[Unbound-users] DNS64 patch for Unbound
lst_hoe02 at kwsoft.de
lst_hoe02 at kwsoft.de
Mon Jun 30 14:50:56 CEST 2014
Zitat von "W.C.A. Wijngaards" <wouter at nlnetlabs.nl>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Hi Bjoern,
> On 06/29/2014 11:21 PM, Bjoern A. Zeeb wrote:
>> a few years back Viagenie developed a DNS64 patch  for
>> unbound. In the last couple of years I maintained it and forward
>> ported it privately. Lately, with FreeBSD temporarily shipping
>> unbound in base, people have asked for that patch and I ended up
>> putting it into a user branch  and updated it again for a new
>> version . I (or anyone) can easily extract an up-to-date patch
>> and a large junk of that is mainly the regeneration of files from
>> However I am now facing the question: is upstream willing to fully
>> integrate this change or should I just drop it into FreeBSD base?
>> I’d be happy to work with you guys on this. Just let me know.
> Yes, we would be happy to integrate this.
> Previously, we had spoken (very cordially, at the IETF, even though
> the main author had had a soccer-related injury) with the folks from
> Viagenie. Both NAT64 was not very important and also the license for
> the contribution needed to be sorted out. These things seem to have
> changed (or I might remember our conversation about the license
> wrongly). I see the patch has a very comfortable BSD license.
> Is NAT64 considered this important? We would be happy to incorporate
> the patch if this is considered useful to many users. NAT64 for DNS
> does involve allowing others to inject new addresses in a new netblock
> for arbitrary names, and as such carries a little bit of security
> considerations. So, I would hesitate to enable this by default. But
> the option could certainly be useful, as we would like to help the
> IPv4 to IPv6 transition. What do other users think about this?
I doubt this is easy useable with DNSSEC as DNS records are created
on-the-fly, no? I also don't like the idea of yet another workaround
to delay the switch-over, after all we already have
dual-stack(protocol) for the next decade i suspect.
> (if they can receive the email...)
Of course, SPF is evil and we therefore don't use it at all ;-)
More information about the Unbound-users