpreted as described in
+[[BCP14|BCP 14]] [[RFC2119]] [[RFC8174]] when, and only when, they appear in all
+capitals, as shown here.
-.1.  Conventions and Terminology
+== Reasons to Declare 'ipv4only.arpa' as Special ==
-  The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+The hostname 'ipv4only.arpa' is peculiar in that it was never
-  "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
+intended to be treated like a normal hostname.
-  "OPTIONAL" in this document are to be interpreted as described in
-  BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
-  capitals, as shown here.
-.  Reasons to Declare 'ipv4only.arpa' as Special
+A typical client never has any reason to look up the IPv4 address
+records for 'ipv4only.arpa': no normal user is ever trying to view a
+website hosted at that domain name or trying to send email to an
+email address at that domain name.  The name 'ipv4only.arpa' is
+already known, by IETF specification [[RFC7050]], to have exactly two
+IPv4 address records: 192.0.0.170 and 192.0.0.171.  No client ever
+has to look up the name in order to learn those two addresses.
-  The hostname 'ipv4only.arpa' is peculiar in that it was never
+In contrast, clients often look up the IPv6 AAAA address records for
-  intended to be treated like a normal hostname.
+'ipv4only.arpa', which is contrary to general DNS expectations, given
+that it is already known, by IETF specification [[RFC7050]], that
+'ipv4only.arpa' is an IPv4-only name, and it has no IPv6 AAAA address
+records.  And yet, clients expect to receive, and do in fact receive,
+positive answers for these IPv6 AAAA address records that apparently
+should not exist.
-  A typical client never has any reason to look up the IPv4 address
+This odd query behavior comes not because clients are using DNS to
-  records for 'ipv4only.arpa': no normal user is ever trying to view a
+learn legitimate answers from the name's legitimate authoritative
-  website hosted at that domain name or trying to send email to an
+server, but because the DNS protocol has, in effect, been co-opted as
-  email address at that domain name.  The name 'ipv4only.arpa' is
+an improvised client-to-middlebox communication protocol to look for
-  already known, by IETF specification [RFC7050], to have exactly two
+a DNS64/NAT64 [[RFC6147]] [[RFC6146]] gateway and, if one is present, to
-  IPv4 address records: 192.0.0.170 and 192.0.0.171.  No client ever
+request that it disclose the prefix it is using for IPv6 address
-  has to look up the name in order to learn those two addresses.
+synthesis.
-  In contrast, clients often look up the IPv6 AAAA address records for
+This use of specially crafted DNS queries as an improvised client-to-
-  'ipv4only.arpa', which is contrary to general DNS expectations, given
+middlebox communication protocol has a number of specific
-  that it is already known, by IETF specification [RFC7050], that
+consequences, outlined below, which client software needs to take
-  'ipv4only.arpa' is an IPv4-only name, and it has no IPv6 AAAA address
+into account if the queries are to produce the desired results.  This
-  records.  And yet, clients expect to receive, and do in fact receive,
+is particularly true when used on a multihomed host or when a VPN
-  positive answers for these IPv6 AAAA address records that apparently
+tunnel is in use.  The name 'ipv4only.arpa' is most definitely a
-  should not exist.
+special name and needs to be listed in IANA's registry along with
+other DNS names that have special uses [SUDN].
-  This odd query behavior comes not because clients are using DNS to
+== Consequences of 'ipv4only.arpa' Not Being Declared Special ==
-  learn legitimate answers from the name's legitimate authoritative
-  server, but because the DNS protocol has, in effect, been co-opted as
-  an improvised client-to-middlebox communication protocol to look for
-  a DNS64/NAT64 [RFC6147] [RFC6146] gateway and, if one is present, to
-  request that it disclose the prefix it is using for IPv6 address
-  synthesis.
-  This use of specially crafted DNS queries as an improvised client-to-
+As a result of the original specification [[RFC7050]] not formally
-  middlebox communication protocol has a number of specific
+declaring 'ipv4only.arpa' to have special properties, there was no
-  consequences, outlined below, which client software needs to take
+clear mandate for DNS software to treat this name specially.  In
-  into account if the queries are to produce the desired results.  This
+particular, this lack of mandate for special treatment is relevant
-  is particularly true when used on a multihomed host or when a VPN
+(a) to the name resolution APIs and libraries on client devices and
-  tunnel is in use.  The name 'ipv4only.arpa' is most definitely a
+(b) to DNS64 [[RFC6147]] implementations.  These two aspects are
-  special name and needs to be listed in IANA's registry along with
+discussed in more detail below.
-  other DNS names that have special uses [SUDN].
-.  Consequences of 'ipv4only.arpa' Not Being Declared Special
+=== Consequences for Name Resolution APIs and Libraries ===
-  As a result of the original specification [RFC7050] not formally
+A serious problem can occur with DNS64/NAT64 when a device is
-  declaring 'ipv4only.arpa' to have special properties, there was no
+configured to use a recursive resolver other than the one it learned
-  clear mandate for DNS software to treat this name specially.  In
+from the network.
-  particular, this lack of mandate for special treatment is relevant
-  (a) to the name resolution APIs and libraries on client devices and
-  (b) to DNS64 [RFC6147] implementations.  These two aspects are
-  discussed in more detail below.
-.1.  Consequences for Name Resolution APIs and Libraries
+A device joining a NAT64 network will learn the recursive resolver
+recommended for that network, typically via IPv6 Router Advertisement
+Options [[RFC8106]] or via DHCPv6 [[RFC3646]].  On a NAT64 network, it is
+essential that the client use the DNS64 recursive resolver
+recommended for that network, since only that recursive resolver can
+be relied upon to know the appropriate prefix(es) to use for
+synthesizing IPv6 addresses that will be acceptable to that NAT64
+gateway.
-  A serious problem can occur with DNS64/NAT64 when a device is
+However, it is becoming increasingly common for users to manually
-  configured to use a recursive resolver other than the one it learned
+override their default DNS configuration because they wish to use
-  from the network.
+some other public recursive resolver on the Internet, which may offer
+better speed, reliability, or privacy than the local network's
+default recursive resolver.  At the time of writing, examples of
+widely known public recursive resolver services include Cloudflare
+Public DNS [DNS1], Google Public DNS [DNS8], and Quad9 [DNS9].
-  A device joining a NAT64 network will learn the recursive resolver
+Another common scenario is the use of corporate or personal VPN
-  recommended for that network, typically via IPv6 Router Advertisement
+client software.  Both for privacy reasons and because the local
-  Options [RFC8106] or via DHCPv6 [RFC3646].  On a NAT64 network, it is
+network's recursive resolver will typically be unable to provide
-  essential that the client use the DNS64 recursive resolver
+answers for the company's private internal host names, VPN client
-  recommended for that network, since only that recursive resolver can
+software usually overrides the local network's default configuration
-  be relied upon to know the appropriate prefix(es) to use for
+to divert some or all DNS requests so that they go to the company's
-  synthesizing IPv6 addresses that will be acceptable to that NAT64
+own private internal recursive resolver instead of to the default
-  gateway.
+recursive resolver the client learned from its local network.  (The
+company's own private internal recursive resolvers typically have
+addresses that are themselves reached through the VPN tunnel, not via
+the public Internet.)  As with the case described above of public
+recursive resolver services, the company's private internal recursive
+resolver cannot be expected to be able to synthesize IPv6 addresses
+correctly for use with the local network's NAT64 gateway, because the
+company's private internal recursive resolver is unlikely to be aware
+of the NAT64 prefix in use on the NAT64 network to which the client
+device is currently attached.  It is clear that a single recursive
+resolver cannot meet both needs.  The local network's recursive
+resolver cannot be expected to give answers for some unknown
+company's private internal host names, and a company's private
+internal recursive resolver cannot be expected to give correctly
+synthesized IPv6 addresses suitable for some unknown local network's
+NAT64 gateway.
-  However, it is becoming increasingly common for users to manually
+Note that multiple NAT64 services may be simultaneously available to
-  override their default DNS configuration because they wish to use
+a client.  For example, the local network may provide NAT64 service
-  some other public recursive resolver on the Internet, which may offer
+(to allow an IPv6-only client device to access IPv4-only Internet
-  better speed, reliability, or privacy than the local network's
+services), while at the same time, a corporate VPN may also provide
-  default recursive resolver.  At the time of writing, examples of
+NAT64 service (to allow a client connecting via an IPv6-only VPN
-  widely known public recursive resolver services include Cloudflare
