[Search] [txt|xml|pdf|bibtex] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01                                                         
Network Working Group                                       M. Boucadair
Internet-Draft                                                    Orange
Updates: 6147 (if approved)                                June 23, 2021
Intended status: Standards Track
Expires: December 25, 2021

                 An EDNS0 Option for Sharing Pref64::/n


   This document specifies an Extension Mechanisms for DNS (EDNS0)
   option to convey the IPv6 prefix used to build IPv4-converted IPv6
   addresses.  When conveyed in a DNS query, the option communicates the
   IPv6 prefix used in the network from which the query was originated.
   Such a network is assumed to enable a Network Address and Protocol
   Translation from IPv6 clients to IPv4 servers (NAT64) function.
   DNS64-capable servers will use that prefix to build synthesized AAAA
   records, rather than relying on a preconfigured prefix.  When
   conveyed in a DNS reply, the option conveys the IPv6 prefix that is
   used by a DNS64-capable server to synthesized AAAA records.  Such
   information helps to automatically detect mismatches between the
   local NAT64 configuration and the one enforced at the DNS64 server.
   Also, security-aware and validating hosts may use the new EDNS0
   option to signal the presence of a NAT64 function.  That signal is
   used by the DNS server to fill the additional section of the AAAA
   reply in order to supply A RRs of the target.  Dual queries and
   delays are thus avoided.

   This document updates RFC 6147.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 25, 2021.

Boucadair               Expires December 25, 2021               [Page 1]

Internet-Draft          PREFIX64 in DNS Messages               June 2021

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Option Format . . . . . . . . . . . . . . . . . . . . . . . .   5
   4.  Protocol Description  . . . . . . . . . . . . . . . . . . . .   6
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   7
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   7
     8.2.  Informative References  . . . . . . . . . . . . . . . . .   8
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   9

1.  Introduction

   Network Address and Protocol Translation from IPv6 clients to IPv4
   servers (NAT64) function [RFC6146] is widely deployed, especially in
   cellular networks.  Such a function is solicited when an IPv6-only
   host communicates with an IPv4-only server.  For that communication
   to take place, IPv4-only servers are represented in the IPv6 domain
   by synthesizing IPv6 addresses based on IPv4 addresses (called,
   IPv4-converted IPv6 addresses).  The address translation algorithm is
   specified in [RFC6052].  In addition to an IPv4 address, this
   algorithm uses a dedicated IPv6 prefix as input.  Such a prefix can
   be the Well-Known Prefix (i.e., 64:ff9b::/96) or a Network-Specific
   Prefix (NSP).

   DNS64 [RFC6147] specifies a companion mechanism to represent
   IPv4-only servers in the IPv6 domains.  Such a mechanism relies upon
   the same address translation algorithm as the one used by the NAT64
   function.  When both DNS64 and NAT64 are deployed in the same
   network, the same IPv6 prefix must be used to feed the address

Boucadair               Expires December 25, 2021               [Page 2]

Internet-Draft          PREFIX64 in DNS Messages               June 2021

   translation algorithm (Section 2 of [RFC6147]).  A sample deployment
   scenario is depicted in Figure 1.  Note that no mechanism is
   supported to synchronize the prefix configured in both functions.  In
   particular, there is no communication between the DNS64 and NAT64

             +---------------------+         +---------------+
             |IPv6 network         |         |    IPv4       |
             |           |  +-------------+  |  network      |
             |           |--| Name server |--|               |
             |           |  | with DNS64  |  |  +----+       |
             |  +----+   |  +-------------+  |  | H2 |       |
             |  | H1 |---|         |         |  +----+       |
             |  +----+   |      +-------+    |    |
             |2001:db8::1|------| NAT64 |----|               |
             |           |      +-------+    |               |
             |           |         |         |               |
             +---------------------+         +---------------+

                   Figure 1: Sample Deployment (RFC6146)

   In networks where DNS64 is enabled, some deployments use distinct IP
   addresses to reach the "normal" DNS server and the DNS64 server.
   This is used to demux queries issues by IPv6-only hosts from those
   from dual-stack hosts.  The mechanism defined in this document allows
   to use the same DNS configuration for both IPv6-only and dual-stack

   NAT64 does not require a DNS64 server to be enabled and, even if it
   is used, it does not mandate that it is enabled in the same network.
   As such, several public DNS64 servers are currently available for use
   over the Internet.  However, these servers are restricted to the
   Well-Known Prefix.  Users who decides to bypass their network
   provisioned DNS64 server may experience connectivity issues if an NSP
   is used in their local networks (Section 4.4 of [RFC8683]).  This
   document solves that issues by specifying a mechanism that allows to
   use any DNS64 server, not only the one hosted in the network that
   enables the NAT64.

