2981. [func] Partial DNS64 support (AAAA synthesis). [RT #21991]

CHANGES

+2981.	[func]		Partial DNS64 support (AAAA synthesis). [RT #21991]
+
 2980.	[bug]		named didn't properly handle UPDATES that changed the
 			TTL of the NSEC3PARAM RRset. [RT #22363]
 

bin/named/include/named/query.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.h,v 1.42 2010/09/24 08:31:23 tbox Exp $ */
+/* $Id: query.h,v 1.43 2010/12/08 02:46:15 marka Exp $ */
 
 #ifndef NAMED_QUERY_H
 #define NAMED_QUERY_H 1
@@ -27,6 +27,7 @@
 #include <isc/netaddr.h>
 
 #include <dns/types.h>
+#include <dns/rdataset.h>
 
 #include <named/types.h>
 
@@ -57,6 +58,12 @@ struct ns_query {
 	isc_bufferlist_t		namebufs;
 	ISC_LIST(ns_dbversion_t)	activeversions;
 	ISC_LIST(ns_dbversion_t)	freeversions;
+	dns_rdataset_t *		dns64_aaaa;
+	dns_rdataset_t *		dns64_sigaaaa;
+	isc_boolean_t *			dns64_aaaaok;
+	unsigned int			dns64_aaaaoklen;
+	unsigned int			dns64_options;
+	unsigned int			dns64_ttl;
 };
 
 #define NS_QUERYATTR_RECURSIONOK	0x0001
@@ -73,6 +80,9 @@ struct ns_query {
 #define NS_QUERYATTR_NOADDITIONAL	0x0800
 #define NS_QUERYATTR_CACHEACLOKVALID	0x1000
 #define NS_QUERYATTR_CACHEACLOK		0x2000
+#define NS_QUERYATTR_DNS64		0x4000
+#define NS_QUERYATTR_DNS64EXCLUDE	0x8000
+
 
 isc_result_t
 ns_query_init(ns_client_t *client);

bin/named/server.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.587 2010/12/02 23:22:41 marka Exp $ */
+/* $Id: server.c,v 1.588 2010/12/08 02:46:15 marka Exp $ */
 
 /*! \file */
 
@@ -63,6 +63,7 @@
 #ifdef DLZ
 #include <dns/dlz.h>
 #endif
+#include <dns/dns64.h>
 #include <dns/forward.h>
 #include <dns/journal.h>
 #include <dns/keytable.h>
@@ -1356,6 +1357,7 @@ configure_view(dns_view_t *view, cfg_parser_t* parser,
 	isc_boolean_t zero_no_soattl;
 	cfg_parser_t *newzones_parser = NULL;
 	cfg_obj_t *nzfconf = NULL;
+	dns_acl_t *clients = NULL, *mapped = NULL, *excluded = NULL;
 
 	REQUIRE(DNS_VIEW_VALID(view));
 
@@ -1618,6 +1620,89 @@ configure_view(dns_view_t *view, cfg_parser_t* parser,
 	INSIST(result == ISC_R_SUCCESS);
 	zero_no_soattl = cfg_obj_asboolean(obj);
 