+tunnel to access IPv4-only corporate services).  The NAT64 address
-  Public DNS [DNS1], Google Public DNS [DNS8], and Quad9 [DNS9].
+synthesis prefixes for the two NAT64 services may be different.  In
+this case, it is essential that the NAT64 address synthesis prefix
+used on the local network be the prefix learned from the local
+network's recursive resolver, and the NAT64 address synthesis prefix
+used on the VPN tunnel be the prefix learned from the VPN tunnel's
+recursive resolver.
-  Another common scenario is the use of corporate or personal VPN
+The difficulty here arises because DNS is being used for two
-  client software.  Both for privacy reasons and because the local
+unrelated purposes.  The first purpose is retrieving data from a
-  network's recursive resolver will typically be unable to provide
+(nominally) global database, generally retrieving the IP address(es)
-  answers for the company's private internal host names, VPN client
+associated with a hostname.  The second purpose is using the DNS
-  software usually overrides the local network's default configuration
+protocol as a middlebox communication protocol, to interrogate the
-  to divert some or all DNS requests so that they go to the company's
+local network infrastructure to discover the IPv6 prefix(es) in use
-  own private internal recursive resolver instead of to the default
+by the local NAT64 gateway for address synthesis.
-  recursive resolver the client learned from its local network.  (The
-  company's own private internal recursive resolvers typically have
-  addresses that are themselves reached through the VPN tunnel, not via
-  the public Internet.)  As with the case described above of public
-  recursive resolver services, the company's private internal recursive
-  resolver cannot be expected to be able to synthesize IPv6 addresses
-  correctly for use with the local network's NAT64 gateway, because the
-  company's private internal recursive resolver is unlikely to be aware
-  of the NAT64 prefix in use on the NAT64 network to which the client
-  device is currently attached.  It is clear that a single recursive
-  resolver cannot meet both needs.  The local network's recursive
-  resolver cannot be expected to give answers for some unknown
-  company's private internal host names, and a company's private
-  internal recursive resolver cannot be expected to give correctly
-  synthesized IPv6 addresses suitable for some unknown local network's
-  NAT64 gateway.
-  Note that multiple NAT64 services may be simultaneously available to
+=== Consequences for DNS64 Implementations ===
-  a client.  For example, the local network may provide NAT64 service
-  (to allow an IPv6-only client device to access IPv4-only Internet
-  services), while at the same time, a corporate VPN may also provide
-  NAT64 service (to allow a client connecting via an IPv6-only VPN
-  tunnel to access IPv4-only corporate services).  The NAT64 address
-  synthesis prefixes for the two NAT64 services may be different.  In
-  this case, it is essential that the NAT64 address synthesis prefix
-  used on the local network be the prefix learned from the local
-  network's recursive resolver, and the NAT64 address synthesis prefix
-  used on the VPN tunnel be the prefix learned from the VPN tunnel's
-  recursive resolver.
-  The difficulty here arises because DNS is being used for two
+As a result of there being no mandate for special treatment, queries
-  unrelated purposes.  The first purpose is retrieving data from a
+for 'ipv4only.arpa' had to be handled normally, resulting in DNS64
-  (nominally) global database, generally retrieving the IP address(es)
+gateways performing unnecessary queries to the authoritative 'arpa'
-  associated with a hostname.  The second purpose is using the DNS
+name servers, both unnecessary IPv6 address record queries (DNS qtype
-  protocol as a middlebox communication protocol, to interrogate the
+"AAAA", always returning negative responses) and unnecessary IPv4
-  local network infrastructure to discover the IPv6 prefix(es) in use
+address record queries (DNS qtype "A", always returning the same
-  by the local NAT64 gateway for address synthesis.
+positive responses).
-.2.  Consequences for DNS64 Implementations
+Having DNS64 gateways around the world issue these queries generated
+additional load on the authoritative 'arpa' name servers, which was
+redundant when the name 'ipv4only.arpa' is defined, by IETF
+specification [[RFC7050]], to have exactly two IPv4 address records,
+.0.0.170 and 192.0.0.171, and no other IPv4 or IPv6 address
+records.
-  As a result of there being no mandate for special treatment, queries
+Also, at times, for reasons that remain unclear, the authoritative
-  for 'ipv4only.arpa' had to be handled normally, resulting in DNS64
+'arpa' name servers have been observed to be slow or unresponsive.
-  gateways performing unnecessary queries to the authoritative 'arpa'
+The failures of these 'ipv4only.arpa' queries result in unnecessary
-  name servers, both unnecessary IPv6 address record queries (DNS qtype
+failures of the DNS64 gateways and of the client devices that depend
-  "AAAA", always returning negative responses) and unnecessary IPv4
+on them for DNS64 [[RFC6147]] address synthesis.
-  address record queries (DNS qtype "A", always returning the same
-  positive responses).
-  Having DNS64 gateways around the world issue these queries generated
+Even when the authoritative 'arpa' name servers are operating
-  additional load on the authoritative 'arpa' name servers, which was
+correctly, having to perform an unnecessary query to obtain an answer
-  redundant when the name 'ipv4only.arpa' is defined, by IETF
+that is already known in advance can add precious milliseconds of
-  specification [RFC7050], to have exactly two IPv4 address records,
+delay, affecting user experience on the client devices waiting for
-.0.0.170 and 192.0.0.171, and no other IPv4 or IPv6 address
+those synthesized replies.
-  records.
-  Also, at times, for reasons that remain unclear, the authoritative
+== Remedies ==
-  'arpa' name servers have been observed to be slow or unresponsive.
-  The failures of these 'ipv4only.arpa' queries result in unnecessary
-  failures of the DNS64 gateways and of the client devices that depend
-  on them for DNS64 [RFC6147] address synthesis.
-  Even when the authoritative 'arpa' name servers are operating
+This document leverages operational experience to update the Domain
-  correctly, having to perform an unnecessary query to obtain an answer
+Name Reservation Considerations section [[RFC6761]] of the earlier
-  that is already known in advance can add precious milliseconds of
+prefix discovery specification [[RFC7050]] with one that more
-  delay, affecting user experience on the client devices waiting for
+accurately lists the actual special properties of the name
-  those synthesized replies.
+'ipv4only.arpa', so that software can legitimately implement the
+correct behavior necessary for better performance, better
+reliability, and correct operation.
-.  Remedies
+These changes affect two bodies of software: (a) the name resolution
+APIs and libraries on client devices, and (b) DNS64 implementations.
-  This document leverages operational experience to update the Domain
+The new special rules specified in this document for name resolution
-  Name Reservation Considerations section [RFC6761] of the earlier
+APIs and libraries state how they should select which recursive
-  prefix discovery specification [RFC7050] with one that more
+resolver to query to learn the IPv6 address synthesis prefix in use
-  accurately lists the actual special properties of the name
+on a particular physical or virtual interface.  Specifically, when
-  'ipv4only.arpa', so that software can legitimately implement the
+querying for the name 'ipv4only.arpa', name resolution APIs and
-  correct behavior necessary for better performance, better
+libraries should use the recursive resolver recommended by the
-  reliability, and correct operation.
+network for the interface in question rather than a recursive
+resolver configured manually, a recursive resolver configured by VPN
+software, or a full-service recursive resolver running on the local
+host.  Superficially, this might seem like a security issue, since
+the user might have explicitly configured the particular DNS resolver
+they wish to use, and rather than using that, the name resolution
+code ignores the user's stated preference and uses untrusted input
+received from the network instead.  However, the 'ipv4only.arpa'
+query is not really a DNS query in the usual sense; even though it
+may look like a DNS query, it is actually an improvised client-to-
+middlebox communication protocol in disguise.  For NAT64 to work at
+all, it is necessary for the interface on which NAT64 translation is
+being performed to tell the host the address of the DNS64 recursive
+resolver the host must use to learn the NAT64 prefix being used by
+that NAT64.  This is typically done via IPv6 Router Advertisement
+Options for DNS Configuration [[RFC8106]] or via DNS Configuration
+options for DHCPv6 [[RFC3646]].
-  These changes affect two bodies of software: (a) the name resolution
+The new special rules specified in this document for DNS64
-  APIs and libraries on client devices, and (b) DNS64 implementations.
+implementations recommend that they avoid performing run-time network
+queries for values that are known to be fixed by specification.
-  The new special rules specified in this document for name resolution
