| 24 Jun 2025 |
 emily | I was on a Pixel 3 last yearβ¦ π€ͺ | 13:04:13 |
| emily | that's annoying though | 13:04:29 |
| emily | I thought Android was pretty good at v6 at this point | 13:04:40 |
| emily | is it specifically that it forgets it's v6-only? | 13:04:49 |
 hexa | it drops multicast/broadcast frames while asleep | 13:05:14 |
| hexa | so dhcp renewals work, but ndp breaks | 13:05:38 |
| emily | my hope is that I can tier things like v6 only and CLAT expected β v6 only and DNS64 server advertised β dual stack | 13:05:49 |
| hexa | https://mailarchive.ietf.org/arch/msg/ipv6/QgHnYoT8-ur4epJHUNflrsh7sA4/ | 13:05:54 |
| emily | and hopefully delay introducing the latter two as long as possible | 13:05:55 |
| hexa |
NOTE: some good access points do b/mcast to unicast conversion, and
send everything as unicast. This is much more common in enterprise
wifi gear. This solves the mcast loss problem entirely.
| 13:06:02 |
| hexa | π€ | 13:06:07 |
| emily | (well, "CLAT or local DNS64 expected") | 13:06:23 |
| emily | (in some ways the latter is nicer if you can get away with it since you can get rid of kernel v4 stack) | 13:06:35 |
| hexa | lol multicast_to_unicast in hostapd | 13:06:57 |
| emily | (but I do not love non-local DNS64 because I still hold on to childish delusions about the end-to-end principle and DNSSEC) | 13:07:00 |
| hexa | dns64 is dead | 13:07:09 |
| hexa | 464xlat or else | 13:07:14 |
| hexa | let me enable that and report back π | 13:07:39 |
| emily | "dead" seems a bit strong :) | 13:07:48 |
| hexa | as a standard it is π | 13:08:07 |
| hexa | in the lineage of ipv6 transition mechanisms | 13:08:18 |
| emily | I don't think so? ipv6only.arpa was soft-deprecated | 13:08:23 |
| emily | but that's just a discovery mechanism | 13:08:27 |
| emily | if you do DNS64 locally, you still get end-to-end DNSSEC validation, and your kernel does not need a v4 stack at all, which is nice in terms of attack service and complexity | 13:08:41 |
| emily | but of course it breaks socket APIs | 13:08:45 |
| hexa | if your client validates dnssec that breaks | 13:09:08 |
| emily | no, because the client that validates DNSSEC is the one doing the DNS64 | 13:09:40 |
| emily | i.e. you get your local resolver to do the DNS64, after validation | 13:09:47 |
| emily | or do you mean non-DNS-resolver applications directly doing recursive DNSSEC validation on results from a local resolver? do those exist? | 13:10:13 |
| hexa | then you also need to dnat dns requests to your resolver π€ͺ | 13:10:21 |
