| 24 Jun 2025 |
 emily | (well, "CLAT or local DNS64 expected") | 13:06:23 |
| emily | (in some ways the latter is nicer if you can get away with it since you can get rid of kernel v4 stack) | 13:06:35 |
 hexa | lol multicast_to_unicast in hostapd | 13:06:57 |
| emily | (but I do not love non-local DNS64 because I still hold on to childish delusions about the end-to-end principle and DNSSEC) | 13:07:00 |
| hexa | dns64 is dead | 13:07:09 |
| hexa | 464xlat or else | 13:07:14 |
| hexa | let me enable that and report back ð | 13:07:39 |
| emily | "dead" seems a bit strong :) | 13:07:48 |
| hexa | as a standard it is ð | 13:08:07 |
| hexa | in the lineage of ipv6 transition mechanisms | 13:08:18 |
| emily | I don't think so? ipv6only.arpa was soft-deprecated | 13:08:23 |
| emily | but that's just a discovery mechanism | 13:08:27 |
| emily | if you do DNS64 locally, you still get end-to-end DNSSEC validation, and your kernel does not need a v4 stack at all, which is nice in terms of attack service and complexity | 13:08:41 |
| emily | but of course it breaks socket APIs | 13:08:45 |
| hexa | if your client validates dnssec that breaks | 13:09:08 |
| emily | no, because the client that validates DNSSEC is the one doing the DNS64 | 13:09:40 |
| emily | i.e. you get your local resolver to do the DNS64, after validation | 13:09:47 |
| emily | or do you mean non-DNS-resolver applications directly doing recursive DNSSEC validation on results from a local resolver? do those exist? | 13:10:13 |
| hexa | then you also need to dnat dns requests to your resolver ðĪŠ | 13:10:21 |
| emily | I've only seen the setup where you run a loopback resolver and downstream applications trust the bit | 13:10:26 |
| hexa | resolvers can use local and recursive options opportunistically | 13:10:57 |
| emily | well I am assuming you have an outside resolver you can access over v6 here rather than doing full local recursive resolution yeah | 13:11:12 |
| emily | (but still doing the DNSSEC validation queries) | 13:11:27 |
| hexa | I would really just stop doing DNS64 altogether | 13:11:59 |
| emily | as in the setup "local resolver that validates DNSSEC and rewrites to DNS64 âv6 DoH3â recursive resolver" | 13:12:06 |
| emily | sure. but then you have to "start" doing kernel v4 stack | 13:12:22 |
| hexa | and I would also not switch off ipv4 from one day to anotherr | 13:12:27 |
| emily | which does negate some of the security/complexity advantages of v6 | 13:12:34 |
| emily | even if the packets never leave the machine | 13:12:47 |
| emily | anyway for desktop machines I would just do CLAT because ping 8.8.8.8 not working is too annoying and random software has dumb expectations | 13:13:28 |