+A useful property of the way NAT64 Prefix Discovery [[RFC7050]] was
-  APIs and libraries state how they should select which recursive
+originally specified was that it allowed for incremental deployment.
-  resolver to query to learn the IPv6 address synthesis prefix in use
+Even if existing DNS64 gateways, that were unaware of the special
-  on a particular physical or virtual interface.  Specifically, when
+'ipv4only.arpa' name, were already deployed, once IANA created the
-  querying for the name 'ipv4only.arpa', name resolution APIs and
+appropriate 'ipv4only.arpa' records, clients could begin to use the
-  libraries should use the recursive resolver recommended by the
+new facility immediately.  Clients could send their special queries
-  network for the interface in question rather than a recursive
+for 'ipv4only.arpa' to an ipv4only-unaware DNS64 gateway, and, as a
-  resolver configured manually, a recursive resolver configured by VPN
+side effect of its usual query processing (after a query to IANA's
-  software, or a full-service recursive resolver running on the local
+servers), the DNS64 gateway would then generate the correct
-  host.  Superficially, this might seem like a security issue, since
+synthesized response.
-  the user might have explicitly configured the particular DNS resolver
-  they wish to use, and rather than using that, the name resolution
-  code ignores the user's stated preference and uses untrusted input
-  received from the network instead.  However, the 'ipv4only.arpa'
-  query is not really a DNS query in the usual sense; even though it
-  may look like a DNS query, it is actually an improvised client-to-
-  middlebox communication protocol in disguise.  For NAT64 to work at
-  all, it is necessary for the interface on which NAT64 translation is
-  being performed to tell the host the address of the DNS64 recursive
-  resolver the host must use to learn the NAT64 prefix being used by
-  that NAT64.  This is typically done via IPv6 Router Advertisement
-  Options for DNS Configuration [RFC8106] or via DNS Configuration
-  options for DHCPv6 [RFC3646].
-  The new special rules specified in this document for DNS64
+While this was a useful transition strategy to enable rapid adoption,
-  implementations recommend that they avoid performing run-time network
+it is not the ideal end situation.  For better performance, better
-  queries for values that are known to be fixed by specification.
+reliability, and lower load in IANA's servers, it is preferable for
+DNS64 gateways to be aware of the special 'ipv4only.arpa' name so
+that they can avoid issuing unnecessary queries.  Network operators
+who wish to provide reliable, high-performance service to their
+customers are motivated to prefer DNS64 gateways that recognize the
+special 'ipv4only.arpa' name and apply the appropriate optimizations.
-  A useful property of the way NAT64 Prefix Discovery [RFC7050] was
+== Security Considerations ==
-  originally specified was that it allowed for incremental deployment.
-  Even if existing DNS64 gateways, that were unaware of the special
-  'ipv4only.arpa' name, were already deployed, once IANA created the
-  appropriate 'ipv4only.arpa' records, clients could begin to use the
-  new facility immediately.  Clients could send their special queries
-  for 'ipv4only.arpa' to an ipv4only-unaware DNS64 gateway, and, as a
-  side effect of its usual query processing (after a query to IANA's
-  servers), the DNS64 gateway would then generate the correct
-  synthesized response.
-  While this was a useful transition strategy to enable rapid adoption,
+One of the known concerns with DNS64 is that it conflicts with
-  it is not the ideal end situation.  For better performance, better
+DNSSEC.  If DNSSEC is used to assert cryptographically that a name
-  reliability, and lower load in IANA's servers, it is preferable for
+has no IPv6 AAAA records, then this interferes with using DNS64
-  DNS64 gateways to be aware of the special 'ipv4only.arpa' name so
+address synthesis to tell a client that those nonexistent IPv6 AAAA
-  that they can avoid issuing unnecessary queries.  Network operators
+records do exist.
-  who wish to provide reliable, high-performance service to their
-  customers are motivated to prefer DNS64 gateways that recognize the
-  special 'ipv4only.arpa' name and apply the appropriate optimizations.
-.  Security Considerations
+Section 3 of the DNS64 specification [[RFC6147]] discusses this:
-  One of the known concerns with DNS64 is that it conflicts with
+|  ... DNS64 receives a query with the DO bit set and the CD bit set.
-  DNSSEC.  If DNSSEC is used to assert cryptographically that a name
+|  In this case, the DNS64 is supposed to pass on all the data it
-  has no IPv6 AAAA records, then this interferes with using DNS64
+|  gets to the query initiator.  This case will not work with DNS64,
-  address synthesis to tell a client that those nonexistent IPv6 AAAA
+|  unless the validating resolver is prepared to do DNS64 itself.
-  records do exist.
-  Section 3 of the DNS64 specification [RFC6147] discusses this:
+The NAT64 Prefix Discovery specification [[RFC7050]] provides the
+mechanism for the query initiator to learn the NAT64 prefix so that
+it can do its own validation and DNS64 synthesis as described above.
+With this mechanism, the client can (i) interrogate the local DNS64/
+NAT64 gateway (with an 'ipv4only.arpa' query) to learn the IPv6
+address synthesis prefix, (ii) query for the (signed) IPv4 address
+records for the desired hostname and validate the response, and then
+(iii) perform its own IPv6 address synthesis locally, combining the
+IPv6 address synthesis prefix learned from the local DNS64/NAT64
+gateway with the validated DNSSEC-signed data learned from the global
+Domain Name System.
-  |  ... DNS64 receives a query with the DO bit set and the CD bit set.
+It is conceivable that, over time, if DNSSEC adoption continues to
-  |  In this case, the DNS64 is supposed to pass on all the data it
+grow, the majority of clients could move to this validate-and-
-  |  gets to the query initiator.  This case will not work with DNS64,
+synthesize-locally model, which reduces the DNS64 machinery to the
-  |  unless the validating resolver is prepared to do DNS64 itself.
+vestigial role of simply responding to the 'ipv4only.arpa' query to
+report the local IPv6 address synthesis prefix.  At the time of
+publication, network operators have been observed "in the wild"
+deploying NAT64 service with DNS recursive resolvers that reply to
+'ipv4only.arpa' queries but otherwise perform no other NAT64 address
+synthesis.  In no case does the client care what answer(s) the
+authoritative 'arpa' name servers might give for that query.  The
+'ipv4only.arpa' query is being used purely as a local client-to-
+middlebox communication message.
-  The NAT64 Prefix Discovery specification [RFC7050] provides the
+This validate-and-synthesize-locally approach is even more attractive
-  mechanism for the query initiator to learn the NAT64 prefix so that
+if it does not create an additional dependency on the authoritative
-  it can do its own validation and DNS64 synthesis as described above.
+'arpa' name servers to answer a query that is unnecessary because the
-  With this mechanism, the client can (i) interrogate the local DNS64/
+DNS64/NAT64 gateway already knows the answer before it even issues
-  NAT64 gateway (with an 'ipv4only.arpa' query) to learn the IPv6
+the query.  Avoiding this unnecessary query improves performance and
-  address synthesis prefix, (ii) query for the (signed) IPv4 address
+reliability for the client and reduces unnecessary load for the
-  records for the desired hostname and validate the response, and then
+authoritative 'arpa' name servers.
-  (iii) perform its own IPv6 address synthesis locally, combining the
-  IPv6 address synthesis prefix learned from the local DNS64/NAT64
-  gateway with the validated DNSSEC-signed data learned from the global
-  Domain Name System.
-  It is conceivable that, over time, if DNSSEC adoption continues to
+Hardcoding the known answers for 'ipv4only.arpa' IPv4 address record
-  grow, the majority of clients could move to this validate-and-
+queries (DNS qtype "A") in recursive resolvers also reduces the risk
-  synthesize-locally model, which reduces the DNS64 machinery to the
+of malicious devices intercepting those queries and returning
-  vestigial role of simply responding to the 'ipv4only.arpa' query to
+incorrect answers.  Because the 'ipv4only.arpa' zone has to be an
-  report the local IPv6 address synthesis prefix.  At the time of
+insecure delegation (see below), DNSSEC cannot be used to protect
-  publication, network operators have been observed "in the wild"
+these answers from tampering by malicious devices on the path.
-  deploying NAT64 service with DNS recursive resolvers that reply to
-  'ipv4only.arpa' queries but otherwise perform no other NAT64 address
-  synthesis.  In no case does the client care what answer(s) the
-  authoritative 'arpa' name servers might give for that query.  The
-  'ipv4only.arpa' query is being used purely as a local client-to-
-  middlebox communication message.
-  This validate-and-synthesize-locally approach is even more attractive
+With respect to the question of whether 'ipv4only.arpa' should be a
-  if it does not create an additional dependency on the authoritative
+secure or insecure delegation, we need to consider two paths of
-  'arpa' name servers to answer a query that is unnecessary because the
+information flow through the network:
