Thoughts about ipv6 white listing

Jeroen Massar jeroen at unfix.org
Sat Dec 4 12:30:18 CET 2010


On 2010-12-04 11:58, George Bonser wrote:
[..]
>> Do note though that a LOT of people might not have IPv6 transport
>> in use for their IPv6 DNS server.
> 
> That is fine.  I am on a first pass willing to continue giving them a
> v4 address. That is no different than the situation is now and does
> not break anything.

Except that people who have IPv4 on their side

>> Also, it might be that the recursive DNS server they are using
>> over IPv4 transport has IPv6 connectivity. As such the DNS request
>> comes in over IPv6 while the end user was using IPv4.
> 
> Then the end user would not have requested an AAAA record, it would
> have requested an A record.  If the client had no IPv6 it will not
> request an AAAA record.  If a request comes in on v6 for an A record,
> they will get the A record.
>
[interjected from follow-up mail]
> To clarify ... a request arriving on v6 can get an A or an AAAA
> record.
> 
> A request arriving on v4 will get only an A record.
> 
> Clients on v4 with a v6 dns server will show up asking for an A
> record over v6.  That request will be answered if there is an A
> record for the resource.
> 
> Clients on v6 with a v4 dns server will show up on v4 asking for an
> AAAA record.  That request will receive NOERROR and will fall back to
> v4.
> 
> Clients on v6 with a v6 DNS server where the server can reach me but
> the client cannot reach me need to break so the problem can be fixed.

How is this different from just publishing both A and AAAA?

The client will not use the AAAA record when the connectivity is not
there and thus it won't hurt.

It will only hurt when connectivity is broken as per your last part.

Thus why try and come up with something which makes it hard to debug?

>> Can you see why this would be VERY horrible to troubleshoot?
> 
> No.

"I got IPv6 everywhere but I don't get a AAAA record back!"

So many reasons, most likely though because their intermediate DNS
recursor does not do IPv6.

Please, just either publish AAAA or do not.


> 
>> 
>> There are two major problems with IPv6 deployment at the moment:
>> - broken CPE/NAT boxes with built-in DNS recursors which drop AAAA
>>   queries (or anything they don't know for that matter).
>> - broken connectivity
> 
> Fine, then they will get the A record for the resource.  Not a
> problem.

In the first case they get the A record after timing out their AAAA.
This is indeed not a problem that anyone on the server side can fix.

Broken connectivity though, might mean they can do a AAAA request over
IPv6, or a AAAA over IPv4 to a recursor which does IPv6 to your DNS
server. They thus might end up getting a AAAA record but because of
broken connectivity (routing, MTU etc etc etc) they will not be able to
reach your site anymore.

Again, in both cases there is nothing you can do about it, and trying to
come up with a split of who does and who does not get AAAA records is not
going to make any difference there.

Either you publish AAAA or you don't.


The idea behind the whitelisting there is that the helpdesk of the
whitelisted organization can point the folks in the right direction
when trying to diagnose these issues. That is why it is not a half-bad
idea; it does not progress IPv6 though, and again, it is difficult to
figure out why one is not getting an AAAA address.


On 2010-12-04 12:07, George Bonser wrote:
>>> Also, it might be that the recursive DNS server they are using
>>> over IPv4 transport has IPv6 connectivity. As such the DNS
>>> request comes in over IPv6 while the end user was using IPv4.
>> 
>> Then the end user would not have requested an AAAA record, it
>> would have requested an A record.  If the client had no IPv6 it
>> will not request an AAAA record.  If a request comes in on v6 for
>> an A record, they will get the A record.
> 


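The cases George enumerates above (which transport the AAAA query arrives
over versus what the end client can actually reach) and the broken-path
case Jeroen adds are easier to compare when written out as a model. The
following is an added example for this thread, not code from either poster
or from any DNS server: it implements the two answer policies under
discussion, "gate_by_transport" (hand out AAAA only when the query itself
came in over IPv6, the first-pass scheme quoted above) and "publish_both",
and runs each against a client whose recursor and IPv6 path are chosen
independently. The zone name www.example.net, the documentation-prefix
addresses, the scenario names and the assumption of a 2010-era client that
uses the AAAA it got without retrying over IPv4 are all constructed for
the example.

```python
"""AAAA-by-query-transport whitelisting versus plain publishing.

Added example for the discussion in the thread; not code from the thread
or from any DNS software. It models the authoritative server's answer
policy and the three things that policy cannot observe at once: whether the
end client has IPv6, which transport its recursor uses towards the
authoritative server, and whether the client's own IPv6 path to the site
works. The zone name and addresses are constructed (documentation prefixes).
"""
from dataclasses import dataclass

# Constructed zone: one name with both an A and an AAAA record.
ZONE = {"www.example.net": {"A": "192.0.2.10", "AAAA": "2001:db8::10"}}


def authoritative_answer(qname, qtype, transport, policy):
    """RRset the authoritative server returns for one query.

    policy == "publish_both":      hand out whatever the zone holds.
    policy == "gate_by_transport": hand out AAAA only when the query itself
        arrived over IPv6; an AAAA query over IPv4 gets NOERROR with an
        empty answer, so the client falls back to A.
    """
    records = ZONE.get(qname, {})
    if qtype == "AAAA" and policy == "gate_by_transport" and transport != "v6":
        return []
    return [records[qtype]] if qtype in records else []


@dataclass(frozen=True)
class Scenario:
    name: str
    client_has_v6: bool      # a v6-capable stub asks for AAAA first, then A
    recursor_transport: str  # "v4" or "v6": all the authoritative server sees
    v6_path_ok: bool         # can the client actually reach 2001:db8::10?


def connect(scn, policy, qname="www.example.net"):
    """Return (address_used, outcome) for a client without Happy Eyeballs
    style fallback (assumption): if it received an AAAA it uses it and does
    not retry over IPv4 when that path is broken."""
    if scn.client_has_v6:
        aaaa = authoritative_answer(qname, "AAAA", scn.recursor_transport, policy)
        if aaaa:
            return aaaa[0], ("ok" if scn.v6_path_ok else "broken")
    a = authoritative_answer(qname, "A", scn.recursor_transport, policy)
    return a[0], "ok"


# Constructed scenarios covering the cases argued in the thread.
SCENARIOS = [
    Scenario("v4-only client, v6 recursor", False, "v6", False),
    Scenario("v6 client, v4 recursor, v6 path works", True, "v4", True),
    Scenario("v6 client, v4 recursor, v6 path broken", True, "v4", False),
    Scenario("v6 client, v6 recursor, v6 path works", True, "v6", True),
    Scenario("v6 client, v6 recursor, v6 path broken", True, "v6", False),
]


def run(policy):
    """Map scenario name -> (address_used, outcome) under one policy."""
    return {s.name: connect(s, policy) for s in SCENARIOS}


def silently_downgraded(policy):
    """Scenarios where a client with working IPv6 end to end still never got
    an AAAA: the 'I have IPv6 everywhere but no AAAA' helpdesk case."""
    return [s.name for s in SCENARIOS
            if s.client_has_v6 and s.v6_path_ok
            and connect(s, policy)[0] == ZONE["www.example.net"]["A"]]


def broken(policy):
    """Scenarios that end with the client unable to reach the site."""
    return [name for name, (_, outcome) in run(policy).items()
            if outcome == "broken"]


if __name__ == "__main__":
    for policy in ("publish_both", "gate_by_transport"):
        print(policy)
        for name, (addr, outcome) in run(policy).items():
            print(f"  {name:42} -> {addr:14} {outcome}")
        print("  silently downgraded:", silently_downgraded(policy))
        print("  broken:", broken(policy))
```

Running it shows both halves of the argument side by side: gating by
query transport masks the "v6 client, v4 recursor, broken path" failure
that plain publishing exposes, but it does so by also downgrading the
"v6 client, v4 recursor, path works" case to IPv4 with nothing in the
answer to explain why, and neither policy helps the client whose recursor
already speaks IPv6 over a broken path.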
More information about the ipv6-ops mailing list