Internet DRAFT - draft-hunek-v6ops-nat64-srv
draft-hunek-v6ops-nat64-srv
IPv6 Operations M. Hunek
Internet-Draft Technical University of Liberec
Intended status: Standards Track 14 June 2023
Expires: 16 December 2023
NAT64/DNS64 detection via SRV Records
draft-hunek-v6ops-nat64-srv-05
Abstract
This document specifies how to discover the NAT64 pools and DNS
servers providing DNS64 service to the local Nodes. The discovery
made via SRV records allows the assignment of priorities to the NAT64
pools and DNS64 servers. It also allows Nodes to have different DNS
providers than NAT64 providers while providing a secure way via
DNSSEC validation of provided SRV records. This way, it allows
providing the NAT64/DNS64 services regardless of DNS operator and DNS
transport protocol.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 16 December 2023.
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
Hunek Expires 16 December 2023 [Page 1]
�
Internet-Draft NAT64 SRV June 2023
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Problems with Current Solutions . . . . . . . . . . . . . . . 4
3.1. DNS-based method . . . . . . . . . . . . . . . . . . . . 4
3.2. Methods based on other protocols . . . . . . . . . . . . 5
4. Local domain detection . . . . . . . . . . . . . . . . . . . 6
5. NAT64 service SRV record . . . . . . . . . . . . . . . . . . 7
6. DNS64 service SRV record . . . . . . . . . . . . . . . . . . 8
7. Node Behavior . . . . . . . . . . . . . . . . . . . . . . . . 8
7.1. Interaction with other methods . . . . . . . . . . . . . 9
8. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
8.1. Example of negative records . . . . . . . . . . . . . . . 14
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
10. Security Considerations . . . . . . . . . . . . . . . . . . . 15
11. Normative References . . . . . . . . . . . . . . . . . . . . 15
12. Informative References . . . . . . . . . . . . . . . . . . . 16
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 17
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 17
1. Introduction
The slower-than-expected adoption of IPv6 resulted in the need for
reliable transition mechanisms to shut down legacy protocols in the
early adopters' network without waiting for latecomers. Transition
mechanisms like NAT64/DNS64 or 464XLAT [RFC6877] are essential in the
transition between dual-stack networks and IPv6-only networks while
not sacrificing the accessibility of the IPv4-only services. It is
essential for these transition mechanisms to reliably and securely
detect prefixes used for translation. Failing to do so, the
IPv4-only services would not be accessible, or the traffic for these
services could be kidnapped.
Hunek Expires 16 December 2023 [Page 2]
�
Internet-Draft NAT64 SRV June 2023
There are multiple solutions for detecting NAT64 prefixes, but none
of those are without problems and can fit different applications'
needs. This document describes a new DNS-based method that could
replace the method standardized by [RFC7050] and lately updated by
[RFC8880], as this detection method is incompatible with DNSSEC and
does have unrealistic prerequisites.
This document is not proposing where the DNS64 synthesis should take
place. It only provides a secure way to transmit information about
Pref64::/n and inform a Node about the DNS recursive resolvers
providing the DNS64 service. A Node can use such information to
perform DNS64 synthesis locally, set up the CLAT portion of the
464XLAT [RFC6877], or redirect DNS queries for non-existing AAAA
records to the resolver providing the DNS64 service.
1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. Terminology
CLAT: Customer-side translator as defined in [RFC6877].
Node: Either physical device or an application capable of performing
DNS queries.
NAT64 FQDN: a fully qualified domain name (FQDN) for a NAT64 protocol
translator.
Pref64::/n: a IPv6 prefix used for IPv6 address synthesis [RFC6146].
Pref64::WKA: an IPv6 address consisting of Pref64::/n and WKA at any
of the locations allowed by RFC 6052 [RFC6052].
Secure Channel: a communication channel a Node has between itself and
a DNS64 server protecting DNS protocol-related messages from
interception and tampering. The Channel can be, for example, IPsec-
based virtual private network (VPN) tunnel or a link-layer utilizing
data encryption technologies.
Well-Known IPv4 Address (WKA): an IPv4 address that is well-known and
present in an A record for the well-known name as defined in
[RFC7050].
Hunek Expires 16 December 2023 [Page 3]
�
Internet-Draft NAT64 SRV June 2023
3. Problems with Current Solutions
For means of comparison, current solutions are split into two groups.
The first one is the DNS-based solutions and the second one are
solutions based on other protocols.
