Thoughts about ipv6 white listing

George Bonser gbonser at seven.com
Sat Dec 4 12:43:49 CET 2010


> 
> > If a client right now asks for an AAAA record, they get NOERROR and I
> > have a log full of such requests.
> 
> You mean to say that what you stated is something you already do?

Yes.  If someone connects to my DNS server and requests an AAAA resource for something that does not have one but has an A record, they get NOERROR.  Do an AAAA request for www.seven.com for example.


> 
> Did you document this somewhere so that people can actually find this
> behavior and for which sites this is. This as people with problems do
> google nowadays and will shout on twitter, better have your answer
> ready for everybody to find. (do list all domains involved)

Huh?  What are you talking about?  That is the *standard* behavior for a DNS server.  Why should I document anything?  Everyone does that:

root at spare01:/var/lib/bind# dig AAAA www.google.com

; <<>> DiG 9.7.1-P2 <<>> AAAA www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58771



> 
> Except those people with good v6 connectivity, like me for instance,
> but who use a IPv4 DNS recursor, which can speak IPv6, won't get an AAAA
> record and are surprised they don't, while they could.

Right, then you would get a v4 record, just like you do today. No change.  When you get to a point where your recursive server is v6 capable, you will get the v6 resource.

> This while people who have broken IPv6 connectivity get an AAAA and it
> is still broken. Indeed no change at all.
> 
> Thus why are you trying to 'deploy' IPv6 again if you are actually not?
> There indeed won't be any change.

V6 will be deployed for people who have v6 and can request a v6 resource over v6.  The reason is very simple.  I don't have time to enter in white list entries for "joe's fish farm and Internet service".  If Joe's Fish Farm sends me an AAAA request that arrives over v6, I will honor it.  If Joe's Fish Farm sends me a request via v4, I am not sure of the state of their network so I am going to give them the "safe" response.

But for those who have their stuff together, v6 will work fine.
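The transport-based policy George describes, simulated as an added example (not code from the post or from seven.com's servers): the zone, names and addresses are constructed, and the decision is keyed on the address family of the querying resolver, which is why a dual-stack host behind an IPv4-only recursor still ends up with the "safe" empty answer.

```python
"""Simulate answering AAAA queries only when the query itself arrived over IPv6."""
import ipaddress
from dataclasses import dataclass, field

# Constructed zone for illustration; names and addresses are hypothetical
ZONE = {
    "www.example.net.": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
    "legacy.example.net.": {"A": ["192.0.2.20"]},  # no AAAA at all
}


@dataclass
class Response:
    rcode: str                       # "NOERROR" or "NXDOMAIN"
    answers: list = field(default_factory=list)


def answer(qname, qtype, querier_ip, zone=ZONE):
    """Return the response an authoritative server applying the policy would send.

    querier_ip is the source address of the query as seen by the authoritative
    server, i.e. the recursive resolver, not the end client behind it.
    """
    rrsets = zone.get(qname)
    if rrsets is None:
        return Response("NXDOMAIN")  # name does not exist at all
    arrived_over_v6 = ipaddress.ip_address(querier_ip).version == 6
    if qtype == "AAAA" and not arrived_over_v6:
        # The "safe" response: NOERROR with an empty answer section (NODATA),
        # indistinguishable from a name that simply has no AAAA record.
        return Response("NOERROR")
    return Response("NOERROR", list(rrsets.get(qtype, [])))


def pick_address(qname, querier_ip, zone=ZONE):
    """Mimic a dual-stack client that prefers AAAA and falls back to A."""
    for qtype in ("AAAA", "A"):
        resp = answer(qname, qtype, querier_ip, zone)
        if resp.rcode == "NXDOMAIN":
            return None
        if resp.answers:
            return resp.answers[0]
    return None
```

Running `pick_address("www.example.net.", "198.51.100.1")` returns the A record, while the same lookup from `2001:db8::1` returns the AAAA record.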