-  DNS64/NAT64 gateway already knows the answer before it even issues
-  the query.  Avoiding this unnecessary query improves performance and
-  reliability for the client and reduces unnecessary load for the
-  authoritative 'arpa' name servers.
-  Hardcoding the known answers for 'ipv4only.arpa' IPv4 address record
+.  The path from the server authoritative for 'ipv4only.arpa' to the
-  queries (DNS qtype "A") in recursive resolvers also reduces the risk
+    DNS64 recursive resolver
-  of malicious devices intercepting those queries and returning
-  incorrect answers.  Because the 'ipv4only.arpa' zone has to be an
-  insecure delegation (see below), DNSSEC cannot be used to protect
-  these answers from tampering by malicious devices on the path.
-  With respect to the question of whether 'ipv4only.arpa' should be a
+.  The path from the DNS64 recursive resolver to the ultimate client
-  secure or insecure delegation, we need to consider two paths of
-  information flow through the network:
-.  The path from the server authoritative for 'ipv4only.arpa' to the
+The path from the authoritative server to the DNS64 recursive
-      DNS64 recursive resolver
+resolver (queries for IPv4 address records) need not be protected by
+DNSSEC, because the DNS64 recursive resolver already knows, by
+specification, what the answers are.  In principle, if this were a
+secure delegation, and 'ipv4only.arpa' were a signed zone, then the
+path from the authoritative server to the DNS64 recursive resolver
+would still work, but DNSSEC is not necessary here.  Run-time
+cryptographic signatures are not needed to verify compile-time
+constants.  Validating the signatures could only serve to introduce
+potential failures into the system for minimal benefit.
-.  The path from the DNS64 recursive resolver to the ultimate client
+The path from the DNS64 recursive resolver to the ultimate client
+(queries for IPv6 address records) *cannot* be protected by DNSSEC
+because the DNS64 recursive resolver is synthesizing IPv6 address
+answers and does not possess the DNSSEC secret key required to sign
+those answers.
-  The path from the authoritative server to the DNS64 recursive
+Consequently, the 'ipv4only.arpa' zone MUST be an insecure delegation
-  resolver (queries for IPv4 address records) need not be protected by
+to give DNS64/NAT64 gateways the freedom to synthesize answers to
-  DNSSEC, because the DNS64 recursive resolver already knows, by
+those queries at will, without the answers being rejected by DNSSEC-
-  specification, what the answers are.  In principle, if this were a
+capable resolvers.  DNSSEC-capable resolvers that follow this
-  secure delegation, and 'ipv4only.arpa' were a signed zone, then the
+specification MUST NOT attempt to validate answers received in
-  path from the authoritative server to the DNS64 recursive resolver
+response to queries for the IPv6 AAAA address records for
-  would still work, but DNSSEC is not necessary here.  Run-time
+'ipv4only.arpa'.  Note that the name 'ipv4only.arpa' has no use
-  cryptographic signatures are not needed to verify compile-time
+outside of being used for this special DNS pseudo-query used to learn
-  constants.  Validating the signatures could only serve to introduce
+the DNS64/NAT64 address synthesis prefix, so the lack of DNSSEC
-  potential failures into the system for minimal benefit.
+security for that name is not a problem.
-  The path from the DNS64 recursive resolver to the ultimate client
+The original NAT64 Prefix Discovery specification [[RFC7050]] stated,
-  (queries for IPv6 address records) *cannot* be protected by DNSSEC
+incorrectly:
-  because the DNS64 recursive resolver is synthesizing IPv6 address
-  answers and does not possess the DNSSEC secret key required to sign
-  those answers.
-  Consequently, the 'ipv4only.arpa' zone MUST be an insecure delegation
+|  A signed "ipv4only.arpa." allows validating DNS64 servers (see
-  to give DNS64/NAT64 gateways the freedom to synthesize answers to
+|  [[RFC6147]] Section 3, Case 5, for example) to detect malicious AAAA
-  those queries at will, without the answers being rejected by DNSSEC-
+|  resource records.  Therefore, the zone serving the well-known name
-  capable resolvers.  DNSSEC-capable resolvers that follow this
+|  has to be protected with DNSSEC.
-  specification MUST NOT attempt to validate answers received in
-  response to queries for the IPv6 AAAA address records for
-  'ipv4only.arpa'.  Note that the name 'ipv4only.arpa' has no use
-  outside of being used for this special DNS pseudo-query used to learn
-  the DNS64/NAT64 address synthesis prefix, so the lack of DNSSEC
-  security for that name is not a problem.
-  The original NAT64 Prefix Discovery specification [RFC7050] stated,
+This document updates the previous specification [[RFC7050]] to correct
-  incorrectly:
+that error.  The 'ipv4only.arpa' zone MUST be an insecure delegation.
-  |  A signed "ipv4only.arpa." allows validating DNS64 servers (see
+== IANA Considerations ==
-  |  [RFC6147] Section 3, Case 5, for example) to detect malicious AAAA
-  |  resource records.  Therefore, the zone serving the well-known name
-  |  has to be protected with DNSSEC.
-  This document updates the previous specification [RFC7050] to correct
+IANA has created an insecure delegation for 'ipv4only.arpa' to allow
-  that error.  The 'ipv4only.arpa' zone MUST be an insecure delegation.
+DNS64 recursive resolvers to create synthesized AAAA answers within
+that zone.
-.  IANA Considerations
+IANA has recorded the following names in the Special-Use Domain Names
+registry [SUDN]:
-   IANA has created an insecure delegation for 'ipv4only.arpa' to allow
+   ipv4only.arpa.
-   DNS64 recursive resolvers to create synthesized AAAA answers within
+.0.0.192.in-addr.arpa.
-   that zone.
+.0.0.192.in-addr.arpa.
-  IANA has recorded the following names in the Special-Use Domain Names
+IANA has recorded the following IPv4 addresses in the IANA IPv4
-  registry [SUDN]:
+Special-Purpose Address Registry [SUv4]:
-      ipv4only.arpa.
+.0.0.170
-.0.0.192.in-addr.arpa.
+.0.0.171
-.0.0.192.in-addr.arpa.
-  IANA has recorded the following IPv4 addresses in the IANA IPv4
+== Domain Name Reservation Considerations ==
-  Special-Purpose Address Registry [SUv4]:
-.0.0.170
+=== Special Use Domain Name 'ipv4only.arpa' ===
-.0.0.171
-.  Domain Name Reservation Considerations
+The name 'ipv4only.arpa' is defined, by IETF specification [[RFC7050]],
+to have two IPv4 address records with rdata 192.0.0.170 and
+.0.0.171.
-.1.  Special Use Domain Name 'ipv4only.arpa'
+When queried via a DNS64 recursive resolver [[RFC6147]], the name
+'ipv4only.arpa' is also defined to have IPv6 AAAA records, with rdata
+synthesized from a combination of the NAT64 IPv6 prefix(es) and the
+IPv4 addresses 192.0.0.170 and 192.0.0.171.  This can return more
+than one pair of IPv6 addresses if there are multiple NAT64 prefixes.
-  The name 'ipv4only.arpa' is defined, by IETF specification [RFC7050],
+The name 'ipv4only.arpa' has no other IPv4 or IPv6 address records.
-  to have two IPv4 address records with rdata 192.0.0.170 and
+There are no subdomains of 'ipv4only.arpa'.  All names falling below
-.0.0.171.
+'ipv4only.arpa' are defined to be nonexistent (NXDOMAIN).
-  When queried via a DNS64 recursive resolver [RFC6147], the name
+The name 'ipv4only.arpa' is special to
-  'ipv4only.arpa' is also defined to have IPv6 AAAA records, with rdata
-  synthesized from a combination of the NAT64 IPv6 prefix(es) and the
-  IPv4 addresses 192.0.0.170 and 192.0.0.171.  This can return more
-  than one pair of IPv6 addresses if there are multiple NAT64 prefixes.
-  The name 'ipv4only.arpa' has no other IPv4 or IPv6 address records.
+a.  client software wishing to perform DNS64 address synthesis,
-  There are no subdomains of 'ipv4only.arpa'.  All names falling below
-  'ipv4only.arpa' are defined to be nonexistent (NXDOMAIN).
-  The name 'ipv4only.arpa' is special to
+b.  APIs responsible for retrieving the correct information, and
-  a.  client software wishing to perform DNS64 address synthesis,
+c.  the DNS64 recursive resolver responding to such requests.
-  b.  APIs responsible for retrieving the correct information, and
+These three considerations are listed in items 2, 3, and 4 below:
-  c.  the DNS64 recursive resolver responding to such requests.
+.  Normal users should never have reason to encounter the
+    'ipv4only.arpa' domain name.  If they do, they should expect
+    queries for 'ipv4only.arpa' to result in the answers required by
+    the specification [[RFC7050]].  Normal users have no need to know
+    that 'ipv4only.arpa' is special.
-  These three considerations are listed in items 2, 3, and 4 below:
+.  Application software may explicitly use the name 'ipv4only.arpa'
+    for DNS64/NAT64 address synthesis and expect to get the answers
+    required by the specification [[RFC7050]].  If application software
+    encounters the name 'ipv4only.arpa' in the normal course of
+    handling user input, the application software should resolve that
+    name as usual and need not treat it in any special way.
-.  Normal users should never have reason to encounter the
+.  Name resolution APIs and libraries MUST recognize 'ipv4only.arpa'
-      'ipv4only.arpa' domain name.  If they do, they should expect
+    as special and MUST give it special treatment.
-      queries for 'ipv4only.arpa' to result in the answers required by
-      the specification [RFC7050].  Normal users have no need to know
-      that 'ipv4only.arpa' is special.
