ietf

Re: more on IPv6 address space exhaustion

2000-08-14 14:50:02
I wrote:

| Consider the IPv6 [SELECT] draft -- if you have an algorithm in 
| your host which allows only "kid-safe" connections (e.g., if you get
| back several AAAA RRs, discard any that are not "kid-safe") -- then
| you can connect to the "www.disney.com" servers (and they to you),
| but not to the "www.veryhotsexnow.com" ones, since either they
| would not have AAAA RRs in the first place, or those addresses
| would not be reachable on the Internet.

I meant:

Send packets outbound ONLY to addresses in the "kid-safe" TLA,
which is easy (maintain only one route).  Discarding "non-kid-safe" AAAA RRs
is an optimization.  

A DNS lookup of "www.veryhotsexnow.com" might not resolve at all,
or might resolve to a basket of AAAA RRs, none of which is in the
"kid-safe" space.  In the event the DNS admins of "veryhotsexnow.com"
are clever and _lie_ in their response, traffic from you will not
flow to the right place, unless they somehow subvert the routing system.

However, a DNS lookup of "www.disney.com" likely would resolve
to a basket of AAAA RRs, one of which likely would be in the "kid-safe" TLA.
As the host can only connect to that AAAA RR, discarding the others
makes sense to avoid long connect timeouts.

One can even imagine the first-hop ISP imposing filters to frustrate
clever children who might otherwise work around any protection mechanism
in the host itself.  It only takes disallowing IPv6 traffic to the host
from any TLA other than the "kid-safe" one.

Incidentally, this sort of thing reveals to me the stark horror of
NAT in an IPv6 Internet -- a misfiring rewrite rule could expose innocent
children to shocking content their parents may not be equipped to explain.

        Sean.
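The policy sketched in the message above, worked through as an added example (this is not code from the original post or from any IETF draft). It assumes a hypothetical "kid-safe" TLA represented by the documentation prefix 2001:db8::/32, a constructed miniature routing table whose prefixes and site names are invented, and constructed AAAA answers for the three cases Sean discusses: a site with one address inside the TLA, a site with none, and a site whose DNS lies by answering with an in-TLA address it does not hold.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

# Hypothetical stand-in for the "kid-safe" TLA (the post names no prefix):
# the IPv6 documentation range is used so the example collides with nothing real.
KID_SAFE_TLA = ipaddress.IPv6Network("2001:db8::/32")


def in_kid_safe_tla(addr: str) -> bool:
    """True if an address falls inside the kid-safe TLA."""
    return ipaddress.IPv6Address(addr) in KID_SAFE_TLA


def select_aaaa(aaaa_rrs: Iterable[str]) -> List[str]:
    """The optimization from the post: drop AAAA RRs the host could never
    reach anyway, so connect() does not stall on them."""
    return [a for a in aaaa_rrs if in_kid_safe_tla(a)]


def host_allows_outbound(dst: str) -> bool:
    """The real control: the host carries exactly one route (the kid-safe
    TLA), so any other destination is simply unroutable from this host."""
    return in_kid_safe_tla(dst)


def isp_allows_inbound(src: str, dst_is_protected_host: bool = True) -> bool:
    """The first-hop ISP filter: refuse IPv6 traffic to the protected host
    from any TLA other than the kid-safe one."""
    return (not dst_is_protected_host) or in_kid_safe_tla(src)


# Constructed miniature "routing system": who actually holds each prefix.
# Prefixes and names are invented for the example.
ROUTING_SYSTEM: Dict[ipaddress.IPv6Network, str] = {
    ipaddress.IPv6Network("2001:db8:1::/48"): "disney-kidsafe",
    ipaddress.IPv6Network("2001:db8:ffff::/48"): "some-other-kidsafe-site",
    ipaddress.IPv6Network("3ffe:1234::/32"): "disney-general",
    ipaddress.IPv6Network("3ffe:abcd::/32"): "veryhotsexnow",
}


def where_traffic_goes(dst: str) -> Optional[str]:
    """Longest-prefix match against the routing system, ignoring whatever a
    DNS server claimed: packets go to the holder of the prefix."""
    addr = ipaddress.IPv6Address(dst)
    best = None
    for net, owner in ROUTING_SYSTEM.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, owner)
    return best[1] if best else None


def connect(aaaa_rrs: Iterable[str]) -> Optional[str]:
    """Whole client path: filter the answers, take the first usable address,
    consult the single route, and report which site the packets reach
    (None means no connection is possible)."""
    for addr in select_aaaa(aaaa_rrs):
        if host_allows_outbound(addr):
            return where_traffic_goes(addr)
    return None


# Constructed sample DNS answers for the three cases discussed in the post.
DISNEY_AAAA = ["3ffe:1234::80", "2001:db8:1::80"]        # one inside the TLA
VERYHOTSEXNOW_AAAA = ["3ffe:abcd::80", "3ffe:abcd::81"]  # none inside the TLA
LYING_AAAA = ["2001:db8:ffff::80"]                        # forged in-TLA answer

if __name__ == "__main__":
    print("disney ->", connect(DISNEY_AAAA))
    print("veryhotsexnow ->", connect(VERYHOTSEXNOW_AAAA))
    print("lying ->", connect(LYING_AAAA))
```

The point the lying case makes is that the DNS answer controls only which address the host tries; the routing system decides where the packets land, so a forged in-TLA answer delivers the traffic to whoever legitimately holds that prefix, never to the lying site, unless the routing system itself is subverted.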