+	obj = NULL;
+	result = ns_config_get(maps, "dns64", &obj);
+	if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") &&
+	    strcmp(view->name, "_meta")) {
+		const cfg_listelt_t *element;
+		isc_netaddr_t na, suffix, *sp;
+		unsigned int prefixlen;
+
+		for (element = cfg_list_first(obj);
+		     element != NULL;
+		     element = cfg_list_next(element))
+		{
+			const cfg_obj_t *map = cfg_listelt_value(element);
+			dns_dns64_t *dns64 = NULL;
+			unsigned int dns64options = 0;
+
+			cfg_obj_asnetprefix(cfg_map_getname(map), &na,
+					    &prefixlen);
+
+			obj = NULL;
+			(void)cfg_map_get(map, "suffix", &obj);
+			if (obj != NULL) {
+				sp = &suffix;
+				isc_netaddr_fromsockaddr(sp,
+						      cfg_obj_assockaddr(obj));
+			} else
+				sp = NULL;
+			
+			clients = mapped = excluded = NULL;
+			obj = NULL;
+			(void)cfg_map_get(map, "clients", &obj);
+			if (obj != NULL) {
+				result = cfg_acl_fromconfig(obj, config,
+							    ns_g_lctx, actx,
+							    mctx, 0, &clients);
+				if (result != ISC_R_SUCCESS)
+					goto cleanup;
+			}
+			obj = NULL;
+			(void)cfg_map_get(map, "mapped", &obj);
+			if (obj != NULL) {
+				result = cfg_acl_fromconfig(obj, config,
+							    ns_g_lctx, actx,
+							    mctx, 0, &mapped);
+				if (result != ISC_R_SUCCESS)
+					goto cleanup;
+			}
+			obj = NULL;
+			(void)cfg_map_get(map, "exclude", &obj);
+			if (obj != NULL) {
+				result = cfg_acl_fromconfig(obj, config,
+							    ns_g_lctx, actx,
+							    mctx, 0, &excluded);
+				if (result != ISC_R_SUCCESS)
+					goto cleanup;
+			}
+
+			obj = NULL;
+			(void)cfg_map_get(map, "recursive-only", &obj);
+			if (obj != NULL && cfg_obj_asboolean(obj))
+				dns64options |= DNS_DNS64_RECURSIVE_ONLY;
+
+			obj = NULL;
+			(void)cfg_map_get(map, "break-dnssec", &obj);
+			if (obj != NULL && cfg_obj_asboolean(obj))
+				dns64options |= DNS_DNS64_BREAK_DNSSEC;
+			
+			result = dns_dns64_create(mctx, &na, prefixlen, sp,
+						  clients, mapped, excluded,
+						  dns64options, &dns64);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+			dns_dns64_append(&view->dns64, dns64);
+			view->dns64cnt++;
+			if (clients != NULL)
+				dns_acl_detach(&clients);
+			if (mapped != NULL)
+				dns_acl_detach(&mapped);
+			if (excluded != NULL)
+				dns_acl_detach(&excluded);
+		}
+	}
+	
 	obj = NULL;
 	result = ns_config_get(maps, "dnssec-accept-expired", &obj);
 	INSIST(result == ISC_R_SUCCESS);
@@ -2518,6 +2603,12 @@ configure_view(dns_view_t *view, cfg_parser_t* parser,
 	result = ISC_R_SUCCESS;
 
  cleanup:
+	if (clients != NULL)
+		dns_acl_detach(&clients);
+	if (mapped != NULL)
+		dns_acl_detach(&mapped);
+	if (excluded != NULL)
+		dns_acl_detach(&excluded);
 	if (ring != NULL)
 		dns_tsigkeyring_destroy(&ring);
 	if (zone != NULL)

bin/tests/system/conf.sh.in

@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: conf.sh.in,v 1.53 2010/12/07 02:53:33 marka Exp $
+# $Id: conf.sh.in,v 1.54 2010/12/08 02:46:15 marka Exp $
 
 #
 # Common configuration data for system tests, to be sourced into
@@ -53,7 +53,7 @@ JOURNALPRINT=$TOP/bin/tools/named-journalprint
 # load on the machine to make it unusable to other users.
 # v6synth
 SUBDIRS="acl allow_query addzone autosign cacheclean checkconf checknames
-    dlv @DLZ_SYSTEM_TEST@ dnssec forward glue ixfr limits lwresd
+    dlv @DLZ_SYSTEM_TEST@ dns64 dnssec forward glue ixfr limits lwresd
     masterfile masterformat metadata notify nsupdate pending pkcs11
     resolver rrsetorder sortlist smartsign stub tkey unknown upforwd
     views xfer xferquota zonechecks"

bin/tests/system/dns64/clean.sh

+#!/bin/sh
+
+
+rm -f ns1/K*
+rm -f ns1/signed.db*
+rm -f ns1/dsset-signed.

