Bugger! And what to do then when the user loses control over what they're 
using... i.e. the shift of DNS out of the local admin's (and even the OS's) control 
and directly into the apps, via DoH and QUIC ([1]).

What a dog's breakfast :(

Pete

[1] https://youtu.be/4xGxotBk8AM?t=8727


> On 6/02/2020, at 6:28 PM, Mark Andrews <ma...@isc.org> wrote:
> 
> Telstra need to be at least intercepting queries for ipv4only.arpa/AAAA to 
> allow CLATs to discover the NAT64 prefix.
> 
> Note that doesn’t work if you are using DoH, DoT, TSIG or any other 
> cryptographic mechanism to protect your DNS queries.  It also doesn’t work if 
> you are using DNSSEC to verify the answers as IANA decided to sign 
> ipv4only.arpa.
> 
>> On 6 Feb 2020, at 16:03, Peter Tonoli <peter+aus...@metaverse.org> wrote:
>> Is there a higher chance of brokenness when users choose to use other DNS 
>> services (i.e. Cloudflare / DoH), apart from Telstra, due to the lack of WKP 
>> in the response from those providers?
>> 
>> On 6/2/20 3:27 pm, Russell Langton wrote:
>>> - If Alice is connecting to a website with only an A DNS record, our DNS 
>>> will spoof the website address with a Well Known Prefix (WKP) so it routes 
>>> to the NAT64 gateway 

_______________________________________________
AusNOG mailing list
AusNOG@lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog
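
An added illustration of the mechanism discussed in this thread (not code from any of the posters or from Telstra): DNS64 synthesis of an AAAA from an A record, and the ipv4only.arpa prefix discovery a CLAT performs, which returns nothing when the resolver in use does no DNS64. It assumes /96 prefixes only, and all sample answers are constructed.

```python
import ipaddress

# ipv4only.arpa has exactly these two well-known A records (RFC 7050).
WELL_KNOWN_V4 = {ipaddress.IPv4Address("192.0.0.170"),
                 ipaddress.IPv4Address("192.0.0.171")}
WKP = ipaddress.IPv6Network("64:ff9b::/96")  # Well-Known Prefix (RFC 6052)


def synthesize(prefix, v4):
    """DNS64 synthesis for a /96 prefix: IPv4 address in the low 32 bits."""
    if prefix.prefixlen != 96:
        raise ValueError("this example handles /96 prefixes only")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def discover_prefixes(aaaa_answers):
    """Given AAAA answers for ipv4only.arpa, return the NAT64 /96 prefixes.

    An answer counts only if its low 32 bits are one of the well-known
    IPv4 addresses, i.e. it really was synthesized by a DNS64 resolver.
    """
    found = set()
    for text in aaaa_answers:
        addr = int(ipaddress.IPv6Address(text))
        if ipaddress.IPv4Address(addr & 0xFFFFFFFF) in WELL_KNOWN_V4:
            found.add(ipaddress.IPv6Network(((addr >> 32) << 32, 96)))
    return sorted(found)


# Constructed answers: what a DNS64 resolver using the WKP would return.
DNS64_ANSWERS = [str(synthesize(WKP, a)) for a in sorted(WELL_KNOWN_V4)]
# Constructed answers: a DNS64 resolver using a network-specific prefix.
NSP_ANSWERS = ["2001:db8:64::c000:aa", "2001:db8:64::c000:ab"]
# Constructed answers: a resolver without DNS64 has no AAAA to return.
PLAIN_ANSWERS = []

if __name__ == "__main__":
    print("A-only site 192.0.2.1 ->", synthesize(WKP, ipaddress.IPv4Address("192.0.2.1")))
    for label, answers in [("DNS64 (WKP)", DNS64_ANSWERS),
                           ("DNS64 (NSP)", NSP_ANSWERS),
                           ("no DNS64", PLAIN_ANSWERS)]:
        prefixes = discover_prefixes(answers)
        print(label, "->", prefixes or "no NAT64 prefix discovered")
```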
