starred/hickory-dns
1
0
Fork 0
mirror of https://github.com/hickory-dns/hickory-dns.git synced 2026-04-25 03:05:51 +03:00
Code Issues 373 Projects Releases 6 Packages Wiki Activity

[GH-ISSUE #98] [Server] Support DNS64 (RFC 6147) #347

New issue
Open
opened 2026-03-15 22:04:59 +03:00 by kerem · 10 comments
kerem commented 2026-03-15 22:04:59 +03:00
Owner
Copy link

Originally created by @vi on GitHub (Feb 28, 2017).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/98

I struggle to find something for DNS64 that is not BIND.

Originally created by @vi on GitHub (Feb 28, 2017). Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/98 I struggle to find something for DNS64 that is not BIND.
kerem commented 2026-03-15 22:05:10 +03:00
Author
Owner
Copy link

@bluejekyll commented on GitHub (Feb 28, 2017):

I'm happy to take feature requests. I haven't had plans to support something like this, as it's not in my own use cases. It looks like a fairly strait forward implementation.

Is your plan to use this to auto-populate AAAA records for a NAT64? If so, I would see this as a magic option that could as easily be implemented with a dynamic update where on registration of the A record, you would perform the auto translation to the AAAA and IPv6 address. Is there a reason that doesn't work that I'm missing?

<!-- gh-comment-id:283132000 --> @bluejekyll commented on GitHub (Feb 28, 2017): I'm happy to take feature requests. I haven't had plans to support something like this, as it's not in my own use cases. It looks like a fairly strait forward implementation. Is your plan to use this to auto-populate AAAA records for a NAT64? If so, I would see this as a magic option that could as easily be implemented with a dynamic update where on registration of the A record, you would perform the auto translation to the AAAA and IPv6 address. Is there a reason that doesn't work that I'm missing?
kerem commented 2026-03-15 22:05:16 +03:00
Author
Owner
Copy link

@vi commented on GitHub (Feb 28, 2017):

I haven't tried to use trust-dns [yet]. Just saw that it is aimed to be BIND replacement, but also that RFC 6147 is not mentioned in README list of RFCs.

<!-- gh-comment-id:283146866 --> @vi commented on GitHub (Feb 28, 2017): I haven't tried to use trust-dns [yet]. Just saw that it is aimed to be BIND replacement, but also that RFC 6147 is not mentioned in README list of RFCs.
kerem commented 2026-03-15 22:05:21 +03:00
Author
Owner
Copy link

@bluejekyll commented on GitHub (Mar 1, 2017):

I am definitely aiming for the project to be able to be used in the place of BIND, but I very early on decided not to make it a drop-in replacement. So it will not be 100% compatible with the BIND feature set. In this particular case, it seems like an RFC which provides value for configurations where you want some type of server logic to kick in to auto response to AAAA for NAT64 setups.

If someone requires this, I'll consider adding it, but I still fail to see why it couldn't just be part of deployment/management scripts as opposed to baked into the DNS server itself. Thanks for your interest in the project!

<!-- gh-comment-id:283467982 --> @bluejekyll commented on GitHub (Mar 1, 2017): I am definitely aiming for the project to be able to be used in the place of BIND, but I very early on decided not to make it a drop-in replacement. So it will not be 100% compatible with the BIND feature set. In this particular case, it seems like an RFC which provides value for configurations where you want some type of server logic to kick in to auto response to AAAA for NAT64 setups. If someone requires this, I'll consider adding it, but I still fail to see why it couldn't just be part of deployment/management scripts as opposed to baked into the DNS server itself. Thanks for your interest in the project!
kerem commented 2026-03-15 22:05:26 +03:00
Author
Owner
Copy link

@vi commented on GitHub (Mar 1, 2017):

Does trust-dns have executable configuration files (like in Lua or Python often have) and can be told to turn e.g. A 178.172.160.4 into AAAA fd11:1:1:ffff::b2ac:a004 where fd11:1:1:ffff:: is configurable prefix and b2ac:a004 is IPv4 address in disguise for all resolved addresses?