3.1. DNS-based method
The DNS based method is represented by the current method of
[RFC7050] updated by the [RFC8880]. This method uses the Well-Known
Name 'ipv4only.arpa.' with only an A record to detect DNS64 service.
As this method depends on a specific DNS64 capable resolver with a
specific Pref64::/n, a Node has to use the resolver provided by the
NAT64 service provider - at least for the Pref64::/n detection.
Furthermore, information about the Pref64::/n in use is distributed
only locally, so the third-party resolvers have no information about
it, so they cannot provide DNS64 service for them.
With the introduction of the DNS-over-HTTPS (DoH) [RFC8484], the
introduction of the third-party resolver made the [RFC7050] unusable
for Nodes using DoH. There is a quick fix provided by the [RFC8880]
that the Well-Known name should be treated differently - resolved by
autoconfigured resolver on a specific outbound interface only.
However, this would mean that the application/system stub resolver
has to keep track of the source of configured DNS resolvers, which
may be an unrealistic expectation.
Another design property of the [RFC7050] is its incompatibility with
the DNSSEC. In order for [RFC7050] to work, the DNSSEC has to be
turned off, and even the detection phase of this method could not use
it to verify the provided information. As the network operator does
not own the 'arpa.' domain, it cannot properly sign the AAAA record
for the Well-Known Name. Because of it, the first step of the
Pref64::/n detection is always insecure.
A Node can still do the DNS64 synthesis locally and verify the A
records by the DNSSEC, but it is performing the synthesis based on
information obtained via the insecure method ([RFC7050]/[RFC8880]) -
the Pref64::/n is not and cannot be secured by the DNSSEC.
In order for [RFC7050] method to be secure, this method requires
these prerequisites:
* DNSSEC signed NAT64 FQDN
* Corresponding PTR
* Secure Channel between Node and resolver
Hunek Expires 16 December 2023 [Page 4]
�
Internet-Draft NAT64 SRV June 2023
* Trusted domain list
* No user input
The [RFC8880] adds another set of prerequisites:
* Stub resolver must distinguish between configuration sources of
recursive DNS
* Only autoconfiguration sources can provide recursive DNS to
resolve Well-Known Name
* Recursive DNS resolver is interface specific
Some of these listed prerequisites cannot be achieved in certain
networks without prior provisioning of the Node. This includes
recommended secure channel between a Node and DNS64 recursive
resolver on shared network segments and the Trusted Domain List
mandatory requirement that implicitly cannot be entered by a user.
As not every Node is provisioned by a network operator, especially in
smaller networks, and the generation process of the Trusted Domain
List is not defined. The implementations of the [RFC7050] seems to
ignore this requirement. However, without it, these implementations
are insecure. This is due to the fact that the path between a Node
and a resolver cannot be secured by the DNSSEC, and without Trusted
Domain List, any arbitrary data can be injected into a Node
configuration.
Requirements of the [RFC8880] are also hard to implement strictly
according to the standard. When the user-space application vendor
that implements its own stub resolver would like to implement
[RFC8880], it would require access to the information about network
configuration to keep track of which recursive DNS server has been
received from which interface and from which protocol. Presenting
such information to the user-space is not typical and requires
system-level changes. Furthermore, when strictly following the
[RFC8880], the network cannot use static configuration to have NAT64
functionality autoconfigured from the DNS.
3.2. Methods based on other protocols
There are other solutions for detecting Pref64::/n based on various
protocols. Namely [RFC7225], [RFC8115] and [RFC8781]. Regardless of
the protocol used, these solutions have some common properties that
limit their user-space use. If an application vendor would like to
implement any of these methods, it would need to include a client
implementation of an underlying protocol, or the system would need to
provide an interface to obtain Pref64::/n detected by these methods
Hunek Expires 16 December 2023 [Page 5]
�
Internet-Draft NAT64 SRV June 2023
to the user-space application. This is much harder than making a DNS
query inside an application.
Another common property of these methods is an expectation of local
DNS64 synthesis or CLAT presence on a Node. This may be the case for
some Nodes, but others may depend on this functionality from the
DNS64 resolver. For such Nodes, the DNS-based detection mechanism
could be the preferred solution.
It is fair to say that these methods are viable solutions for system-
level Pref64::/n detection - implementations of a system DNS stub
resolver or CLAT daemon. These methods are not so easy to implement
for user-space applications and daemons that are not so tightly
integrated into an operating system.
