My understanding is that to check against an IPv6 address, an
ip6.arpa style entry is used with the DNSBL domain name appended, and
this is looked up - if an A record comes back the client is deemed to
be blacklisted, with an optional TXT field stating the reason.
I suspect one comment might be that in an IPv6-only environment, one
might prefer to use the presence of an AAAA record to determine
whether an IPv6 client is blacklisted or not.
This has come up before -- the A record isn't an address, it's a bit
mask or a group of bit fields, and the code that interprets it should
be the same regardless of whether the original lookup was for a v4
address, a v6 address, or a domain name.
Perhaps the discussion in Dublin that I caught half of was what IPv6
address to use in the AAAA record if one was used for IPv6 DNSxLs?
(where 127.0.0.2 is used for IPv4)
Right -- that's the incoming address, not the result. We need one
test address that is always listed, and one that is never listed,
ideally both from address ranges which, like 127/8, should never appear
on an actual network.
In practice with IPv6 you will almost certainly want to list a whole /64
since in most situations a client can essentially pick any IPv6 address
from its onlink /64 to use.
Agreed. Existing DNSBLs either use specialized servers which use a
table of listed CIDR ranges to synthesize result records, or else
ordinary DNS wildcards, e.g., to list 192.168/16 you'd include
*.168.192.example.org. As far as I know, those both should be equally
doable with v6 addresses.
Asrg mailing list
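The mechanics discussed across this thread, as an added worked example that is not code from the list or from any real DNSBL: it builds the query name (reversed octets for IPv4, reversed nibbles for IPv6) with the DNSBL zone appended, decodes the returned A record as a bit field with one decoder regardless of address family, and simulates the "specialized server" model by longest-prefix matching the queried address against a table of listed CIDR ranges, including a whole /64. It also prints the ordinary DNS wildcard name that would list the same prefix. The zone name `dnsbl.example.org` and the listing table are constructed for illustration; 127.0.0.2 as the always-listed IPv4 test address comes from the thread, while no IPv6 test address is chosen because the thread leaves that open.

```python
"""IPv4/IPv6 DNSBL name construction, result decoding and CIDR-based
result synthesis.  Hypothetical zone and constructed listing table;
not code from the thread or from any real DNSBL."""
import ipaddress

ZONE = "dnsbl.example.org"  # hypothetical DNSBL zone name

# Constructed listing table: (network, A record to synthesize).  A real
# specialized server would read this from its listing database.
LISTED = [
    (ipaddress.ip_network("192.168.0.0/16"), "127.0.0.2"),
    (ipaddress.ip_network("2001:db8:1:2::/64"), "127.0.0.6"),  # whole /64
    (ipaddress.ip_network("127.0.0.2/32"), "127.0.0.2"),  # IPv4 test address
]


def dnsbl_query_name(addr, zone=ZONE):
    """Reversed octets for IPv4, reversed nibbles (ip6.arpa style) for
    IPv6, with the DNSBL zone appended."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        labels = str(ip).split(".")
    else:
        labels = list(ip.exploded.replace(":", ""))  # 32 hex digits
    return ".".join(reversed(labels)) + "." + zone


def wildcard_name(network, zone=ZONE):
    """Ordinary DNS wildcard that lists a whole prefix, e.g.
    192.168/16 -> *.168.192.<zone>.  Only prefixes ending on a label
    boundary (multiple of 8 bits for IPv4, 4 bits for IPv6) fit."""
    net = ipaddress.ip_network(network)
    bits_per_label = 8 if net.version == 4 else 4
    if net.prefixlen % bits_per_label:
        raise ValueError("prefix does not end on a label boundary")
    labels = dnsbl_query_name(net.network_address, zone).split(".")
    total = 4 if net.version == 4 else 32
    keep = net.prefixlen // bits_per_label
    return "*." + ".".join(labels[total - keep:])


def name_to_address(query_name, zone=ZONE):
    """Inverse of dnsbl_query_name, as a synthesizing server must do it.
    Returns None for names that are not a well-formed v4 or v6 lookup."""
    suffix = "." + zone
    if not query_name.endswith(suffix):
        return None
    labels = query_name[:-len(suffix)].split(".")
    try:
        if len(labels) == 4:
            return ipaddress.ip_address(".".join(reversed(labels)))
        if len(labels) == 32:
            hexstr = "".join(reversed(labels))
            groups = [hexstr[i:i + 4] for i in range(0, 32, 4)]
            return ipaddress.ip_address(":".join(groups))
    except ValueError:
        return None
    return None


def synthesize_answer(query_name, zone=ZONE, listed=LISTED):
    """Simulated specialized DNSBL server: longest-prefix match of the
    queried address against the CIDR table.  Returns the A record text,
    or None to mean NXDOMAIN (not listed)."""
    ip = name_to_address(query_name, zone)
    if ip is None:
        return None
    best = None
    for net, record in listed:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, record)
    return best[1] if best else None


def decode_result(a_record):
    """Treat the A record as a bit field, not an address: one decoder for
    v4, v6 and domain-name lookups alike.  Returns the set of bit
    positions set in the low 24 bits, or None if the answer is outside
    127/8 (the usual convention; anything else suggests an interfering
    resolver rather than a listing)."""
    ip = ipaddress.ip_address(a_record)
    if ip.version != 4 or ip not in ipaddress.ip_network("127.0.0.0/8"):
        return None
    value = int(ip) & 0xFFFFFF
    return {b for b in range(24) if value >> b & 1}


def check(addr, zone=ZONE, listed=LISTED):
    """End to end: build the name, ask the simulated server, decode."""
    answer = synthesize_answer(dnsbl_query_name(addr, zone), zone, listed)
    return None if answer is None else decode_result(answer)


if __name__ == "__main__":
    for a in ("192.168.55.1", "10.0.0.1", "2001:db8:1:2:1234::1",
              "2001:db8:1:3::1", "127.0.0.2", "127.0.0.1"):
        print(a, dnsbl_query_name(a), check(a))
    print(wildcard_name("192.168.0.0/16"))
    print(wildcard_name("2001:db8:1:2::/64"))
```

Any address inside 2001:db8:1:2::/64 decodes to the same bits as the /64 entry, which is the point of listing the whole prefix rather than the single address a client happened to pick; 127.0.0.1 is never listed and 127.0.0.2 always is, giving the two IPv4 sanity checks the thread asks for.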