<!-- gh-comment-id:283474465 --> @vi commented on GitHub (Mar 1, 2017): Does trust-dns have executable configuration files (like in Lua or Python often have) and can be told to turn e.g. `A 178.172.160.4` into `AAAA fd11:1:1:ffff::b2ac:a004` where `fd11:1:1:ffff::` is configurable prefix and `b2ac:a004` is IPv4 address in disguise for all resolved addresses?
kerem commented 2026-03-15 22:05:31 +03:00
Author
Owner
Copy link

@bluejekyll commented on GitHub (Mar 1, 2017):

The server supports dynamic DNS with SIG0 authentication. I've always imagine tools would be build around that interface to perform updates of the server. In that context, you could use any scripting language you want to manage it. I haven't considered scripted configs before, but it would be feasible... not on my road-map right now.

For example, in this case I would imagine the tool that is being used to manage the zones would be responsible for the logic you describe... The TRust-DNS client and server support atomic update operations, on a per record-set basis, which should make scripting this pretty straightforward.

<!-- gh-comment-id:283479221 --> @bluejekyll commented on GitHub (Mar 1, 2017): The server supports dynamic DNS with SIG0 authentication. I've always imagine tools would be build around that interface to perform updates of the server. In that context, you could use any scripting language you want to manage it. I haven't considered scripted configs before, but it would be feasible... not on my road-map right now. For example, in this case I would imagine the tool that is being used to manage the zones would be responsible for the logic you describe... The TRust-DNS client and server support atomic update operations, on a per record-set basis, which should make scripting this pretty straightforward.
kerem commented 2026-03-15 22:05:36 +03:00
Author
Owner
Copy link

@vi commented on GitHub (Mar 1, 2017):

DNS64 is mostly not about being authoritative DNS server for some zone, but more like a DNS proxy that also patches request on the fly, changing all IPv4 addresses into IPv6 ones for NAT64.

<!-- gh-comment-id:283485831 --> @vi commented on GitHub (Mar 1, 2017): DNS64 is mostly not about being authoritative DNS server for some zone, but more like a DNS proxy that also patches request on the fly, changing all IPv4 addresses into IPv6 ones for NAT64.
kerem commented 2026-03-15 22:05:41 +03:00
Author
Owner
Copy link

@bluejekyll commented on GitHub (Mar 1, 2017):

Ah, thanks for the explanation. That makes sense to me. If your look at TRust-DNS as something you want to use and this is a blocker to that, I can try and fit it into my development at a future date. I'm also happy to accept PRs.

<!-- gh-comment-id:283492569 --> @bluejekyll commented on GitHub (Mar 1, 2017): Ah, thanks for the explanation. That makes sense to me. If your look at TRust-DNS as something you want to use and this is a blocker to that, I can try and fit it into my development at a future date. I'm also happy to accept PRs.
kerem commented 2026-03-15 22:05:46 +03:00
Author
Owner
Copy link

@briansmith commented on GitHub (Jan 1, 2018):

Is your plan to use this to auto-populate AAAA records for a NAT64?

I'm not the OP, but this is my plan.

If so, I would see this as a magic option that could as easily be implemented with a dynamic update where on registration of the A record, you would perform the auto translation to the AAAA and IPv6 address. Is there a reason that doesn't work that I'm missing?

Imagine that you want to NAT64/DNS64 for the entire internet: IPv6-only LAN (not dual stack) that can access IPv4-only websites. In this case we need to give every IPv4-only-site on the internet an IPv6 address. That means that ideally the recursive resolver, not the server, would implement DNS64, and it would happen on-the-fly; i.e. require no disk/memory storage. That is, the recursive resolver would cache the AAAA records and throw away the A records from which it synthesized the AAAA records.

<!-- gh-comment-id:354683357 --> @briansmith commented on GitHub (Jan 1, 2018): > Is your plan to use this to auto-populate AAAA records for a NAT64? I'm not the OP, but this is my plan. > If so, I would see this as a magic option that could as easily be implemented with a dynamic update where on registration of the A record, you would perform the auto translation to the AAAA and IPv6 address. Is there a reason that doesn't work that I'm missing? Imagine that you want to NAT64/DNS64 for the entire internet: IPv6-only LAN (not dual stack) that can access IPv4-only websites. In this case we need to give every IPv4-only-site on the internet an IPv6 address. That means that ideally the recursive resolver, not the server, would implement DNS64, and it would happen on-the-fly; i.e. require no disk/memory storage. That is, the recursive resolver would cache the AAAA records and throw away the A records from which it synthesized the AAAA records.
kerem commented 2026-03-15 22:05:51 +03:00
Author
Owner
Copy link

@briansmith commented on GitHub (Jan 2, 2018):

In particular, see https://tools.ietf.org/html/rfc6144#section-3.1.4:

Static records: One could literally populate DNS with corresponding A and AAAA records. This mechanism works for scenarios 2, 3, 5, and 6.