4. Local domain detection
The Node should perform detection of the domain used by the network
operator. A Node MAY use any source of such information, but a Node
implementing the method described in this document MUST be able to
use the PTR record for Node's unicast address as one of such source.
A network operator that uses the method described in this document to
distribute NAT64 configuration to Nodes connected to its network MUST
provide a PTR record for every IPv6 address handed to the Node. The
PTR record MUST have a valid DNSSEC signature and MUST point to a
securely delegated zone with DNSSEC signed NAT64 SRV record. The SRV
record itself MUST point to DNSSEC signed AAAA record, and MAY also
point to DNSSEC signed A record.
Both Node and a network operator MAY use other sources of information
about a local domain. If they decide to do so, the channel to
provide such information MUST be secured against undetected data
manipulation, as these sources may not provide the same level of
security as the DNSSEC signed PTR record.
Other sources of information about local domain MAY include (but are
not limited to):
* Node's FQDN
* Router Advertisement DNSSL option [RFC8106]
* DHCPv6 options: 57, 24, 39, 74 or 118
At least when detection of the local domain is done by the PTR
record, a Node MUST consider not only its FQDN as the detected local
domain. When there is no SRV record associated with the detected
Hunek Expires 16 December 2023 [Page 6]
�
Internet-Draft NAT64 SRV June 2023
domain name, a Node MUST disregard the lowest level domain (part of
the domain name until the first dot) and repeat the detection
process. This MUST be repeated until there is an SRV record
associated with the domain name (even the empty "." one) or until the
top-level domain for the respective FQDN is reached. This might be
the second-level domain, but it can also be the third-level.
Implementers MAY use tools like the Mozilla public suffix list
([PubSuffix]) to achieve that. The same process MAY be deployed for
other domain detection sources as well.
If a Node has more than one global IPv6 address, it MUST run PTR
resolution for every address with a stable suffix. If a Node uses
temporary address suffixes, a Node SHOULD perform just one PTR
resolution for every network prefix. If a Node is using both stable
suffixes and temporary suffixes in a single network prefix, only the
stable ones MUST be used for PTR resolution.
5. NAT64 service SRV record
This document specifies two new well-known SRV records. The Node
MUST implement the one for Pref64::/n:
_nat64._ipv6.Name TTL Class SRV Priority Weight Port Target
The TTL, Class, Priority, and Weight follow the same scheme as
defined in [RFC2782] and have their standard meaning. The service
name follows the naming convention defined in [RFC6763].
Port: IPv6, as the L3 protocol, does not use port numbers. Because
of that, this field SHOULD be either set to zero or MAY be used to
indicate the network prefix length in both IPv6 and IPv4 used for
NAT64. In such a case, the port 16b integer MUST be constructed by
directly appending the IPv4 pool prefix length after the IPv6 prefix
length decimally. Usually, this would mean 9632, stating that the
IPv6 prefix with a length of /96 is translated into a single IPv4
address (/32).
Target: MUST point to AAAA record formed from Pref64::/n prefix and
WKA same way as in [RFC7050] (Pref64::WKA). The target MAY also
points to A record, where it SHOULD point to the IPv4 address used
for NAT64 (or base address of the NAT64 IPv4 prefix). A network
operator MAY indicate to Node that NAT64 service is not provided by
putting root domain target (".") into the SRV record. The Port field
value MUST be set to zero for such a record, and Node MUST stop
further Pref64::/n detection for a given domain.
Hunek Expires 16 December 2023 [Page 7]
�
Internet-Draft NAT64 SRV June 2023
Note: The target MAY also point to AAAA record of Any-Source
Multicast prefix or Source-Specific Multicast prefix, similarly to
[RFC8115] this MAY be used to indicate a Node prefix used for
multicast translation. For this reason, a Node MUST check address
type before its use. One SRV record MUST NOT combine unicast and
multicast targets, and in the case of a multicast target, the Port
field value MUST be set to a value of 9600, and A record target MUST
be ignored by a Node.
6. DNS64 service SRV record
The second SRV record is for the discovery of the DNS64 service.
Support of this record is OPTIONAL, but Node SHOULD implement it.
_dns64.Protocol.Name TTL Class SRV Priority Weight Port Target
Record informs about location of DNS64 service. This record might be
used if the network operator does not want to deploy DNS64 in their
main DNS infrastructure. A DNS64 SRV record follows the rules
specified by [RFC2782] and does not modify the meaning of any field.