-.  Application software may explicitly use the name 'ipv4only.arpa'
+    Learning a network's NAT64 prefix is, by its nature, an
-      for DNS64/NAT64 address synthesis and expect to get the answers
+    interface-specific operation, and the special DNS query used to
-      required by the specification [RFC7050].  If application software
+    learn this interface-specific NAT64 prefix MUST be sent to the
-      encounters the name 'ipv4only.arpa' in the normal course of
+    DNS recursive resolver address(es) the client learned via the
-      handling user input, the application software should resolve that
+    configuration machinery for that specific client interface.  The
-      name as usual and need not treat it in any special way.
+    NAT64 prefix is a per-interface property, not a per-device
+    property.
-.  Name resolution APIs and libraries MUST recognize 'ipv4only.arpa'
+    Regardless of any manual client DNS configuration, DNS overrides
-      as special and MUST give it special treatment.
+    configured by VPN client software, or any other mechanisms that
+    influence the choice of the client's recursive resolver
+    address(es) (including client devices that run their own local
+    recursive resolver and use the loopback address as their
+    configured recursive resolver address), all queries for
+    'ipv4only.arpa' and any subdomains of that name MUST be sent to
+    the recursive resolver learned from the network interface in
+    question via IPv6 Router Advertisement Options for DNS
+    Configuration [[RFC8106]], DNS Configuration options for DHCPv6
+    [[RFC3646]], or other configuration mechanisms.  Because DNS
+    queries for 'ipv4only.arpa' are actually a special middlebox
+    communication protocol, it is essential that they go to the
+    correct middlebox for the interface in question, and failure to
+    honor this requirement would cause failure of the NAT64 Prefix
+    Discovery mechanism [[RFC7050]].
-      Learning a network's NAT64 prefix is, by its nature, an
+    One implication of this is that, on multihomed devices (devices
-      interface-specific operation, and the special DNS query used to
+    that allow more than one logical or physical IP interface to be
-      learn this interface-specific NAT64 prefix MUST be sent to the
+    active at the same time, e.g., cellular data and Wi-Fi, or one
-      DNS recursive resolver address(es) the client learned via the
+    physical interface plus a VPN connection), clients MUST use
-      configuration machinery for that specific client interface.  The
+    interface-aware name resolution APIs.  On different (logical or
-      NAT64 prefix is a per-interface property, not a per-device
+    physical) interfaces, different DNS64 answers may be received,
-      property.
+    and DNS64 answers are only valid for the interface on which they
+    were received.  On multihomed devices (including devices that
+    support VPN), name resolution APIs that do not include interface
+    parameters will not work reliably with NAT64.  On single-homed
+    devices, interface-unaware name resolution APIs are acceptable
+    since when only one interface can be active at a time, there is
+    no need to specify an interface.
-      Regardless of any manual client DNS configuration, DNS overrides
+    DNSSEC-capable resolvers MUST NOT attempt to validate answers
-      configured by VPN client software, or any other mechanisms that
+    received in response to queries for the IPv6 AAAA address records
-      influence the choice of the client's recursive resolver
+    for 'ipv4only.arpa' since, by definition, any such answers are
-      address(es) (including client devices that run their own local
+    generated by the local network's DNS64/NAT64 gateway, not the
-      recursive resolver and use the loopback address as their
+    authoritative server responsible for that name.
-      configured recursive resolver address), all queries for
-      'ipv4only.arpa' and any subdomains of that name MUST be sent to
-      the recursive resolver learned from the network interface in
-      question via IPv6 Router Advertisement Options for DNS
-      Configuration [RFC8106], DNS Configuration options for DHCPv6
-      [RFC3646], or other configuration mechanisms.  Because DNS
-      queries for 'ipv4only.arpa' are actually a special middlebox
-      communication protocol, it is essential that they go to the
-      correct middlebox for the interface in question, and failure to
-      honor this requirement would cause failure of the NAT64 Prefix
-      Discovery mechanism [RFC7050].
-      One implication of this is that, on multihomed devices (devices
+.  For the purposes of this section, recursive resolvers fall into
-      that allow more than one logical or physical IP interface to be
+    two categories.  The first category is traditional recursive
-      active at the same time, e.g., cellular data and Wi-Fi, or one
+    resolvers, which includes *forwarding* recursive resolvers, as
-      physical interface plus a VPN connection), clients MUST use
+    commonly implemented in residential home gateways, and
-      interface-aware name resolution APIs.  On different (logical or
+    *iterative* recursive resolvers, as commonly deployed by ISPs.
-      physical) interfaces, different DNS64 answers may be received,
+    The second category is DNS64 recursive resolvers, whose purpose
-      and DNS64 answers are only valid for the interface on which they
+    is to synthesize IPv6 address records.  These may be *forwarding*
-      were received.  On multihomed devices (including devices that
+    DNS64 recursive resolvers or *iterative* DNS64 recursive
-      support VPN), name resolution APIs that do not include interface
+    resolvers, and they work in partnership with a companion NAT64
-      parameters will not work reliably with NAT64.  On single-homed
+    gateway to communicate the appropriate NAT64 address synthesis
-      devices, interface-unaware name resolution APIs are acceptable
+    prefix to clients.  More information on these terms can be found
-      since when only one interface can be active at a time, there is
+    in the DNS Terminology document [[RFC8499]].
-      no need to specify an interface.
-      DNSSEC-capable resolvers MUST NOT attempt to validate answers
+    Traditional forwarding recursive resolvers SHOULD NOT recognize
-      received in response to queries for the IPv6 AAAA address records
+    'ipv4only.arpa' as special or give that name, or subdomains of
-      for 'ipv4only.arpa' since, by definition, any such answers are
+    that name, any special treatment.  The rationale for this is that
-      generated by the local network's DNS64/NAT64 gateway, not the
+    a traditional forwarding recursive resolver, such as built in to
-      authoritative server responsible for that name.
+    a residential home gateway, may itself be downstream of a DNS64
+    recursive resolver.  Passing through the 'ipv4only.arpa' queries
+    to the upstream DNS64 recursive resolver will allow the correct
+    NAT64 prefix to be discovered.
-.  For the purposes of this section, recursive resolvers fall into
+    Traditional iterative recursive resolvers that are not explicitly
-      two categories.  The first category is traditional recursive
+    configured to synthesize IPv6 prefixes on behalf of a companion
-      resolvers, which includes *forwarding* recursive resolvers, as
+    NAT64 gateway need not recognize 'ipv4only.arpa' as special or
-      commonly implemented in residential home gateways, and
+    take any special action.
-      *iterative* recursive resolvers, as commonly deployed by ISPs.
-      The second category is DNS64 recursive resolvers, whose purpose
-      is to synthesize IPv6 address records.  These may be *forwarding*
-      DNS64 recursive resolvers or *iterative* DNS64 recursive
-      resolvers, and they work in partnership with a companion NAT64
-      gateway to communicate the appropriate NAT64 address synthesis
-      prefix to clients.  More information on these terms can be found
-      in the DNS Terminology document [RFC8499].
-      Traditional forwarding recursive resolvers SHOULD NOT recognize
+    Forwarding or iterative recursive resolvers that have been
-      'ipv4only.arpa' as special or give that name, or subdomains of
+    explicitly configured to perform DNS64 address synthesis in
-      that name, any special treatment.  The rationale for this is that
+    support of a companion NAT64 gateway (i.e., "DNS64 recursive
-      a traditional forwarding recursive resolver, such as built in to
+    resolvers") MUST recognize 'ipv4only.arpa' as special.  The
-      a residential home gateway, may itself be downstream of a DNS64
+    authoritative name servers for 'ipv4only.arpa' cannot be expected
-      recursive resolver.  Passing through the 'ipv4only.arpa' queries
+    to know the local network's NAT64 address synthesis prefix, so
-      to the upstream DNS64 recursive resolver will allow the correct
+    consulting the authoritative name servers for IPv6 address
-      NAT64 prefix to be discovered.
+    records for 'ipv4only.arpa' is futile.  All DNS64 recursive
+    resolvers MUST recognize 'ipv4only.arpa' (and all of its
+    subdomains) as special, and they MUST NOT attempt to look up NS
+    records for 'ipv4only.arpa' or otherwise query authoritative name
+    servers in an attempt to resolve this name.  Instead, DNS64
+    recursive resolvers MUST act as authoritative for this zone, by
+    generating immediate responses for all queries for
