Thoughts about ipv6 white listing
gbonser at seven.com
Sat Dec 4 11:21:15 CET 2010
Rather than taking a white listing approach to v6, I thought I might do
Configure an instance of named that is v6 only. That instance contains
both A and AAAA records. Register that DNS server in whois with a v6
address only. The instances of named running on v4 have a zone with
only A records.
Requests that arrive via v6 that request an AAAA resource are given one
if one is available.
Requests that arrive via v4 that request an AAAA resource are returned
This *should* greatly reduce the number of requests where a client
thinks it has v6 connectivity (has a local v6 LAN but no Internet v6 or
can't reach me via their provider) getting an AAAA resource that it
can't reach. The reasoning being that if they reached me by v6 to
request the resource, they can most likely also reach the resource
There will be a possibility where a client actually does have v6
Internet and can actually reach me but their DNS server is v4 only. I
am willing to force those cases to fall back to v4. This is sort of
self white listing where the client, if requesting by v6 for a v6
resource gets one and is likely to succeed in connecting. There is the
odd chance where the client has a v6 local net (ULA?) that is not
globally routable *and* has a properly configured v6 dns server where I
could get a v6 request that the client can't reach but my opinion is
that it is a corner case that *needs* to break so that it can be fixed.
Anyone else done anything like this?
More information about the ipv6-ops