by J-Kuhn 1206 days ago
I agree, IPv4 has its problems. That is why we transition to IPv6.

Dual Stack doesn't "solve" anything. You still run IPv4, with all the downsides; in particular, every machine will still need an (RFC 1918) IPv4 address.

(Microsoft is running out of their internal 10.0.0.0/8: https://www.arin.net/blog/2019/04/03/microsoft-works-toward-...)

The goal of the IPv6 transition is to disable IPv4. NAT64+DNS64 or 464XLAT allows us to disable IPv4 on devices before the entire internet is ready.

I would love full transitions to be easy enough to work. DNS64 breaks DNSSEC without updates to the spec, so that's not going to fly for me today. A competent DNS configuration would fail to resolve my IPv4 domains at the very least (though all of my public domains have an AAAA record, obviously). The only solution is to do DNSSEC validation at the DNS64 level, which in my opinion defeats the purpose of DNS security altogether.

For internal networks, IPv6 seems like an obvious choice. If you already have company-wide subnets, you may as well set up some ULAs/GUAs and use IPv6 internally. Full IPv6 may be better, but people worry about adversaries mapping internal networks for some reason, so NAT66 may be necessary to placate those fears.

The problems you still keep around by using some kind of dual stacking (DS-Lite being the cheapest) ensure compatibility with servers and entire countries that haven't even begun upgrading their networks yet. You incur the IPv4 penalty, for sure, but only towards services that don't have IPv6. This provides an incentive for the world to move on without breaking existing infrastructure entirely.

> DNS64 breaks DNSSEC

Yes, it does. While in theory you could "undo" the translation and verify against the re-synthesized A record, nobody is going to do that.

464XLAT shifts the "make an IPv6 address from an IPv4" step to the CPE or even the end device (Apple devices are known to work well with 464XLAT). For this, the device discovers the prefix, and if software wants to make an IPv4 connection, it sends it to the NAT64 using the prefix + IP. DNS64 would no longer be needed.