RFC 6147, "DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers", April 2011
Source of RFC: behave (tsv)
Errata ID: 3236
Publication Format(s) : TEXT
Reported By: Mark Andrews
Date Reported: 2012-05-30
Rejected by: Wes Eddy
Date Rejected: 2012-09-13
Section 5.5 says:
An application that wants to perform validation on its own should use the CD bit.
It should say:
[Section 5.5 needs to be completely re-analysed.]
Section 5.5 is written around the assumption that a validating stub resolver will be setting CD=1 as well as DO=1. There is no such requirement in RFC 4035, and in fact setting both CD=1 and DO=1 leaves the stub resolver vulnerable to answers from authoritative servers for the zone that are serving a stale copy of the zone and to spoofed answers being sent to the DNS64 server.
Non-CD=1 queries result in the DNS64 server, in its recursive role, filtering out cryptographically bad answers.
DO=1 alone should disable synthesis.
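The flag handling the notes argue about, as an added illustration that is not code from RFC 6147, from the erratum, or from any DNS64 implementation: a model of a DNS64 that is also a validating resolver, answering an AAAA query once no native AAAA was found, under the Section 5.5 text as written (synthesis suppressed only for DO=1 and CD=1) and under the erratum's proposal (DO=1 alone suppresses synthesis). Assumptions not stated on the page: the Well-Known Prefix 64:ff9b::/96 is used for synthesis, the upstream data (Upstream, GOOD, BOGUS) is a constructed stand-in with a single "did validation succeed" flag, and a CD=1, DO=0 query is treated like a plain client (synthesis happens, nothing is filtered). The names dns64_answer, validating_stub_outcomes and do_disables_synthesis are hypothetical.

```python
"""Added illustration (not code from RFC 6147, from the erratum, or from any
DNS64 implementation) of how a DNS64 that is also a validating resolver
treats the DO and CD bits under the section 5.5 text as written versus
under the erratum's proposal that DO=1 alone disables synthesis.

Assumptions not stated on the page: the Well-Known Prefix 64:ff9b::/96 is
used for synthesis, the upstream data is a constructed stand-in, and a
CD=1/DO=0 query is treated like a plain client (synthesis, no filtering)."""
from dataclasses import dataclass
import ipaddress

# RFC 6052 Well-Known Prefix; any /96 NAT64 prefix embeds the same way.
WKP = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = WKP) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 prefix (RFC 6052)."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only embeds into /96 prefixes")
    embedded = int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(embedded))


@dataclass(frozen=True)
class Upstream:
    """Constructed stand-in for what the recursive side found: no native
    AAAA, an A RRset, and whether DNSSEC validation of that data succeeds."""
    a_records: tuple
    secure: bool


@dataclass(frozen=True)
class Response:
    rcode: str        # "NOERROR" or "SERVFAIL"
    answer: tuple     # (rtype, rdata) pairs returned for the AAAA query
    validated: bool   # True if the resolver checked signatures before answering


def dns64_answer(do: bool, cd: bool, upstream: Upstream,
                 do_disables_synthesis: bool = False) -> Response:
    """Answer an AAAA query for which no native AAAA exists.

    do_disables_synthesis=False: synthesis is suppressed only for DO=1, CD=1
    (the section 5.5 text as written).  True: any DO=1 query suppresses it
    (the behaviour the erratum asks for)."""
    # RFC 4035: a CD=1 query tells the resolver not to drop data that fails
    # validation, so the DNS64 filters bad answers only for CD=0 queries.
    if not cd and not upstream.secure:
        return Response("SERVFAIL", (), validated=True)
    suppress = do if do_disables_synthesis else (do and cd)
    if suppress:
        # Negative AAAA answer passed on; the stub does its own work from here.
        return Response("NOERROR", (), validated=not cd)
    # Synthesized records carry no RRSIG: the DNS64 holds no key for the zone,
    # so a validating stub that receives them cannot validate them.
    aaaa = tuple(("AAAA", synthesize_aaaa(a)) for a in upstream.a_records)
    return Response("NOERROR", aaaa, validated=not cd)


# Constructed sample data (documentation address range, not a deployment).
GOOD = Upstream(a_records=("192.0.2.33",), secure=True)
BOGUS = Upstream(a_records=("192.0.2.33",), secure=False)


def validating_stub_outcomes(upstream: Upstream) -> dict:
    """What a stub that validates on its own and wants no synthesis receives,
    using the flags each rule requires for that: DO=1,CD=1 as written and
    DO=1,CD=0 under the erratum's proposal."""
    return {
        "as_written": dns64_answer(do=True, cd=True, upstream=upstream),
        "erratum": dns64_answer(do=True, cd=False, upstream=upstream,
                                do_disables_synthesis=True),
    }


if __name__ == "__main__":
    for name, resp in validating_stub_outcomes(BOGUS).items():
        print(name, resp)
```

Run with BOGUS upstream data, the model shows the difference the reporter describes: under the text as written the validating stub must send CD=1 to avoid synthesis, so the DNS64 passes the unvalidated data through; under the erratum's rule the same stub keeps CD=0, synthesis is still suppressed, and data that fails validation is answered with SERVFAIL.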
Changes that are clearly modifications to the intended consensus, or involve large textual changes, should be Rejected.