   If the IPv4 address of a remote IPv4-only server is known to an
   IPv6-only host (e.g., IPv4 literals, legacy DNS), the IPv6-only host
   can proceed with local address synthesis.  For example, the stub
   resolver on the IPv6-only host tries to obtain (native) AAAA records,
   and if they are not found, the DNS64 function on the host will send a
   query for A records and then synthesize AAAA records.  This behavior
   requires the host's stub-resolver to learn the prefix used for IPv6/
   IPv4 translation and synthesize AAAA records accordingly.  Many
   mechanisms were specified to discover such prefix, e.g.:

Boucadair               Expires December 25, 2021               [Page 3]

Internet-Draft          PREFIX64 in DNS Messages               June 2021

   o  [RFC7225] defines a new Port Control Protocol (PCP) option
      [RFC6887] to inform hosts about the Pref64::/n and suffix used by
      a NAT64 function.

   o  [RFC8781] specifies a Neighbor Discovery option used in Router
      Advertisements (RAs) to communicate NAT64 prefixes to hosts.

   The reader may refer to [RFC7050][RFC7051] for an analysis on the
   issues related to the discovery of the Pref64::/n.

   In some environments two DNS queries are issued even if the host is
   serviced using an IPv6-only connectivity (typically, AAA followed by
   A).  These two queries are sent sequentially, which introduces an
   extra delay when the target resource is IPv4-only.  Such delay can be
   prevented owing to the mechanism specified in this document.  As a
   side effect, the mechanism optimizes the load on DNS64 servers as
   only one query will be used instead of two.

   This document updates [RFC6146] as it extends the DNS64 processing to
   also consider the supplied Pref64::/n in an EDNS0 option to
   synthesize AAA records.  In particular statements such as "locally
   configured Pref64::/n" are updated to "locally configured Pref64::/n
   or Pref64::/n supplied in an EDNS0 PREFIX64 option".  To that aim,
   this document leverages the aforementioned discovery mechanism to
   detect the presence of a NAT64 function.

   In summary, the mechanism defined in this document is meant to:

   o  Provide a signal to indicate the support of NAT64 in a network.

   o  Allow a DNS64 server to service clients with distinct NAT64

   o  Avoid delays when both A and AAA queries are required.

   o  Optimize load on DNS server as only one query is generated rather
      that duplicating load when both AAA and A queries are required.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119][RFC8174] when, and only when, they appear in all
   capitals, as shown here.

Boucadair               Expires December 25, 2021               [Page 4]

Internet-Draft          PREFIX64 in DNS Messages               June 2021

   The reader should be familiar with terms and concepts defined in
   [RFC6052], [RFC6146], and [RFC6147].  Also, the document makes use of
   terms defined in [RFC8499].

   "IPv6-only host" refers to a host with an IPv6-only connectivity.

3.  Option Format

   The format of the PREFIX64 EDNS0 option is shown in Figure 2.  This
   format adheres to the guidelines specified in Section 6.1.2 of

                  +0 (MSB)                            +1 (LSB)
    0: |                          OPTION-CODE                          |
    2: |                         OPTION-LENGTH                         |
    4: |                                                               |
       /                          PREFIX64                             /
       /                                                               /

                  Figure 2: PREFIX64 EDNS0 Option Format

   The description of the fields is as follows:

   OPTION-CODE:  MUST be set to TBA (Section 6).

   OPTION-LENGTH:  Size (in octets) of the enclosed Pref64::/n.  Allowed
      values are: 0, 4, 5, 6, 7, 8, and 9.

      The receiver MUST ignore the option if the OPTION-LENGTH is not
      set to one of those values.

      When the value is set to 0, this indicates the presence of a NAT64
      function in the network from which the query is generated.

   PREFIX64:  This field identifies the IPv6 unicast prefix to be used
      for constructing an IPv4-converted IPv6 address from an IPv4
      address as specified in Section 2.2 of [RFC6052].  In such case,
      the prefix length MUST be 32, 40, 48, 56, 64, and 96 bits (i.e.,
      OPTION-LENGTH must be set to 4, 5, 6, 7, 8, and 9) as specified in

      This prefix can be the Well-Known Prefix (i.e., 64:ff9b::/96) or a
      Network-Specific Prefix.

Boucadair               Expires December 25, 2021               [Page 5]

Internet-Draft          PREFIX64 in DNS Messages               June 2021

      The address synthesis MUST follow the guidelines documented in

4.  Protocol Description

   A stub-resolver on an IPv6-only host that discovers the presence of
   NAT64 inserts the PREFIX64 EDNS0 option in its AAAA queries.  If the
   stub-resolver is on a multi-interfaced device, the Pref64::/n
   conveyed in the PREFIX64 EDNS0 option MUST be the one that is
   associated with the interface over which the DNS query is sent.

   A stub-resolver that is prepared to handle A RRs enclosed in the
   additional section (e.g., security-aware and validating hosts) MAY
   insert a PREFIX64 EDNS0 option with an OPTION-LENGTH set to zero in
   its AAAA DNS queries.  Such option is used by intermediate/
   authoritative servers as a signal to include A RR in the additional

   If an intermediate resolver enables a DNS64 function, then the AAAA
   query is treated as in [RFC6147] with the exception that supplied
   valid Pref64::/n are used for synthesizing AAAA records.  The reply
   MAY echo the PREFIX64 EDNS0 option.