Server provided by this record SHOULD only be used for domain names
which have returned NODATA for AAAA record and for A record queries
when a Node is not performing DNS64 function and is not using CLAT.
7. Node Behavior
In the initial stage of the Node connected to the network - after the
Node is configured with an IP address; the Node MUST get local
domains used in the network. The method of obtaining such
information is described in the section Local domain detection. When
no local domain can be discovered, the Node SHOULD continue NAT64/
DNS64 detection by other means.
After the list of local domains has been established, the Node MUST
query for a NAT64 SRV record for every domain in the list. The
result of such queries SHOULD be ordered by following the rules of
[RFC2782]. When multiple records have equal values of both priority
and weight, the records SHOULD maintain the same order as its domain
in the discovered domain list.
Hunek Expires 16 December 2023 [Page 8]
�
Internet-Draft NAT64 SRV June 2023
If a Node is not configured to perform DNS64 address synthesis and is
not using CLAT, it SHOULD perform a query for DNS64 SRV record for
every discovered domain with NAT64 SRV record. If such a record is
obtained, the Node SHOULD use preferred target of DNS64 SRV record to
query for FQDNs without AAAA record - when Node received NODATA
response for its query. Similarly, such Node SHOULD prefer target of
DNS64 SRV record for any A record query (like caused by Happy Eye-
Balls).
If the Node can validate DNS records via DNSSEC, the Node MUST
perform validation of NAT64/DNS64 SRV record. The default behavior
of Node SHOULD be to ignore any NAT64/DNS64 SRV records which cannot
be validated or did not pass the validation.
Any information received from DNS MUST respect TTL of received
records. The Node MUST perform a new detection before currently used
information expires. This also applies to information received from
other sources that include expiration.
7.1. Interaction with other methods
Proposed method does not aim to replace all other Pref64::/n
detection methods. In fact, it should be the network operator who
should decide which detection method should be used in the network
and which should have a preference. One advantage of using SRV
records for NAT64 detection is their Priority and Weight fields that
allows to communicate such preference to a Node.
In accordance with the latest detection method the [RFC8781], other
detection method should be treated equally to SRV method with
following Priority and Weight fields:
+---------+----------+--------+
| Method | Priority | Weight |
+---------+----------+--------+
| RFC8115 | 100 | 0 |
+---------+----------+--------+
| RFC7225 | 150 | 0 |
+---------+----------+--------+
| RFC8781 | 200 | 0 |
+---------+----------+--------+
| RFC7050 | 250 | 0 |
+---------+----------+--------+
Table 1: Default priorities
of other methods
Hunek Expires 16 December 2023 [Page 9]
�
Internet-Draft NAT64 SRV June 2023
If a network operator prefers another method than the SRV method and
wants to provide the SRV method as a fallback, it should set the
priority field of the NAT64 SRV record to a higher value than
specified for a method that should be used as a primary. For
example, when a network operator uses Router Advertisement to
distribute Pref64::/n information to its network and also wants to
use the SRV method as a fallback; it should set Priority field to
number higher than 200.
It is RECOMMENDED that network operators SHOULD NOT use values higher
than 249 in the Priority field of the NAT64 SRV record unless they
want to use [RFC7050] as a primary source of Pref64::/n
configuration, and they have all Nodes connected in their network
properly configured for this. In order for this configuration to be
safe, the Nodes MUST follow all the mandatory and optional
requirements of both [RFC7050] and [RFC8880]. Otherwise, the
[RFC7050] SHOULD NOT be used as a primary configuration source.
Default priority values on Node SHOULD be user-configurable.
A Node MAY start the NAT64 detection process by performing the SRV
method. If it is successful and the SRV record Priority field value
is lower than configured values for other methods, the Node MUST NOT
use other detection methods (or utilize information received by
them). If the Priority value is higher than configured Priority
value of any other methods, the Node SHOULD also perform detection
methods with the lower priority values. Detection SHOULD be done
starting from the lowest configured Priority value to the highest.
The successful completion of any detection method MUST stop further
detection.
Similarly, the DNS64 function of the recursive resolver in use SHOULD
be treated equally to the DNS64 SRV record with the Priority field
value of 250. If the Node supports the DNS64 SRV record, Node is not
performing DNS64 function, it is not using CLAT and the DNS64 SRV
record has a lower Priority field value; the A record queries MUST be
sent to the target of such SRV record instead of Node's default
recursive resolver.