In particular, It doesn't work for Scenerio 1 (IPv6 network to IPv4 internet), which is the scenerio I described above.

Dynamic Translation of static records: In more general operation, the preferred behavior is an A record to be (retrieved and) translated to a AAAA record by the DNS64 if and only if no reachable AAAA record exists

<!-- gh-comment-id:354695500 --> @briansmith commented on GitHub (Jan 2, 2018): In particular, see https://tools.ietf.org/html/rfc6144#section-3.1.4: > Static records: One could literally populate DNS with corresponding A and AAAA records. This mechanism works for scenarios 2, 3, 5, and 6. In particular, It doesn't work for Scenerio 1 (IPv6 network to IPv4 internet), which is the scenerio I described above. > Dynamic Translation of static records: In more general operation, the preferred behavior is an A record to be (retrieved and) translated to a AAAA record by the DNS64 if and only if no reachable AAAA record exists
kerem commented 2026-03-15 22:05:56 +03:00
Author
Owner
Copy link

@briansmith commented on GitHub (Jan 2, 2018):

It may be useful to add some knobs to this to control the behavior w.r.t. DNSSEC:

  1. Add an option to disable A -> AAAA conversion for DNSSEC-signed A records, since the AAAA records are forged. This would prevent DNSSEC-enforcing applications from breaking.
  2. Add an option to require DNSSEC-secured A records and/or secured proof of a lack of AAAA records for translation to happen.
  3. Add an option to sign synthesized AAAA records using a given key that chains to a provided root. Then a DNSSEC-enforcing application can trust the additional root to keep DNSSEC working.

#2 and #3 are complementary. I would suggest splitting out this kind of DNSSEC-stuff into a separate issue; I'm recording it here just to draw attention to the issue.