bin/tests/system/dns64/ns1/example.db

+; Copyright
+$TTL	3600
+@	SOA ns1 marka.isc.org. 0 0 0 0 1200
+@	NS ns1
+ns1	A	10.53.0.1
+excluded-good-a	AAAA	2001:eeee::1
+		A	1.2.3.4
+excluded-bad-a	AAAA	2001:eeee::2
+		A	10.0.0.1
+excluded-only	AAAA	2001:eeee::3
+partially-excluded-good-a	AAAA	2001:eeee::1
+		AAAA	2001::1
+		A	1.2.3.4
+partially-excluded-bad-a	AAAA	2001:eeee::2
+		AAAA	2001::2
+		A	10.0.0.1
+partially-excluded-only	AAAA	2001:eeee::3
+		AAAA	2001::3
+a-only		A	1.2.3.5
+a-and-aaaa	AAAA	2001::1
+		A	1.2.3.6
+aaaa-only	AAAA	2001::2
+a-not-mapped	A	10.0.0.2
+mx-only		MX	10 ns.example.
+cname-excluded-good-a CNAME excluded-good-a
+cname-excluded-bad-a CNAME excluded-bad-a
+cname-excluded-only CNAME excluded-only
+cname-partial-excluded-good-a CNAME partial-excluded-good-a
+cname-partial-excluded-bad-a CNAME partial-excluded-bad-a
+cname-partial-excluded-only CNAME partial-excluded-only
+cname-a-only CNAME a-only
+cname-a-and-aaaa CNAME a-and-aaaa
+cname-aaaa-only CNAME aaaa-only
+cname-a-not-mapped CNAME a-not-mapped
+cname-mx-only CNAME mx-only
+cname-non-existent CNAME non-existent

bin/tests/system/dns64/ns1/named.conf

+/*
+ * Copyright (C) 2004, 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2 2010/12/08 02:46:15 marka Exp $ */
+
+// NS1
+
+controls { /* empty */ };
+
+acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	allow-recursion { 10.53.0.1; };
+	notify yes;
+	dnssec-enable yes;
+	dnssec-validation yes;
+
+	dns64 2001:bbbb::/96 {
+                clients { any; };
+                mapped { !rfc1918; any; };
+                exclude { 2001:eeee::/32; 64:FF9B::/96; ::ffff:0000:0000/96; };
+                suffix ::;
+		recursive-only yes;
+        };
+};
+
+zone "." {
+	type master;
+	file "root.db";
+};
+
+zone "example" {
+	type master;
+	file "example.db";
+};
+
+zone "signed" {
+	type master;
+	file "signed.db.signed";
+};
+
+// include "trusted.conf";

bin/tests/system/dns64/ns1/root.db

+; Copyright
+$TTL 3600
+@		SOA	a.root-servers.nil. marka.isc.org. 0 0 0 0 0
+@		NS	a.root-servers.nil.
+a.root-servers.nil.      A   10.53.0.1
+example 	NS	ns1.example.
+ns1.example.	A	10.53.0.1
+signed		NS	ns1.example.
+ns1.signed.	A	10.53.0.1

bin/tests/system/dns64/ns1/sign.sh

+#!/bin/sh -e
+#
+# Copyright (C) 2004, 2006-2010  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000-2003  Internet Software Consortium.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.2 2010/12/08 02:46:16 marka Exp $
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+
+zone=signed
+infile=example.db
+zonefile=signed.db
+
+key1=`$KEYGEN -q -r $RANDFILE $zone`
+key2=`$KEYGEN -q -r $RANDFILE -fk $zone`
+
+cat $infile $key1.key $key2.key > $zonefile
+
+$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null