If the network configuration time for NAT64 is more important than
prefix stability, a Node MAY perform other detection methods
simultaneously with this SRV method. When a Node receives Pref64::/n
by method with a higher priority (lower Priority field value), a Node
MUST respect the method Priority field, and it MUST stop using
configuration information received by a method with a lower priority
(a higher Priority field value). However, by doing so, it can
resolve several NAT64 prefix configuration changes as methods with
higher priorities would override those with lower ones. This may
Hunek Expires 16 December 2023 [Page 10]
�
Internet-Draft NAT64 SRV June 2023
result in several prefixes being used in a short time. For this
reason, it is NOT RECOMMENDED to act upon any detection method that
can be overwritten by a method with a higher priority unless the
configuration of the Pref64::/n is time-critical.
Regardless of the detection method used for DNS64 discovery, the Node
MUST NOT accept any DNS64 synthesized AAAA record outside detected
NAT64 prefixes.
8. Example
The Node is a home router connected to the ISP network in which the
NAT64/DNS64 is used, and the ISP has the following SRV records in
their zones:
* _nat64._ipv6.example.com. IN SRV 5 10 9632 nat64-pool-
1.example.com.
* nat64-pool-1.example.com. IN AAAA 2001:db8:64:ff9b:1::c000:aa
* nat64-pool-1.example.com. IN A 192.0.2.64
* _nat64._ipv6.example.com. IN SRV 10 10 9632 nat64-pool-
2.example.com.
* nat64-pool-2.example.com. IN AAAA 2001:db8:64:ff9b:2::c000:aa
* nat64-pool-2.example.com. IN A 192.0.2.164
* _nat64._ipv6.example.net. IN SRV 10 10 9624
nat64-pool.example.net.
* nat64-pool.example.net. IN AAAA 2001:db8:64:ff9b:abc::c000:aa
* nat64-pool.example.net. IN A 198.51.100.0
* _nat64._ipv6.example.invalid. IN SRV 10 10 9624
nat64-pool.example.org.
* nat64-pool.example.org. IN AAAA 2001:db8:64:ff9b:def::c000:aa
* nat64-pool.example.org. IN A 203.0.113.0
In addition, the zones "example.net" and "example.invalid" has got
DNS64 SRV records:
* _dns64._tcp.example.net. IN SRV 5 10 53 dns64.example.net.
Hunek Expires 16 December 2023 [Page 11]
�
Internet-Draft NAT64 SRV June 2023
* _dns64._udp.example.net. IN SRV 10 10 53 dns64.example.net.
* dns64.example.net. IN AAAA 2001:db8::53
* _dns64._udp.example.invalid. IN SRV 10 10 53 dns64.example.org.
* dns64.example.org. IN AAAA 2001:db8:123::53
The Node has detected the following list of domains:
1. example.net
2. example.invalid
3. example.com
4. example.org
The Node would fetch all available SRV records and their A and AAAA
counterparts and sort them in the following order:
+---------------------------+--------+----------+----------------+
| Pool | DNSSEC | Priority | Reason |
+---------------------------+--------+----------+----------------+
| nat64-pool-1.example.com. | yes | 5 | lowest |
| | | | priority field |
+---------------------------+--------+----------+----------------+
| nat64-pool.example.net. | yes | 10 | discovered |
| | | | first |
+---------------------------+--------+----------+----------------+
| nat64-pool-2.example.net. | yes | 10 | higher |
| | | | priority field |
+---------------------------+--------+----------+----------------+
| nat64-pool.example.org. | no | 10 | no valid |
| | | | DNSSEC chain |
+---------------------------+--------+----------+----------------+
Table 2: Detectected Prefixes
After sorting, the DNSSEC validating Node SHOULD graylist any record
which cannot be validated by the DNSSEC. This example would be
"nat64-pool.example.org." because it has been obtained from insecure
domain "example.invalid". Such pool SHOULD NOT be used if it is not
confirmed by other DNSSEC secured record.
Hunek Expires 16 December 2023 [Page 12]
�
Internet-Draft NAT64 SRV June 2023
If the Node can act as a recursive or caching DNS server and it is
configured to provide the DNS64 service, it MUST provide this service
using a sorted list of NAT64 pools. For such Node, the process of
the NAT64/DNS64 ends here.
