git.ipfire.org Git - thirdparty/systemd.git/commit
resolved: register ipv4only.arpa are private domain
author Bertrand Jacquin <bertrand@jacquin.bzh>
Wed, 27 Sep 2023 18:39:52 +0000 (19:39 +0100)
committer Luca Boccassi <luca.boccassi@gmail.com>
Thu, 28 Sep 2023 20:55:00 +0000 (21:55 +0100)
commit 7406ebd5b6949999e94d50dbce4ee7ff41fcced0
tree d4029ed8bf729a3e520b4d7c65397c4b0e447228
parent 081c50ed3cc081278d15c03ea54487bd5bebc812
resolved: register ipv4only.arpa are private domain

From RFC 8880:

Because the 'ipv4only.arpa' zone has to be an insecure delegation,
DNSSEC cannot be used to protect these answers from tampering by
malicious devices on the path.

Consequently, the 'ipv4only.arpa' zone MUST be an insecure delegation to
give DNS64/NAT64 gateways the freedom to synthesize answers to those
queries at will, without the answers being rejected by DNSSEC-capable
resolvers. DNSSEC-capable resolvers that follow this specification MUST
NOT attempt to validate answers received in response to queries for the
IPv6 AAAA address records for 'ipv4only.arpa'. Note that the name
'ipv4only.arpa' has no use outside of being used for this special DNS
pseudo-query used to learn the DNS64/NAT64 address synthesis prefix, so
the lack of DNSSEC security for that name is not a problem.

See: https://datatracker.ietf.org/doc/html/rfc8880#name-security-considerations
src/resolve/resolved-dns-trust-anchor.c
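
An added illustration, not systemd's code and not part of this commit: a label-aware check of whether a queried name falls under a zone for which a validating resolver skips DNSSEC validation, as the RFC 8880 text above requires for 'ipv4only.arpa'. The function names and the zone list are hypothetical, and names are assumed to be in plain presentation format without escaped dots.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed sample list of zones to treat as insecure delegations.
 * Only ipv4only.arpa comes from the commit message; corp.example is
 * a made-up entry for illustration. */
static const char *const skip_validation_zones[] = {
    "ipv4only.arpa",
    "corp.example",
};

/* Length of a name, ignoring a single trailing root dot. */
static size_t name_len(const char *name) {
    size_t n = strlen(name);
    return (n > 0 && name[n - 1] == '.') ? n - 1 : n;
}

/* True if `name` equals `zone` or is a subdomain of it. The comparison is
 * case-insensitive and matches only on label boundaries, so that
 * "notipv4only.arpa" is not mistaken for a name inside "ipv4only.arpa". */
static bool name_in_zone(const char *name, const char *zone) {
    size_t nl = name_len(name), zl = name_len(zone);

    if (zl == 0 || nl < zl)
        return false;
    if (strncasecmp(name + (nl - zl), zone, zl) != 0)
        return false;
    /* Exact match, or the character before the suffix must be a dot. */
    return nl == zl || name[nl - zl - 1] == '.';
}

/* Hypothetical helper: should DNSSEC validation be skipped for `name`? */
bool skip_dnssec_validation(const char *name) {
    size_t count = sizeof skip_validation_zones / sizeof *skip_validation_zones;

    for (size_t i = 0; i < count; i++)
        if (name_in_zone(name, skip_validation_zones[i]))
            return true;
    return false;
}
```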