+    'ipv4only.arpa' (and any subdomain of 'ipv4only.arpa'), with the
+    one exception of queries for the DS record.  Queries for the DS
+    record are resolved the usual way to allow a client to securely
+    verify that the 'ipv4only.arpa' zone has an insecure delegation.
+    Note that this exception is not expected to receive widespread
+    usage, since any client compliant with this specification already
+    knows that 'ipv4only.arpa' is an insecure delegation and will not
+    attempt DNSSEC validation for this name.
-      Traditional iterative recursive resolvers that are not explicitly
+    DNS64 recursive resolvers MUST generate the 192.0.0.170 and
-      configured to synthesize IPv6 prefixes on behalf of a companion
+.0.0.171 responses for IPv4 address queries (DNS qtype "A"),
-      NAT64 gateway need not recognize 'ipv4only.arpa' as special or
+    the appropriate synthesized IPv6 address record responses for
-      take any special action.
+    IPv6 address queries (DNS qtype "AAAA"), and a negative
+    ("no error no answer") response for all other query types except
+    DS.
-      Forwarding or iterative recursive resolvers that have been
+    For all subdomains of 'ipv4only.arpa', DNS64 recursive resolvers
-      explicitly configured to perform DNS64 address synthesis in
+    MUST generate immediate NXDOMAIN responses.  All names falling
-      support of a companion NAT64 gateway (i.e., "DNS64 recursive
+    below 'ipv4only.arpa' are defined to be nonexistent.
-      resolvers") MUST recognize 'ipv4only.arpa' as special.  The
-      authoritative name servers for 'ipv4only.arpa' cannot be expected
-      to know the local network's NAT64 address synthesis prefix, so
-      consulting the authoritative name servers for IPv6 address
-      records for 'ipv4only.arpa' is futile.  All DNS64 recursive
-      resolvers MUST recognize 'ipv4only.arpa' (and all of its
-      subdomains) as special, and they MUST NOT attempt to look up NS
-      records for 'ipv4only.arpa' or otherwise query authoritative name
-      servers in an attempt to resolve this name.  Instead, DNS64
-      recursive resolvers MUST act as authoritative for this zone, by
-      generating immediate responses for all queries for
-      'ipv4only.arpa' (and any subdomain of 'ipv4only.arpa'), with the
-      one exception of queries for the DS record.  Queries for the DS
-      record are resolved the usual way to allow a client to securely
-      verify that the 'ipv4only.arpa' zone has an insecure delegation.
-      Note that this exception is not expected to receive widespread
-      usage, since any client compliant with this specification already
-      knows that 'ipv4only.arpa' is an insecure delegation and will not
-      attempt DNSSEC validation for this name.
-      DNS64 recursive resolvers MUST generate the 192.0.0.170 and
+    An example configuration for BIND 9 showing how to achieve the
-.0.0.171 responses for IPv4 address queries (DNS qtype "A"),
+    desired result is given in Appendix A.
-      the appropriate synthesized IPv6 address record responses for
-      IPv6 address queries (DNS qtype "AAAA"), and a negative
-      ("no error no answer") response for all other query types except
-      DS.
-      For all subdomains of 'ipv4only.arpa', DNS64 recursive resolvers
+    Note that this is *not* a locally served zone in the usual sense
-      MUST generate immediate NXDOMAIN responses.  All names falling
+    of that term [[RFC6303]] because this rule applies *only* to DNS64
-      below 'ipv4only.arpa' are defined to be nonexistent.
+    recursive resolvers, not to traditional forwarding or iterative
+    recursive resolvers.
-      An example configuration for BIND 9 showing how to achieve the
+.  Authoritative name server software need not recognize
-      desired result is given in Appendix A.
+    'ipv4only.arpa' as special or handle it in any special way.
-      Note that this is *not* a locally served zone in the usual sense
+.  Generally speaking, operators of authoritative name servers need
-      of that term [RFC6303] because this rule applies *only* to DNS64
+    not know anything about the name 'ipv4only.arpa', just as they do
-      recursive resolvers, not to traditional forwarding or iterative
+    not need to know anything about any other names they are not
-      recursive resolvers.
+    responsible for.  Only the administrators of the 'arpa' namespace
+    need to be aware of this name's purpose and how it should be
+    configured.  In particular, 'ipv4only.arpa' MUST have the
+    required records, and MUST be an insecure delegation, to allow
+    DNS64 recursive resolvers to create synthesized AAAA answers
+    within that zone.  Making the 'ipv4only.arpa' zone a secure
+    delegation would make it impossible for DNS64 recursive resolvers
+    to create synthesized AAAA answers that will be accepted by
+    DNSSEC validating clients, thereby defeating the entire purpose
+    of the 'ipv4only.arpa' name.
-.  Authoritative name server software need not recognize
+.  DNS Registries/Registrars need not know anything about the name
-      'ipv4only.arpa' as special or handle it in any special way.
+    'ipv4only.arpa', just as they do not need to know anything about
+    any other name they are not responsible for.
-.  Generally speaking, operators of authoritative name servers need
+=== Names '170.0.0.192.in-addr.arpa' and '171.0.0.192.in-addr.arpa' ===
-      not know anything about the name 'ipv4only.arpa', just as they do
-      not need to know anything about any other names they are not
-      responsible for.  Only the administrators of the 'arpa' namespace
-      need to be aware of this name's purpose and how it should be
-      configured.  In particular, 'ipv4only.arpa' MUST have the
-      required records, and MUST be an insecure delegation, to allow
-      DNS64 recursive resolvers to create synthesized AAAA answers
-      within that zone.  Making the 'ipv4only.arpa' zone a secure
-      delegation would make it impossible for DNS64 recursive resolvers
-      to create synthesized AAAA answers that will be accepted by
-      DNSSEC validating clients, thereby defeating the entire purpose
-      of the 'ipv4only.arpa' name.
-.  DNS Registries/Registrars need not know anything about the name
+Since the IPv4 addresses 192.0.0.170 and 192.0.0.171 are defined to
-      'ipv4only.arpa', just as they do not need to know anything about
+be special, and are listed in the IANA IPv4 Special-Purpose Address
-      any other name they are not responsible for.
+Registry [SUv4], the corresponding reverse mapping names in the
+in-addr.arpa domain are similarly special.
-.2.  Names '170.0.0.192.in-addr.arpa' and '171.0.0.192.in-addr.arpa'
+The name '170.0.0.192.in-addr.arpa' is defined, by IETF specification
+[[RFC7050]], to have only one DNS record, type PTR, with rdata
+'ipv4only.arpa'.
-  Since the IPv4 addresses 192.0.0.170 and 192.0.0.171 are defined to
+The name '171.0.0.192.in-addr.arpa' is defined, by IETF specification
-  be special, and are listed in the IANA IPv4 Special-Purpose Address
+[[RFC7050]], to have only one DNS record, type PTR, with rdata
-  Registry [SUv4], the corresponding reverse mapping names in the
+'ipv4only.arpa'.
-  in-addr.arpa domain are similarly special.
-  The name '170.0.0.192.in-addr.arpa' is defined, by IETF specification
+There are no subdomains of '170.0.0.192.in-addr.arpa' or
-  [RFC7050], to have only one DNS record, type PTR, with rdata
+'171.0.0.192.in-addr.arpa'.  All names falling below these names are
-  'ipv4only.arpa'.
+defined to be nonexistent (NXDOMAIN).
-  The name '171.0.0.192.in-addr.arpa' is defined, by IETF specification
+Practically speaking, these two names are rarely used, but to the
-  [RFC7050], to have only one DNS record, type PTR, with rdata
+extent that they may be, they are special only to resolver APIs and
-  'ipv4only.arpa'.
+libraries, as described in item 3 below:
-  There are no subdomains of '170.0.0.192.in-addr.arpa' or
+.  Normal users should never have reason to encounter these two
-  '171.0.0.192.in-addr.arpa'.  All names falling below these names are
+    reverse mapping names.  However, if they do, queries for these
-  defined to be nonexistent (NXDOMAIN).
+    reverse mapping names should return the expected answer
+    'ipv4only.arpa'.  Normal users have no need to know that these
+    reverse mapping names are special.
-  Practically speaking, these two names are rarely used, but to the
+.  Application software SHOULD NOT recognize these two reverse
-  extent that they may be, they are special only to resolver APIs and
+    mapping names as special and SHOULD NOT treat them differently.
-  libraries, as described in item 3 below:
+    For example, if the user were to issue the Unix command
+    "host 192.0.0.170", then the "host" command should call the name
+    resolution API or library as usual and display the result that is
+    returned.
-.  Normal users should never have reason to encounter these two
+.  Name resolution APIs and libraries SHOULD recognize these two
-      reverse mapping names.  However, if they do, queries for these
+    reverse mapping names as special and generate the required
-      reverse mapping names should return the expected answer
+    responses locally.  For the names '170.0.0.192.in-addr.arpa' and
-      'ipv4only.arpa'.  Normal users have no need to know that these
+    '171.0.0.192.in-addr.arpa', PTR queries yield the result
-      reverse mapping names are special.
+    'ipv4only.arpa'; all other query types yield a negative