   An intermediate resolver MAY be configured to forward AAAA queries
   that carry an PREFIX64 EDNS0 option with non-null prefixes to a DNS64
   server.  Matching queries are thus relayed to that DNS64 server.
   Upon receipt of such queries, the AAAA query is treated as in
   [RFC6147] with the exception that supplied valid Pref64::/n are used
   for synthesizing AAAA records.  This prevents from exposing distinct
   IP addresses for "normal" DNS and DNS64 operations.

   A DNS64 MAY be instructed to return the Pref64::/n that it uses when
   synthesizing AAAA records.  If so, the DNS64 MUST include the
   PREFIX64 option in its replies that carry synthesized AAAA records.
   This is superior to the current situation where users have to check
   the documentation (when available) to determine the prefix used by a
   DNS64 server for address synthesis.  Absent such checks, errors can
   be encountered to service IPv6-only hosts.  The use of PREFIX64
   option allows to automatically detect mismatches between the prefix
   used in the network (that is, the NAT64 function) and the one that is
   used by a DNS64 function.

   A stub-resolver MAY determine whether the returned AAAA includes a
   native or IPv4-converted IPv6 by comparing the first bits of the IPv6
   address with the local Pref64::/n.

Boucadair               Expires December 25, 2021               [Page 6]

Internet-Draft          PREFIX64 in DNS Messages               June 2021

5.  Security Considerations

   Generic EDNS0 security considerations are discussed in Section 8 of

   As discussed in Section 5.5 of [RFC6147], a security-aware and
   validating host has to perform the DNS64 function locally.  This
   specification does not prevent that.  The only enhancement is the
   receipt of A RR in the additional section of AAAA replies.

6.  IANA Considerations

   This document requests IANA to assign the following new code from the
   "DNS EDNS0 Option Codes (OPT)" registry available at [DNS-OPT]:

           Value      Name          Status        Reference
           -----      --------      --------      -------------
           TBA        PREFIX64      Standard      [ThisDocument]

7.  Acknowledgements


8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,

   [RFC6052]  Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
              Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
              DOI 10.17487/RFC6052, October 2010,

   [RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
              NAT64: Network Address and Protocol Translation from IPv6
              Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
              April 2011, <https://www.rfc-editor.org/info/rfc6146>.

   [RFC6147]  Bagnulo, M., Sullivan, A., Matthews, P., and I. van
              Beijnum, "DNS64: DNS Extensions for Network Address
              Translation from IPv6 Clients to IPv4 Servers", RFC 6147,
              DOI 10.17487/RFC6147, April 2011,

Boucadair               Expires December 25, 2021               [Page 7]

Internet-Draft          PREFIX64 in DNS Messages               June 2021

   [RFC6891]  Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms
              for DNS (EDNS(0))", STD 75, RFC 6891,
              DOI 10.17487/RFC6891, April 2013,

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

8.2.  Informative References

   [DNS-OPT]  IANA, "DNS EDNS0 Option Codes (OPT)",

   [RFC6887]  Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
              P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
              DOI 10.17487/RFC6887, April 2013,

   [RFC7050]  Savolainen, T., Korhonen, J., and D. Wing, "Discovery of
              the IPv6 Prefix Used for IPv6 Address Synthesis",
              RFC 7050, DOI 10.17487/RFC7050, November 2013,

   [RFC7051]  Korhonen, J., Ed. and T. Savolainen, Ed., "Analysis of
              Solution Proposals for Hosts to Learn NAT64 Prefix",
              RFC 7051, DOI 10.17487/RFC7051, November 2013,

   [RFC7225]  Boucadair, M., "Discovering NAT64 IPv6 Prefixes Using the
              Port Control Protocol (PCP)", RFC 7225,
              DOI 10.17487/RFC7225, May 2014,

   [RFC8499]  Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
              Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
              January 2019, <https://www.rfc-editor.org/info/rfc8499>.

   [RFC8683]  Palet Martinez, J., "Additional Deployment Guidelines for
              NAT64/464XLAT in Operator and Enterprise Networks",
              RFC 8683, DOI 10.17487/RFC8683, November 2019,

   [RFC8781]  Colitti, L. and J. Linkova, "Discovering PREF64 in Router
              Advertisements", RFC 8781, DOI 10.17487/RFC8781, April
              2020, <https://www.rfc-editor.org/info/rfc8781>.

Boucadair               Expires December 25, 2021               [Page 8]

Internet-Draft          PREFIX64 in DNS Messages               June 2021

Author's Address

   Mohamed Boucadair
   Rennes  35000

   Email: mohamed.boucadair@orange.com

Boucadair               Expires December 25, 2021               [Page 9]