Thoughts about ipv6 white listing

Jeroen Massar jeroen at unfix.org
Sat Dec 4 11:47:47 CET 2010


On 2010-12-04 11:21, George Bonser wrote:
[..]
> Requests that arrive via v4 that request an AAAA resource are returned
> NXDOMAIN

I do hope you mean NOERROR otherwise you kill off any other queries too.
E.g. for that "A" record which seems to be quite popular...


Do note though that a LOT of people might not have IPv6 transport in use
for their IPv6 DNS server.

Also, it might be that the recursive DNS server they are using over IPv4
transport has IPv6 connectivity. As such the DNS request comes in over
IPv6 while the end user was using IPv4.

Can you see why this would be VERY horrible to troubleshoot?

In short: either publish A + AAAA on the same set of servers or just
forget about it.


There are two major problems with IPv6 deployment at the moment:
 - broken CPE/NAT boxes with built-in DNS recursors which drop AAAA
   queries (or anything they don't know for that matter).
 - broken connectivity

Both cases, nothing you can work around, only thing one can do is get
the end user to fix them and as long as they don't notice, they won't know.

A proper test like http://netalyzr.icsi.berkeley.edu/ is the only way to
figure them out, but users who are not technical enough will never go
there of course. This is where ISP helpdesks come in and it would be
nice if the various search engines would have a proper answer to these
questions instead of pointing to clueless answers like "disable IPv6"
which seem predominant. Unfortunately nothing much anybody can do about it.

Greets,
 Jeroen
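
Added example, not part of the original message: a small simulation of why the NXDOMAIN versus NOERROR distinction raised above matters to a caching resolver. It follows the negative-caching rule in RFC 2308 section 5 (NXDOMAIN is cached per name, an empty NOERROR answer per name and type); the zone data, the `policy` switch and all function names are constructed for illustration.

```python
# RCODE values from RFC 1035
NOERROR, NXDOMAIN = 0, 3
NAME = "www.example.com"  # constructed sample name


class NegativeCache:
    """Resolver-side negative cache following RFC 2308 section 5."""

    def __init__(self):
        self.nxdomain = set()  # names cached as not existing at all
        self.nodata = set()    # (name, qtype) pairs cached as empty

    def store(self, name, qtype, rcode, answers):
        if rcode == NXDOMAIN:
            self.nxdomain.add(name.lower())           # covers every type
        elif rcode == NOERROR and not answers:
            self.nodata.add((name.lower(), qtype))    # covers this type only

    def blocks(self, name, qtype):
        name = name.lower()
        return name in self.nxdomain or (name, qtype) in self.nodata


def authoritative(name, qtype, policy):
    """Hypothetical whitelisting server: the A record exists, AAAA is withheld.
    policy picks the rcode sent for the withheld AAAA answer."""
    zone = {(NAME, "A"): ["192.0.2.10"]}  # constructed zone data
    if qtype == "AAAA":
        return (NXDOMAIN if policy == "nxdomain" else NOERROR), []
    return NOERROR, zone.get((name, qtype), [])


def dual_stack_lookup(policy):
    """One caching resolver serving a client that asks AAAA first, then A."""
    cache = NegativeCache()
    results = {}
    for qtype in ("AAAA", "A"):
        if cache.blocks(NAME, qtype):
            results[qtype] = "negative-cache hit"  # never reaches the server
            continue
        rcode, answers = authoritative(NAME, qtype, policy)
        cache.store(NAME, qtype, rcode, answers)
        results[qtype] = answers or "empty"
    return results
```

With the `nxdomain` policy the A lookup is answered from the negative cache and the name becomes unreachable over IPv4 as well; with `noerror` only the AAAA type is cached as empty.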

