| 24 Jun 2025 |
emily | I've only seen the setup where you run a loopback resolver and downstream applications trust the bit | 13:10:26 |
hexa | resolvers can use local and recursive options opportunistically | 13:10:57 |
emily | well I am assuming you have an outside resolver you can access over v6 here rather than doing full local recursive resolution yeah | 13:11:12 |
emily | (but still doing the DNSSEC validation queries) | 13:11:27 |
hexa | I would really just stop doing DNS64 altogether | 13:11:59 |
emily | as in the setup "local resolver that validates DNSSEC and rewrites to DNS64 →v6 DoH3→ recursive resolver" | 13:12:06 |
emily | sure. but then you have to "start" doing kernel v4 stack | 13:12:22 |
hexa | and I would also not switch off ipv4 from one day to another | 13:12:27 |
emily | which does negate some of the security/complexity advantages of v6 | 13:12:34 |
emily | even if the packets never leave the machine | 13:12:47 |
emily | anyway for desktop machines I would just do CLAT because ping 8.8.8.8 not working is too annoying and random software has dumb expectations | 13:13:28 |
emily | but for servers I think local DNS64 can make sense | 13:13:42 |
emily | since you can eliminate the v4 stack entirely | 13:13:53 |
hexa | I would start by trying v6-only-preferred and pref64 | 13:13:55 |
hexa | and figure out what breaks | 13:14:03 |
emily | which is after all the goal | 13:14:03 |
hexa | because sure enough a linux today will respect v6-only-preferred, not acquire an ipv4 address and not set up a translator | 13:14:28 |
emily | pretty sure I don't have any clients that require actual dual stack thankfully | 13:14:31 |
emily | (but I am sure that will tragically change at some point) | 13:14:42 |
hexa | https://git.darmstadt.ccc.de/mrmcd/infra/nixos-config/-/commit/376c9759a87362077ad6534c4823821150e3d06d | 13:14:56 |
emily | so I think I can skip v6-mostly for now | 13:15:01 |
hexa | we did that for an event and it broke SIP 😄 | 13:15:05 |
emily | I think networkd fixed that bug thankfully fwiw | 13:15:18 |
hexa | yeah, but networkmanager? | 13:15:27 |
hexa | dhcpcd? | 13:15:29 |
hexa | not too sure | 13:15:34 |
emily | actually I'm getting deja vu so maybe we talked about this before :) | 13:15:35 |
emily | does NM do it too? silly | 13:15:43 |
hexa | probably some version did 🙂 | 13:15:54 |
emily | it's a total misreading of the RFC to respect that flag without setting up CLAT | 13:15:55 |