<!-- gh-comment-id:354699224 --> @briansmith commented on GitHub (Jan 2, 2018): It may be useful to add some knobs to this to control the behavior w.r.t. DNSSEC: 1. Add an option to disable A -> AAAA conversion for DNSSEC-signed A records, since the AAAA records are forged. This would prevent DNSSEC-enforcing applications from breaking. 2. Add an option to require DNSSEC-secured A records and/or secured proof of a lack of AAAA records for translation to happen. 3. Add an option to sign synthesized AAAA records using a given key that chains to a provided root. Then a DNSSEC-enforcing application can trust the additional root to keep DNSSEC working. #2 and #3 are complementary. I would suggest splitting out this kind of DNSSEC-stuff into a separate issue; I'm recording it here just to draw attention to the issue.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
david/conformance-dnssec-negative-tests
prepare-0.26.1
release/0.26
query-api
opt-types
cname-nsec
no-cname-recursion
conformance-min-ttl
dname-base
drop-message-request
no-error-queries
cpu-sig0-rm-message-sig_dev
cpu-tsig-test-update_dev
windows-config
dnssec-net
release/0.25
opp-enc-persist
integration-test
cpu-tidying-recursor-opts_dev
happy-eyeballs
david/authoritative-zone-storage-trait
dnssec-ad
no-authority
release/0.24
pvdrz/remove-top-file
pvdrz/h3-handshake-timeout
pvdrz/quic-handshake-timeout
nxdomain-for-recursor
ja-test-merque-queue
ja-fix-ci-again
sz-add-ede-tests
sz-test-tc-bit-with-large-response
sz-fix-tokio-dependency
gh-2275-test-rrsig-signature
refactor-sign-zone-file
fix-1.79-cleanliness
update-nightly-hash
release/0.23
gh-pages
use-just-for-server-toml
release/0.22
revert-1874-cpu-zone-parse-default-class
disable-bind-compatibility-tests
disable-test_tls_client_stream_ipv4
update-native-tls-0.2.11
recursor-tests
fix-clippy-self
release/0.20
saethlin-fix-rdata-zero
release/0.19
flat_name
drop_unused_futures
release/0.18
release-r0.12-cs0.17
release/r0.12-cs0.17
trust-dns-book
r0.10
test-connections-not-dropped
fix_exec_status_on_rs_files
release-0.9
add-mutex-to-integration-tests
0.8_release
bfry/dns-crypt
v0.26.0
v0.26.0-beta.4
v0.26.0-beta.3
v0.26.0-beta.2
v0.26.0-beta.1
v0.26.0-alpha.1
v0.25.2
v0.25.1
v0.25.0
v0.24.4
v0.24.3
v0.25.0-alpha.5
v0.24.2
v0.25.0-alpha.4
v0.25.0-alpha.3
v0.25.0-alpha.2
v0.25.0-alpha.1
v0.24.1
v0.23.2
v0.24.0
v0.23.1
v0.23.0
v0.23.0-alpha.5
v0.23.0-alpha.4
v0.23.0-alpha.3
v0.22.1
v0.23.0-alpha.2
v0.23.0-alpha.1
v0.22.0
v0.21.2
v0.21.1
v0.21.0
v0.21.0-alpha.5
v0.20.4
v0.21.0-alpha.4
v0.21.0-alpha.3
v0.21.0-alpha.2
v0.21.0-alpha.1
v0.20.3
v0.20.2
v0.20.1
v0.19.7
v0.20.0
0.19.6
v0.20.0-alpha.3
v0.20.0-alpha.2
v0.20.0-alpha.1
0.19.5
0.19.4
0.19.3
0.19.0
0.18.1
0.18
0.18.0.alpha.2
r0.12_cs0.17
r0.11.1
cs0.16.1
r0.11
cs0.16
r0.10.1
r0.10.0
cs0.15.0
r0.9.1
v0.14.0
r0.9.0
r0.8.1
r0.8.0
v0.13.0
r0.7.0
c0.12.0
r0.6.0
r0.5.0
resolver.0.4.0
0.11.0
0.10.5
0.10.4
0.10.3
0.10.2
0.10.1
0.10.0
0.9.3
0.9.2
0.9.1
0.9.0
0.8.1
0.8.0
0.7.3
0.7.2
0.7.1
0.7.0
0.6.0
0.5.3
0.5.1
0.5.0
0.4.0
0.3.1
0.3.0
0.2.1
0.2.0
0.1.0
Labels
Clear labels   
blocked

   
breaking-change

   
bug

   
bug:critical

   
bug:tests

   
cleanup

   
compliance

   
compliance

   
compliance

   
crate:all

   
crate:client

   
crate:native-tls

   
crate:proto

   
crate:recursor

   
crate:resolver

   
crate:resolver

   
crate:rustls

   
crate:server

   
crate:util

   
dependencies

   
docs

   
duplicate

   
easy

   
easy

   
enhance

   
enhance

   
enhance

   
feature:dns-over-https

   
feature:dns-over-quic

   
feature:dns-over-tls

   
feature:dnsssec

   
feature:global_lb

   
feature:mdns

   
feature:tsig

   
features:edns

   
has workaround

   
ops

   
perf

   
platform:WASM

   
platform:android

   
platform:fuchsia

   
platform:linux

   
platform:macos

   
platform:windows

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
test

   
tools

   
tools

   
trust

   
unclear

   
wontfix
No labels
blocked
breaking-change
bug
bug:critical
bug:tests
cleanup
compliance
compliance
compliance
crate:all
crate:client
crate:native-tls
crate:proto
crate:recursor
crate:resolver
crate:resolver
crate:rustls
crate:server
crate:util
dependencies
docs
duplicate
easy
easy
enhance
enhance
enhance
feature:dns-over-https
feature:dns-over-quic
feature:dns-over-tls
feature:dnsssec
feature:global_lb
feature:mdns
feature:tsig
features:edns
has workaround
ops
perf
platform:WASM
platform:android
platform:fuchsia
platform:linux
platform:macos
platform:windows
pull-request
question
test
tools
tools
trust
unclear
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/hickory-dns#347
No description provided.