Hey Mark,
we have deployed the dns64 settings some years ago and I did not notice
the settings at the time - but it seems their combination looks exactly
like what we were looking for.

Thanks a lot for the pointer!

Best regards,

Nico

Mark Andrews <ma...@isc.org> writes:

> Have you actually played with dns64 settings?
>
> dns64 <netprefix> {
>     break-dnssec <boolean>;
>     clients { <address_match_element>; ... };
>     exclude { <address_match_element>; ... };
>     mapped { <address_match_element>; ... };
>     recursive-only <boolean>;
>     suffix <ipv6_address>;
> }; // may occur multiple times
>
>> On 19 Feb 2021, at 06:39, Nico Schottelius <nico.schottel...@ungleich.ch> wrote:
>>
>> Good morning everyone,
>>
>> we have a peculiar request to solve and were wondering whether it is at
>> all possible with bind:
>>
>> a)
>> For a certain source range, let's say 2001:db8::/96, we want to *only*
>> reply with generated DNS64 entries - i.e. we want bind to only reply
>> with mapped IPv4 addresses, NOT with proper AAAA entries, if they exist.
>
> dns64 <netprefix> { clients { acl; }; exclude { ::/0; }; };
>
>> b)
>> For a different source range, let's say 2001:db:1::/64, we want to reply
>> only with *proper* IPv6 AAAA entries, i.e. disable DNS64 for them.
>
> dns64 <netprefix> { clients { !prefix; any; }; };
>
>> c) (optional)
>>
>> In the best case, we would even like to remove A replies from the
>> results, in case a misconfigured client requests A records.
>
> Then you break the ability of those clients to do their own DNS64 mappings
> which is required when they are doing DNSSEC themselves.
>
>> Background for this is that we have clients in specific networks, which
>> are mapped via SIIT to IPv4 addresses. These clients should never
>> connect to an IPv6 address (besides they actually do...) after
>> translation. And the clients in the other network should behave the
>> opposite, they should *only* connect to IPv6 hosts.
>>
>> However, both client networks are IPv6 only, as there is no IPv4 link
>> into these networks, so we are dealing with NAT64/SIIT. And
>> unfortunately we don't have a lot of control over the client behaviour,
>> whether they will ask for A/AAAA entries, so we will need to steer them
>> on the DNS side.
>>
>> Looking forward to your replies.
>>
>> Best regards,
>>
>> Nico
>>
>> --
>> Sustainable, Modern Infrastructures by ungleich.ch
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> ISC funds the development of this software with paid support subscriptions.
>> Contact us at https://www.isc.org/contact/ for more information.
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users

--
Sustainable and modern Infrastructures by ungleich.ch
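
A simplified model of why the `clients` and `exclude` lists in the thread give the requested split, added here as an illustration; it is not code from BIND or from either poster. It follows the exclusion rule of RFC 6147 section 5.1.4 and the /96 embedding of RFC 6052; the prefix `64:ff9b::/96` standing in for `<netprefix>`, the sample records and all function names are assumptions, and `mapped`, `suffix`, `recursive-only` and `break-dnssec` are not modelled.

```python
import ipaddress

def in_acl(addr, acl):
    """BIND-style first-match list: '!' negates an element, 'any' matches all."""
    ip = ipaddress.ip_address(addr)
    for elem in acl:
        negate, net = elem.startswith("!"), elem.lstrip("!")
        if net == "any" or ip in ipaddress.ip_network(net):
            return not negate
    return False

def synthesize(prefix, v4):
    """RFC 6052 /96 embedding: the IPv4 address fills the low 32 bits."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("this sketch only handles /96 prefixes")
    low32 = int(ipaddress.IPv4Address(v4))
    return str(ipaddress.IPv6Address(int(net.network_address) | low32))

def answer_aaaa(client, aaaa, a, prefix, clients, exclude):
    """AAAA answer for `client` under one dns64 block (RFC 6147 sec. 5.1.4 model)."""
    if not in_acl(client, clients):
        return list(aaaa)                      # block does not apply: real AAAA only
    kept = [r for r in aaaa if not in_acl(r, exclude)]
    if kept:
        return kept                            # a non-excluded AAAA wins over synthesis
    return [synthesize(prefix, r) for r in a]  # all AAAA excluded (or none): map A records

# Constructed sample data; 64:ff9b::/96 stands in for <netprefix> (assumption).
PREFIX = "64:ff9b::/96"
SIIT_CLIENT, V6_CLIENT = "2001:db8::10", "2001:db:1::10"  # inside the thread's two ranges
AAAA, A = ["2001:db8:ffff::1"], ["192.0.2.1"]

if __name__ == "__main__":
    cases = [
        ("a) clients{acl} exclude{::/0}", SIIT_CLIENT, ["::/0"]),
        ("same block, other range      ", V6_CLIENT, ["::/0"]),
        ("default exclude, for contrast", SIIT_CLIENT, ["::ffff:0.0.0.0/96"]),
    ]
    for label, client, exclude in cases:
        result = answer_aaaa(client, AAAA, A, PREFIX, ["2001:db8::/96"], exclude)
        print(label, "->", result)
```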