bin/tests/system/dns64/ns2/named.conf

+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2 2010/12/08 02:46:16 marka Exp $ */
+
+// NS2
+
+controls { /* empty */ };
+
+acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	dnssec-enable yes;
+	dnssec-validation yes;
+
+        dns64 2001:aaaa::/96 {
+                clients { 10.53.0.2; };
+                mapped { !rfc1918; any; };
+                exclude { 2001:eeee::/32; 64:FF9B::/96; ::ffff:0000:0000/96; };
+                suffix ::;
+        };
+
+        dns64 64:FF9B::/96 {
+                clients { 10.53.0.1; };
+                mapped { !192.228.79.201; !rfc1918; any; };
+                exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
+                suffix ::;
+        };
+
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};

bin/tests/system/dns64/setup.sh

+#!/bin/sh -e
+#
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000, 2001  Internet Software Consortium.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.2 2010/12/08 02:46:15 marka Exp $
+
+../../../tools/genrandom 400 random.data
+
+sh clean.sh
+
+cd ns1 && sh sign.sh

doc/arm/Bv9ARM-book.xml

@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- File: $Id: Bv9ARM-book.xml,v 1.465 2010/09/21 19:47:57 ebersman Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.466 2010/12/08 02:46:16 marka Exp $ -->
 <book xmlns:xi="http://www.w3.org/2001/XInclude">
   <title>BIND 9 Administrator Reference Manual</title>
@@ -5120,6 +5120,14 @@ badresp:1,adberr:0,findfail:0,valfail:0]
     <optional> match-mapped-addresses <replaceable>yes_or_no</replaceable>; </optional>
     <optional> filter-aaaa-on-v4 ( <replaceable>yes_or_no</replaceable> | <replaceable>break-dnssec</replaceable> ); </optional>
     <optional> filter-aaaa { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> dns64 <replaceable>IPv6-prefix</replaceable> {
+	<optional> clients { <replaceable>address_match_list</replaceable> }; </optional>
+	<optional> mapped { <replaceable>address_match_list</replaceable> }; </optional>
+        <optional> exclude { <replaceable>address_match_list</replaceable> }; </optional>
+	<optional> suffix IPv6-address; </optional>
+	<optional> recursion-only <replaceable>yes_or_no</replaceable>; </optional>
+	<optional> break-dnssec <replaceable>yes_or_no</replaceable>; </optional>
+    }; </optional>;
     <optional> preferred-glue ( <replaceable>A</replaceable> | <replaceable>AAAA</replaceable> | <replaceable>NONE</replaceable> ); </optional>
     <optional> edns-udp-size <replaceable>number</replaceable>; </optional>
     <optional> max-udp-size <replaceable>number</replaceable>; </optional>
@@ -5710,6 +5718,63 @@ options {
             </listitem>
           </varlistentry>
+	  <varlistentry>
+	    <term><command>dns64</command></term>
+            <listitem>
+	      <para>
+		This directive instructs <command>named</command> to
+		return mapped IPv4 addresses to AAAA queries when
+		there are no AAAA records.  It is intended to be
+		used in conjunction with a NAT64.  Each
+		<command>dns64</command> defines one DNS64 prefix.
+		Multiple DNS64 prefixes can be defined.
+	      </para>
+	      <para>
+		Compatible IPv6 prefixes have lengths of 32, 40, 48, 56,
+		64 and 96 as per RFC 6052.
+	      </para>
+	      <para>
+		Each <command>dns64</command> supports a optional
+		<command>clients</command> acl which defines which clients
+		see this directive.  If not defined it defaults to
+		<userinput>any;</userinput>.
+	      </para>
+	      <para>
+		Each <command>dns64</command> supports a optional
+		<command>mapped</command> acl which selects which
+		IPv4 addresses are to be mapped are in the corresponding	
+		A RRset.  If not defined it defaults to
+		<userinput>any;</userinput>.
+	      </para>
+	      <para>
+		Each <command>dns64</command> supports a optional
+		<command>exclude</command> acl which selects which
+		IPv6 addresses will be ignored for the purposes
+		of determining if dns64 is to be applied.  Any
+		non matching address will prevent any further
+		DNS64 processing from occuring for this client.
+	      </para>
+	      <para>
+		A optional <command>suffix</command> can also
+		be defined to set the bits trailing the mapped
+		IPv4 address bits.  By default these bits are
+		set to <userinput>::</userinput>.  The bits
+		matching the prefix and mapped IPv4 address
+		must be zero.
+	      </para>
+<programlisting>
+	acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+
+        dns64 64:FF9B::/96 {
+                clients { any; };
+                mapped { !rfc1918; any; };
+                exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
+                suffix ::;
+        };
+</programlisting>
+            </listitem>
+	  </varlistentry>
+
         </variablelist>
         <sect3 id="boolean_options">