However, when the Node is not capable of performing AAAA record
synthesis or it is not configured to provide DNS64 service, and it is
not using CLAT, it MUST perform detection of DNS64.
When the Node supports the DNS64 SRV record, it MUST make a sorted
list of DNS64 servers from the DNS64 SRV records. If the Priority
field of the corresponding DNS64 record is higher than 250, and when
the Node does not support the DNS64 SRV record; the Node MUST perform
DNS64 detection for specified NAT64 pool by the [RFC7050] method.
The detection, according to [RFC7050], should be done by querying for
"ipv4only.arpa". If the reply contains a pool listed in the NAT64
pool list, the corresponding entry is marked as having DNS64 provided
by recursive DNS.
The DNS64 sorted list would look like this:
+--------------------+-------+--------+----------+----------------+
| Server | Proto | DNSSEC | Priority | Reason |
+--------------------+-------+--------+----------+----------------+
| dns64.example.net. | tcp | yes | 5 | lowest |
| | | | | priority field |
+--------------------+-------+--------+----------+----------------+
| dns64.example.net. | udp | yes | 10 | higher |
| | | | | priority field |
+--------------------+-------+--------+----------+----------------+
| dns64.example.org. | udp | no | 10 | no valid |
| | | | | DNSSEC chain |
+--------------------+-------+--------+----------+----------------+
Table 3: Detectected DNS64 Servers
Sorting is done in the same fashion as any other SRV record with the
same exception of graylisting records without a valid DNSSEC chain.
Those SHOULD NOT be used when not confirmed by DNSSEC validated
record and SHOULD be kept at the end of the list.
For example, when ISP is providing DNS64 service in their main DNS
infrastructure only for pools in the domains "example.com" and
"example.org" and the pool "nat64-pool.example.net" is used only with
corresponding DNS64 server. The final sorted list of NAT64 prefixes
used by the Node in the ISP network would be:
Hunek Expires 16 December 2023 [Page 13]
�
Internet-Draft NAT64 SRV June 2023
+---------------------------+----------+----------+----------------+
| Pool | State | Priority | Reason |
+---------------------------+----------+----------+----------------+
| nat64-pool-1.example.com. | active | 5 | lowest |
| | | | priority field |
+---------------------------+----------+----------+----------------+
| nat64-pool-2.example.net. | backup | 10 | higher |
| | | | priority field |
+---------------------------+----------+----------+----------------+
| nat64-pool.example.net. | active* | 10 | only DNS64 SRV |
| | | | capable Node |
+---------------------------+----------+----------+----------------+
| nat64-pool.example.org. | inactive | 10 | no valid |
| | | | DNSSEC chain |
+---------------------------+----------+----------+----------------+
Table 4: Used Prefixes
As the pool "nat64-pool.example.net" is used only with the server
"dns64.example.net", this would effectively make it usable only for
Nodes supporting DNS64 SRV and not running DNS64 locally or not using
CLAT. For such Nodes, this pool would have priority over others
because lower Priority field value of the DNS64 SRV record.
Now, the Node has successfully identified NAT64 pools and the DNS64
servers in the ISP infrastructure. The discovered prefixes SHOULD be
considered safe, and DNSSEC validation of answers in these prefixes,
when a remote recursive resolver does the DNS64 synthesis, it MUST be
either disabled or performed by validating only the suffix.
8.1. Example of negative records
The proposed method allows specifying negative records for the
Pref64::/n. This can be used to specify that a single Node should
not use the Pref64::/n, that the whole subdomain is not allowed to
use NAT64, that the whole domain/operator is not using NAT64, or as a
last resort indication that non-specified Nodes/subdomains are not
allowed to use NAT64. The meaning of a negative record is given by
its placement in the zone and other positive replies (pointing to a
valid AAAA record).
* _nat64._ipv6.example.com. IN SRV 5 10 0 .
* _nat64._ipv6.clients.example.com. IN SRV 5 10 9632 nat64-pool-
1.example.com.
* _nat64._ipv6.bad-host1.clients.example.com. IN SRV 5 10 0 .
Hunek Expires 16 December 2023 [Page 14]
�
Internet-Draft NAT64 SRV June 2023
* _nat64._ipv6.bad-host2.clients.example.com. IN SRV 255 10 0 .
The list shows a possible use of negative records. Every Node in the
"clients" subdomain is given a Pref64::/n provided by the "nat64-
pool-1" AAAA record, except for the "bad-host1" and "bad-host2" Nodes
that are given negative records. This indicates to those Nodes that
there is no Pref64::/n, so no NAT64 service is provided to them.