+    ("no error no answer") response.  For all subdomains of these two
+    reverse mapping domains, all queries yield an NXDOMAIN response.
+    All names falling below these two reverse mapping domains are
+    defined to be nonexistent.
-.  Application software SHOULD NOT recognize these two reverse
+    This local self-contained generation of these responses is to
-      mapping names as special and SHOULD NOT treat them differently.
+    avoid placing unnecessary load on the authoritative
-      For example, if the user were to issue the Unix command
+    'in-addr.arpa' name servers.
-      "host 192.0.0.170", then the "host" command should call the name
-      resolution API or library as usual and display the result that is
-      returned.
-.  Name resolution APIs and libraries SHOULD recognize these two
+.  Recursive resolvers SHOULD NOT recognize these two reverse
-      reverse mapping names as special and generate the required
+    mapping names as special and SHOULD NOT, by default, give them
-      responses locally.  For the names '170.0.0.192.in-addr.arpa' and
+    any special treatment.
-      '171.0.0.192.in-addr.arpa', PTR queries yield the result
-      'ipv4only.arpa'; all other query types yield a negative
-      ("no error no answer") response.  For all subdomains of these two
-      reverse mapping domains, all queries yield an NXDOMAIN response.
-      All names falling below these two reverse mapping domains are
-      defined to be nonexistent.
-      This local self-contained generation of these responses is to
+.  Authoritative name server software need not recognize these two
-      avoid placing unnecessary load on the authoritative
+    reverse mapping names as special or handle them in any special
-      'in-addr.arpa' name servers.
+    way.
-.  Recursive resolvers SHOULD NOT recognize these two reverse
+.  Generally speaking, most operators of authoritative name servers
-      mapping names as special and SHOULD NOT, by default, give them
+    need not know anything about these two reverse mapping names,
-      any special treatment.
+    just as they do not need to know anything about any other names
+    they are not responsible for.  Only the operators of the
+    authoritative name servers for these two reverse mapping names
+    need to be aware that these names are special, and require fixed
+    answers specified by IETF specification.
-.  Authoritative name server software need not recognize these two
+.  DNS Registries/Registrars need not know anything about these two
-      reverse mapping names as special or handle them in any special
+    reverse mapping names, just as they do not need to know anything
-      way.
+    about any other name they are not responsible for.
-.  Generally speaking, most operators of authoritative name servers
+==== ip6.arpa Reverse Mapping PTR Records ====
-      need not know anything about these two reverse mapping names,
-      just as they do not need to know anything about any other names
-      they are not responsible for.  Only the operators of the
-      authoritative name servers for these two reverse mapping names
-      need to be aware that these names are special, and require fixed
-      answers specified by IETF specification.
-.  DNS Registries/Registrars need not know anything about these two
+For all IPv6 addresses synthesized by a DNS64 recursive resolver, the
-      reverse mapping names, just as they do not need to know anything
+DNS64 recursive resolver is responsible for synthesizing the
-      about any other name they are not responsible for.
+appropriate 'ip6.arpa' reverse mapping PTR records too, if it chooses
+to provide reverse mapping PTR records.  The same applies to the
+synthesized IPv6 addresses corresponding to the IPv4 addresses
+.0.0.170 and 192.0.0.171.
-.2.1.  ip6.arpa Reverse Mapping PTR Records
+Generally, a DNS64 recursive resolver synthesizes appropriate
+'ip6.arpa' reverse mapping PTR records by extracting the embedded
+IPv4 address from the encoded IPv6 address, performing a reverse
+mapping PTR query for that IPv4 address, and then synthesizing a
+corresponding 'ip6.arpa' reverse mapping PTR record containing the
+same rdata.
-  For all IPv6 addresses synthesized by a DNS64 recursive resolver, the
+In the case of synthesized IPv6 addresses corresponding to the IPv4
-  DNS64 recursive resolver is responsible for synthesizing the
+addresses 192.0.0.170 and 192.0.0.171, the DNS64 recursive resolver
-  appropriate 'ip6.arpa' reverse mapping PTR records too, if it chooses
+does not issue reverse mapping queries for those IPv4 addresses, but
-  to provide reverse mapping PTR records.  The same applies to the
+instead, according to rule 3 above, immediately returns the answer
-  synthesized IPv6 addresses corresponding to the IPv4 addresses
+'ipv4only.arpa'.
-.0.0.170 and 192.0.0.171.
-  Generally, a DNS64 recursive resolver synthesizes appropriate
+In the case of a client that uses the 'ipv4only.arpa' query to
-  'ip6.arpa' reverse mapping PTR records by extracting the embedded
+discover the IPv6 prefixes in use by the local NAT64 gateway, and
-  IPv4 address from the encoded IPv6 address, performing a reverse
+then proceeds to perform its own address synthesis locally (which has
-  mapping PTR query for that IPv4 address, and then synthesizing a
+benefits such as allowing DNSSEC validation), that client MUST also
-  corresponding 'ip6.arpa' reverse mapping PTR record containing the
+synthesize 'ip6.arpa' reverse mapping PTR records for those
-  same rdata.
+discovered prefix(es), according to the rules above: When a client's
+name resolution APIs and libraries receive a request to look up an
+'ip6.arpa' reverse mapping PTR record for an address that falls
+within one of the discovered NAT64 address synthesis prefixes, the
+software extracts the embedded IPv4 address and then, for IPv4
+addresses 192.0.0.170 and 192.0.0.171, returns the fixed answer
+'ipv4only.arpa', and for all other IPv4 addresses, performs a reverse
+mapping PTR query for the IPv4 address and then synthesizes a
+corresponding 'ip6.arpa' reverse mapping PTR record containing the
+same rdata.
-  In the case of synthesized IPv6 addresses corresponding to the IPv4
+== References ==
-  addresses 192.0.0.170 and 192.0.0.171, the DNS64 recursive resolver
-  does not issue reverse mapping queries for those IPv4 addresses, but
-  instead, according to rule 3 above, immediately returns the answer
-  'ipv4only.arpa'.
-  In the case of a client that uses the 'ipv4only.arpa' query to
-  discover the IPv6 prefixes in use by the local NAT64 gateway, and
-  then proceeds to perform its own address synthesis locally (which has
-  benefits such as allowing DNSSEC validation), that client MUST also
-  synthesize 'ip6.arpa' reverse mapping PTR records for those
-  discovered prefix(es), according to the rules above: When a client's
-  name resolution APIs and libraries receive a request to look up an
-  'ip6.arpa' reverse mapping PTR record for an address that falls
-  within one of the discovered NAT64 address synthesis prefixes, the
-  software extracts the embedded IPv4 address and then, for IPv4
-  addresses 192.0.0.170 and 192.0.0.171, returns the fixed answer
-  'ipv4only.arpa', and for all other IPv4 addresses, performs a reverse
-  mapping PTR query for the IPv4 address and then synthesizes a
-  corresponding 'ip6.arpa' reverse mapping PTR record containing the
-  same rdata.
-.  References
-.1.  Normative References
+=== Normative References ===
-  [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
+[[RFC2119]]  Bradner, S., "Key words for use in RFCs to Indicate
-              Requirement Levels", BCP 14, RFC 2119,
+          Requirement Levels", [[BCP14|BCP 14]], [[RFC2119|RFC 2119]],
-              DOI 10.17487/RFC2119, March 1997,
+          DOI 10.17487/RFC2119, March 1997,
-              <https://www.rfc-editor.org/info/rfc2119>.
+          <https://www.rfc-editor.org/info/rfc2119>.
-  [RFC3646]  Droms, R., Ed., "DNS Configuration options for Dynamic
+[[RFC3646]]  Droms, R., Ed., "DNS Configuration options for Dynamic
-              Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3646,
+          Host Configuration Protocol for IPv6 (DHCPv6)", [[RFC3646|RFC 3646]],
-              DOI 10.17487/RFC3646, December 2003,
+          DOI 10.17487/RFC3646, December 2003,
-              <https://www.rfc-editor.org/info/rfc3646>.
+          <https://www.rfc-editor.org/info/rfc3646>.
-  [RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
+[[RFC6146]]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
-              NAT64: Network Address and Protocol Translation from IPv6
+          NAT64: Network Address and Protocol Translation from IPv6
-              Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
+          Clients to IPv4 Servers", [[RFC6146|RFC 6146]], DOI 10.17487/RFC6146,
-              April 2011, <https://www.rfc-editor.org/info/rfc6146>.
+          April 2011, <https://www.rfc-editor.org/info/rfc6146>.
-  [RFC6147]  Bagnulo, M., Sullivan, A., Matthews, P., and I. van
+[[RFC6147]]  Bagnulo, M., Sullivan, A., Matthews, P., and I. van
-              Beijnum, "DNS64: DNS Extensions for Network Address
+          Beijnum, "DNS64: DNS Extensions for Network Address
-              Translation from IPv6 Clients to IPv4 Servers", RFC 6147,
+          Translation from IPv6 Clients to IPv4 Servers", [[RFC6147|RFC 6147]],
-              DOI 10.17487/RFC6147, April 2011,
+          DOI 10.17487/RFC6147, April 2011,
-              <https://www.rfc-editor.org/info/rfc6147>.
