DNS64 and DNSSEC - AD bit not set (RFC 6147)

Tom Lanyon tom+bind at oneshoeco.com
Thu Mar 27 03:27:27 UTC 2014

Hi list,

Just wanted to check my understanding of BIND9's implementation of DNS64 against RFC 6147.

Currently BIND9's "break-dnssec" defaults to "no" - in this configuration, a security-aware & validating recursive resolver with will never synthesise a AAAA record via DNS64 when queried with DO=1 irregardless of the CD bit.

When changing "break-dnssec" to "yes", querying with DO=1 will always trigger synthesis of a DNS64 AAAA record, irregardless of the CD bit.

Both of these configurations seem to conflict with the DNS64 RFC 6147, which specifies that (so long as the upstream negative AAAA and positive A responses validate) the recursive resolver can still synthesise the DNS64 AAAA when queried with DO=1 and CD=0 but must return the answer with the AD bit set.  Only when queried with both DO=1 and CD=1 must it not synthesise the DNS64 AAAA.

Is there any way to configure BIND9 to comply with this RFC 6147 behaviour?  We're on 9.8.2, but I couldn't find anything related in the CHANGES for either 9.8 or 9.9.


More information about the bind-users mailing list