doc/misc/options

@@ -100,6 +100,14 @@ options {
         directory <quoted_string>;
         disable-algorithms <string> { <string>; ... };
         disable-empty-zone <string>;
+        dns64 <netprefix> {
+                break-dnssec <boolean>;
+                clients { <address_match_element>; ... };
+                exclude { <address_match_element>; ... };
+                mapped { <address_match_element>; ... };
+                recursive-only <boolean>;
+                suffix <ipv6_address>;
+        };
         dnssec-accept-expired <boolean>;
         dnssec-dnskey-kskonly <boolean>;
         dnssec-enable <boolean>;
@@ -303,6 +311,14 @@ view <string> <optional_class> {
         dlz <string> {
                 database <string>;
         };
+        dns64 <netprefix> {
+                break-dnssec <boolean>;
+                clients { <address_match_element>; ... };
+                exclude { <address_match_element>; ... };
+                mapped { <address_match_element>; ... };
+                recursive-only <boolean>;
+                suffix <ipv6_address>;
+        };
         dnssec-accept-expired <boolean>;
         dnssec-dnskey-kskonly <boolean>;
         dnssec-enable <boolean>;

lib/bind9/check.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.120 2010/08/11 18:14:19 each Exp $ */
+/* $Id: check.c,v 1.121 2010/12/08 02:46:16 marka Exp $ */
 
 /*! \file */
 
@@ -418,6 +418,106 @@ check_viewacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
 	return (result);
 }
 
+static const unsigned char zeros[16];
+
+static isc_result_t
+check_dns64(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
+	    const cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	const cfg_obj_t *dns64 = NULL;
+	const cfg_obj_t *options;
+	const cfg_listelt_t *element;
+	const cfg_obj_t *map, *obj;
+	isc_netaddr_t na, sa;
+	unsigned int prefixlen;
+	int nbytes;
+	int i;
+
+	static const char *acls[] = { "client", "exclude", "mapped", NULL};
+
+	if (voptions != NULL)
+		cfg_map_get(voptions, "dns64", &dns64);
+	if (config != NULL && dns64 == NULL) {
+		options = NULL;
+		cfg_map_get(config, "options", &options);
+		if (options != NULL)
+			cfg_map_get(options, "dns64", &dns64);
+	}
+	if (dns64 == NULL)
+		return (ISC_R_SUCCESS);
+
+	for (element = cfg_list_first(dns64);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		map = cfg_listelt_value(element);
+		obj = cfg_map_getname(map);
+
+		cfg_obj_asnetprefix(obj, &na, &prefixlen);
+		if (na.family != AF_INET6) {
+			cfg_obj_log(map, logctx, ISC_LOG_ERROR,
+				    "dns64 requires a IPv6 prefix");
+			result = ISC_R_FAILURE;
+			continue;
+		}
+		
+		if (prefixlen != 32 && prefixlen != 40 && prefixlen != 48 &&
+		    prefixlen != 56 && prefixlen != 64 && prefixlen != 96) {
+			cfg_obj_log(map, logctx, ISC_LOG_ERROR,
+				    "bad prefix length %u [32/40/48/56/64/96]",
+				    prefixlen);
+			result = ISC_R_FAILURE;
+			continue;
+		}
+
+		for (i = 0; acls[i] != NULL; i++) {
+			obj = NULL;
+			(void)cfg_map_get(map, acls[i], &obj);
+			if (obj != NULL) {
+				dns_acl_t *acl = NULL;
+				isc_result_t tresult;
+
+				tresult = cfg_acl_fromconfig(obj, config,