+          <https://www.rfc-editor.org/info/rfc6147>.
-  [RFC6761]  Cheshire, S. and M. Krochmal, "Special-Use Domain Names",
+[[RFC6761]]  Cheshire, S. and M. Krochmal, "Special-Use Domain Names",
-              RFC 6761, DOI 10.17487/RFC6761, February 2013,
+          [[RFC6761|RFC 6761]], DOI 10.17487/RFC6761, February 2013,
-              <https://www.rfc-editor.org/info/rfc6761>.
+          <https://www.rfc-editor.org/info/rfc6761>.
-  [RFC7050]  Savolainen, T., Korhonen, J., and D. Wing, "Discovery of
+[[RFC7050]]  Savolainen, T., Korhonen, J., and D. Wing, "Discovery of
-              the IPv6 Prefix Used for IPv6 Address Synthesis",
+          the IPv6 Prefix Used for IPv6 Address Synthesis",
-              RFC 7050, DOI 10.17487/RFC7050, November 2013,
+          [[RFC7050|RFC 7050]], DOI 10.17487/RFC7050, November 2013,
-              <https://www.rfc-editor.org/info/rfc7050>.
+          <https://www.rfc-editor.org/info/rfc7050>.
-  [RFC8106]  Jeong, J., Park, S., Beloeil, L., and S. Madanapalli,
+[[RFC8106]]  Jeong, J., Park, S., Beloeil, L., and S. Madanapalli,
-              "IPv6 Router Advertisement Options for DNS Configuration",
+          "IPv6 Router Advertisement Options for DNS Configuration",
-              RFC 8106, DOI 10.17487/RFC8106, March 2017,
+          [[RFC8106|RFC 8106]], DOI 10.17487/RFC8106, March 2017,
-              <https://www.rfc-editor.org/info/rfc8106>.
+          <https://www.rfc-editor.org/info/rfc8106>.
-  [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
+[[RFC8174]]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
-Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
+Key Words", [[BCP14|BCP 14]], [[RFC8174|RFC 8174]], DOI 10.17487/RFC8174,
-              May 2017, <https://www.rfc-editor.org/info/rfc8174>.
+          May 2017, <https://www.rfc-editor.org/info/rfc8174>.
-.2.  Informative References
+=== Informative References ===
-  [RFC6303]  Andrews, M., "Locally Served DNS Zones", BCP 163,
+[[RFC6303]]  Andrews, M., "Locally Served DNS Zones", [[BCP163|BCP 163]],
-              RFC 6303, DOI 10.17487/RFC6303, July 2011,
+          [[RFC6303|RFC 6303]], DOI 10.17487/RFC6303, July 2011,
-              <https://www.rfc-editor.org/info/rfc6303>.
+          <https://www.rfc-editor.org/info/rfc6303>.
-  [RFC8244]  Lemon, T., Droms, R., and W. Kumari, "Special-Use Domain
+[[RFC8244]]  Lemon, T., Droms, R., and W. Kumari, "Special-Use Domain
-              Names Problem Statement", RFC 8244, DOI 10.17487/RFC8244,
+          Names Problem Statement", [[RFC8244|RFC 8244]], DOI 10.17487/RFC8244,
-              October 2017, <https://www.rfc-editor.org/info/rfc8244>.
+          October 2017, <https://www.rfc-editor.org/info/rfc8244>.
-  [RFC8499]  Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
+[[RFC8499]]  Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
-              Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
+          Terminology", [[BCP219|BCP 219]], [[RFC8499|RFC 8499]], DOI 10.17487/RFC8499,
-              January 2019, <https://www.rfc-editor.org/info/rfc8499>.
+          January 2019, <https://www.rfc-editor.org/info/rfc8499>.
-  [SUDN]    IANA, "Special-Use Domain Names",
+[SUDN]    IANA, "Special-Use Domain Names",
-              <https://www.iana.org/assignments/special-use-domain-
+          <https://www.iana.org/assignments/special-use-domain-
-              names/>.
+          names/>.
-  [SUv4]    IANA, "IANA IPv4 Special-Purpose Address Registry",
+[SUv4]    IANA, "IANA IPv4 Special-Purpose Address Registry",
-              <https://www.iana.org/assignments/iana-ipv4-special-
+          <https://www.iana.org/assignments/iana-ipv4-special-
-              registry/>.
+          registry/>.
-  [DNS1]    Cloudflare, "1.1.1.1 - The free app that makes your
+[DNS1]    Cloudflare, "1.1.1.1 - The free app that makes your
-              Internet safer.", <https://1.1.1.1/>.
+          Internet safer.", <https://1.1.1.1/>.
-  [DNS8]    Google, "Google Public DNS",
+[DNS8]    Google, "Google Public DNS",
-              <https://developers.google.com/speed/public-dns/>.
+          <https://developers.google.com/speed/public-dns/>.
-  [DNS9]    Quad9, "Internet Security and Privacy In a Few Easy
+[DNS9]    Quad9, "Internet Security and Privacy In a Few Easy
-              Steps", <https://quad9.net/>.
+          Steps", <https://quad9.net/>.
 Appendix A.  Example BIND 9 Configuration
-  A BIND 9 recursive resolver can be configured to act as authoritative
+A BIND 9 recursive resolver can be configured to act as authoritative
-  for the necessary DNS64 names as described below.
+for the necessary DNS64 names as described below.
-  In /etc/named.conf, the following line is added:
+In /etc/named.conf, the following line is added:
-      zone "ipv4only.arpa"            { type master; file "ipv4only"; };
+  zone "ipv4only.arpa"            { type master; file "ipv4only"; };
-  The file /var/named/ipv4only is created with the following content:
+The file /var/named/ipv4only is created with the following content:
-      $TTL 86400              ; Default TTL 24 hours
+  $TTL 86400              ; Default TTL 24 hours
-      @ IN SOA nameserver.example. admin.nameserver.example. (
+  @ IN SOA nameserver.example. admin.nameserver.example. (
-              2016052400      ; Serial
+            2016052400      ; Serial
             ; Refresh ( 7200 = 2 hours)
             ; Retry  ( 3600 = 1 hour)
-              15724800        ; Expire  (15724800 = 6 months)
+            15724800        ; Expire  (15724800 = 6 months)
               ; Minimum
-              )
+            )
-      @ IN NS  nameserver.example.
+  @ IN NS  nameserver.example.
-      @ IN A    192.0.0.170
+  @ IN A    192.0.0.170
-      @ IN A    192.0.0.171
+  @ IN A    192.0.0.171
-      @ IN AAAA 64:ff9b::192.0.0.170 ; If not using Well-Known Prefix
+  @ IN AAAA 64:ff9b::192.0.0.170 ; If not using Well-Known Prefix
-      @ IN AAAA 64:ff9b::192.0.0.171 ; place chosen NAT64 prefix here
+  @ IN AAAA 64:ff9b::192.0.0.171 ; place chosen NAT64 prefix here
 Acknowledgements
-  Thanks to Jouni Korhonen, Teemu Savolainen, and Dan Wing, for
+Thanks to Jouni Korhonen, Teemu Savolainen, and Dan Wing, for
-  devising the NAT64 Prefix Discovery mechanism [RFC7050] and for their
+devising the NAT64 Prefix Discovery mechanism [[RFC7050]] and for their
-  feedback on this document.
+feedback on this document.
-  Thanks to Geoff Huston for his feedback on this document.
+Thanks to Geoff Huston for his feedback on this document.
-  Thanks to Erik Kline for pointing out that the in-addr.arpa names are
+Thanks to Erik Kline for pointing out that the in-addr.arpa names are
-  special, too.
+special, too.
-  Thanks to Mark Andrews for conclusively pointing out the reasons why
+Thanks to Mark Andrews for conclusively pointing out the reasons why
-  the 'ipv4only.arpa' zone must be an insecure delegation in order for
+the 'ipv4only.arpa' zone must be an insecure delegation in order for
-  the NAT64 Prefix Discovery mechanism [RFC7050] to work and for many
+the NAT64 Prefix Discovery mechanism [[RFC7050]] to work and for many
-  other very helpful comments.
+other very helpful comments.
-  Thanks particularly to Lorenzo Colitti for an especially spirited
+Thanks particularly to Lorenzo Colitti for an especially spirited
-  hallway discussion at IETF 96 in Berlin, which lead directly to
+hallway discussion at IETF 96 in Berlin, which lead directly to
-  significant improvements in how this document presents the issues.
+significant improvements in how this document presents the issues.
-  Thanks to Scott Bradner, Bernie Volz, Barry Leiba, Mirja Kuehlewind,
+Thanks to Scott Bradner, Bernie Volz, Barry Leiba, Mirja Kuehlewind,
-  Suresh Krishnan, Benjamin Kaduk, Roman Danyliw, Eric Vyncke, and the
+Suresh Krishnan, Benjamin Kaduk, Roman Danyliw, Eric Vyncke, and the
-  other IESG reviewers for their thoughtful feedback.
+other IESG reviewers for their thoughtful feedback.
-  Thanks to Dave Thaler and Warren Kumari for generously helping
+Thanks to Dave Thaler and Warren Kumari for generously helping
-  shepherd this document through the publication process.
+shepherd this document through the publication process.
 Authors' Addresses
-  Stuart Cheshire
+Stuart Cheshire
-  Apple Inc.
+Apple Inc.
-  One Apple Park Way
+One Apple Park Way
-  Cupertino, California 95014
+Cupertino, California 95014
-  United States of America
+United States of America
-  Phone: +1 (408) 996-1010
+Phone: +1 (408) 996-1010
-  Email: [email protected]
+Email: [email protected]
+David Schinazi
+Google LLC
+Amphitheatre Parkway
+Mountain View, California 94043
+United States of America
-  David Schinazi
+Email: [email protected]
-  Google LLC
-Amphitheatre Parkway
-  Mountain View, California 94043
-  United States of America
-  Email: [email protected]
+[[Category:Standards Track]]

Anonymous

Search

Difference between revisions of "RFC8880"

Latest revision as of 11:25, 30 October 2020

Contents

Introduction

Conventions and Terminology

Reasons to Declare 'ipv4only.arpa' as Special

Consequences of 'ipv4only.arpa' Not Being Declared Special

Consequences for Name Resolution APIs and Libraries

Consequences for DNS64 Implementations

Remedies

Security Considerations

IANA Considerations

Domain Name Reservation Considerations

Special Use Domain Name 'ipv4only.arpa'

Names '170.0.0.192.in-addr.arpa' and '171.0.0.192.in-addr.arpa'

ip6.arpa Reverse Mapping PTR Records

References

Normative References

Informative References

Navigation

Wiki tools

Page tools

Categories