DNS64 should not perform synthesis for queries with CD and DO flags

According to RFC 6147, section 5.5, paragraph 3, DNS64 synthesis MUST NOT be performed for queries with CD and DO flags (not to fool validating stub resolvers). Knot Resolver is not compliant with this requirement.

# dig ipv4only.arpa aaaa +cdflag +dnssec +short
64:ff9b::c000:aa
64:ff9b::c000:ab

Both BIND and Unbound DNS64 modules perform well:

# dig ipv4only.arpa aaaa +cdflag +dnssec +short
<empty>

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

Admin message

Admin message

DNS64 should not perform synthesis for queries with CD and DO flags