This way, an operator is able to disable the NAT64 service to
individual Nodes.
The difference between "bad-host1" and "bad-host2" is in the Priority
field. Because of that, the "bad-host1" Node MUST NOT use other
detection methods for NAT64 detection, while "bad-host2" MAY utilize
any other method.
By placing the negative answer to the root of the operator's domain,
the operator specifies that only listed Nodes or subdomains are
allowed to use NAT64. Similarly, if the operator specified a
positive record, non-listed Nodes would default to using such prefix.
Basically, this allows to form policies like allowlists and
blocklists and combine them.
9. IANA Considerations
This document proposes two services, "_nat64" and "_dns64" in Service
field of SRV RR ([RFC2782]).
10. Security Considerations
The method proposed by this document relies on security principles
based on DNSSEC and secure discovery of local domain. In order to be
secure, the network operator MUST deploy DNSSEC on at least one
domain (advertised to the Node), establish a secure channel to this
advertisement, or provide every IPv6 address given to a Node with
DNSSEC secured PTR record.
11. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782,
DOI 10.17487/RFC2782, February 2000,
<https://www.rfc-editor.org/info/rfc2782>.
Hunek Expires 16 December 2023 [Page 15]
�
Internet-Draft NAT64 SRV June 2023
[RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
NAT64: Network Address and Protocol Translation from IPv6
Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
April 2011, <https://www.rfc-editor.org/info/rfc6146>.
[RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service
Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013,
<https://www.rfc-editor.org/info/rfc6763>.
[RFC7050] Savolainen, T., Korhonen, J., and D. Wing, "Discovery of
the IPv6 Prefix Used for IPv6 Address Synthesis",
RFC 7050, DOI 10.17487/RFC7050, November 2013,
<https://www.rfc-editor.org/info/rfc7050>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
12. Informative References
[RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
DOI 10.17487/RFC6052, October 2010,
<https://www.rfc-editor.org/info/rfc6052>.
[RFC6877] Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT:
Combination of Stateful and Stateless Translation",
RFC 6877, DOI 10.17487/RFC6877, April 2013,
<https://www.rfc-editor.org/info/rfc6877>.
[RFC7225] Boucadair, M., "Discovering NAT64 IPv6 Prefixes Using the
Port Control Protocol (PCP)", RFC 7225,
DOI 10.17487/RFC7225, May 2014,
<https://www.rfc-editor.org/info/rfc7225>.
[RFC8106] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli,
"IPv6 Router Advertisement Options for DNS Configuration",
RFC 8106, DOI 10.17487/RFC8106, March 2017,
<https://www.rfc-editor.org/info/rfc8106>.
[RFC8115] Boucadair, M., Qin, J., Tsou, T., and X. Deng, "DHCPv6
Option for IPv4-Embedded Multicast and Unicast IPv6
Prefixes", RFC 8115, DOI 10.17487/RFC8115, March 2017,
<https://www.rfc-editor.org/info/rfc8115>.
[RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS
(DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018,
<https://www.rfc-editor.org/info/rfc8484>.
Hunek Expires 16 December 2023 [Page 16]
�
Internet-Draft NAT64 SRV June 2023
[RFC8781] Colitti, L. and J. Linkova, "Discovering PREF64 in Router
Advertisements", RFC 8781, DOI 10.17487/RFC8781, April
2020, <https://www.rfc-editor.org/info/rfc8781>.
[RFC8880] Cheshire, S. and D. Schinazi, "Special Use Domain Name
'ipv4only.arpa'", RFC 8880, DOI 10.17487/RFC8880, August
2020, <https://www.rfc-editor.org/info/rfc8880>.
[PubSuffix]
Mozilla, "Public Suffix List", April 2022,
<https://publicsuffix.org/>.
Acknowledgements
The author of this document would like to thank Lee Howard, Gert
Doering, Fred Baker, Philip Homburg, Mikael Abrahamsson, Jordi Palet
Martinez, Gabor Lencse, Dan Wing, Ralf Weber, Ted Lemon, David
Schinazi for their valuable comments.
Author's Address
Martin Hunek
Technical University of Liberec
Studentska 1402/2
46017 Liberec
Czechia
Email: martin.hunek@tul.cz
Hunek Expires 16 December 2023 [Page 17]
