Thoughts about ipv6 white listing

bmanning at vacation.karoshi.com
Sat Dec 4 13:31:08 CET 2010


On Sat, Dec 04, 2010 at 03:36:14AM -0800, George Bonser wrote:
> 
> 
> > Except that people who have IPv4 on their side
> 
> No, a person who has v4 will see *exactly* the same behavior they see today.  They will ask for an A record and they will receive an A record.

	how are you SURE that a request for a AAAA record over v4 transport will never occur?
	(since this has been common behaviour for at least a decade or more)

> > 
> > How is this different from just publish both A and AAAA ?
> 
> The v6 server *will* publish both A and AAAA
> The v4 server will publish only A


	why do you suppose that the v6 instance can or should assume v4 reachability?
	why is it handing out A records?  

> 
> The reason is that if a request arrives via IPv4, I cannot be sure of the state of the requestor behind that request.  If an AAAA record request arrives by v6, at least I know that both the client *and* the dns server have v6 and if the server can reach me, most likely the client can too because both are on the same network.  Again, this isn't a website.  This is a client/server application and the client does not live on a PC.
> 

	as the DNS server, you have no idea what the routing looks like (v4/v6) from
	the client side.  you are conflating transport and data...  assuming that 
	transport has anything to do with the data being asked for.  this will get you
	into operational trouble. it did for me when I tried this in 2003.  best results
	seem to be handing back what was asked for, regardless of the transport used
	by the query.

	it is prudent to use the same transport the query used for your response. :)


--bill
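
One way to check for the transport/data conflation bill describes, as an added example that is not part of this thread: ask the same qtype (A and AAAA) over both IPv4 and IPv6 UDP transport and compare the answer RR types, so a server that hands back different data depending on which transport the query arrived on shows up. The server addresses and the name are assumed inputs supplied by the reader; SAMPLE_RESPONSE is a constructed packet for testing the parser offline, not a capture.

```python
import random
import socket
import struct

A, AAAA = 1, 28  # the two qtypes compared across transports

def build_query(name, qtype, txid=None):
    """Minimal DNS query: header with RD set, one IN question."""
    txid = random.randrange(0x10000) if txid is None else txid
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def answer_types(resp):
    """RR types in the answer section of a response; follows name-compression pointers."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    def skip_name(off):
        while True:
            length = resp[off]
            if length == 0:
                return off + 1
            if length & 0xC0 == 0xC0:  # a pointer is always the last part of a name
                return off + 2
            off += 1 + length
    off = 12
    for _ in range(qd):
        off = skip_name(off) + 4  # QTYPE + QCLASS
    types = []
    for _ in range(an):
        off = skip_name(off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return types

def query_over(family, server, name, qtype, timeout=2.0):
    """One UDP query over the given transport family; answer RR types, or None on error/timeout."""
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, qtype), (server, 53))
            return answer_types(sock.recvfrom(4096)[0])
        except OSError:
            return None

def transport_consistent(server_v4, server_v6, name):
    """True when each qtype gets the same answer types over v4 and v6 transport (assumed inputs)."""
    return all(query_over(socket.AF_INET, server_v4, name, qt) ==
               query_over(socket.AF_INET6, server_v6, name, qt) for qt in (A, AAAA))

# Constructed sample, not a capture: question example.com/A, one AAAA answer via pointer to offset 12.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x07example\x03com\x00"
                   + struct.pack("!HH", A, 1) + b"\xc0\x0c" + struct.pack("!HHIH", AAAA, 1, 60, 16) + bytes(16))
```

Run `transport_consistent("<v4 addr>", "<v6 addr>", "<name>")` against both addresses of your own authoritative server; False means the answer depended on the transport, which is exactly the behaviour the reply above argues against.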

