Thoughts about ipv6 white listing
tore.anderson at redpill-linpro.com
Sat Dec 4 17:25:24 CET 2010
* Gert Doering
> On Sat, Dec 04, 2010 at 11:47:47AM +0100, Jeroen Massar wrote:
>> There are two major problems with IPv6 deployment at the moment:
>> - broken CPE/NAT boxes with built-in DNS recursors which drop AAAA
>> queries (or anything they don't know for that matter).
> Which is a problem completely independent from the server side -
> these boxes will drop the queries no matter whether the server is
> publishing any, so it's not overly useful to worry about them when
> deciding whether to publish an AAAA record or not.
Actually, some HGW boxes have bugs in their DNS forwarders that will
only be exposed by AAAA records being present. For example, certain
D-Link models (at least DSL-584T, DSL-G664T, and DSL-G684T; there are
probably more) will send an A response to the stub resolver using the
first 32 bits of the IPv6 address returned from its upstream resolver.
If on the other hand there are no AAAA records present, the correct IPv4
address is returned.
If you ask such a box for the A and AAAA records of e.g. comcast6.net,
you'll get back 220.127.116.11 and 2001:558:1002:5:68:87:64:48, respectively.
Of course, the proposal being made here will not at all prevent such
bugs from being exposed, since the upstream resolvers might use IPv6 to
contact the authoritative name servers anyway.
Redpill Linpro AS - http://www.redpill-linpro.com/
Tel: +47 21 54 41 27
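Added illustration, not part of the message above: a small Python check that reproduces the forwarder behaviour Tore describes (A answer = first 32 bits of the AAAA answer) and compares it against what a resolver actually returned, so an operator can tell a truncated AAAA apart from a legitimate A record. The AAAA value is the one quoted in the post; the A values and the hostname are constructed, and the `lookup` helper is an assumption about how one would gather answers from the local stub resolver.

```python
import ipaddress
import socket

# Constructed sample answers for one hostname, as a stub resolver would
# receive them from a CPE forwarder. The AAAA is the address quoted in
# the post; the two A values are made up to show a buggy and a correct
# forwarder respectively.
SAMPLE_AAAA = ["2001:558:1002:5:68:87:64:48"]
SAMPLE_A_BUGGY = ["32.1.5.88"]         # = first 32 bits of the AAAA above
SAMPLE_A_CORRECT = ["198.51.100.10"]   # documentation range, constructed


def ipv6_leading32_as_ipv4(v6: str) -> ipaddress.IPv4Address:
    """Return the first 32 bits of an IPv6 address read as an IPv4 address.

    This is exactly what the buggy D-Link forwarder hands back as an A
    answer, so it is the value a real A answer must be compared against.
    """
    packed = ipaddress.IPv6Address(v6).packed   # 16 bytes, network order
    return ipaddress.IPv4Address(packed[:4])


def looks_like_truncated_aaaa(a_answers, aaaa_answers) -> bool:
    """True if every A answer equals the leading 32 bits of some AAAA answer.

    Requiring all A answers to match keeps coincidental false positives
    (a host whose real IPv4 happens to equal its IPv6 prefix) negligible.
    """
    if not a_answers or not aaaa_answers:
        return False
    truncated = {ipv6_leading32_as_ipv4(v6) for v6 in aaaa_answers}
    return all(ipaddress.IPv4Address(a) in truncated for a in a_answers)


def lookup(hostname: str):
    """Collect A and AAAA answers via the system resolver (needs network).

    Assumed helper: returns ([] , []) for a family with no answers.
    """
    def query(family):
        try:
            return sorted({r[4][0] for r in socket.getaddrinfo(hostname, None, family)})
        except socket.gaierror:
            return []
    return query(socket.AF_INET), query(socket.AF_INET6)


if __name__ == "__main__":
    for label, a in (("buggy", SAMPLE_A_BUGGY), ("correct", SAMPLE_A_CORRECT)):
        print(label, "->", "suspect" if looks_like_truncated_aaaa(a, SAMPLE_AAAA) else "ok")
```

Run `lookup("comcast6.net")` from behind a suspect box and feed the result to `looks_like_truncated_aaaa` to test a real forwarder; a "suspect" verdict for several dual-stacked names is the signature of this bug.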