
Re: [Asrg] Another dnsbl draft, now standards flavored

2008-07-28 20:41:05
On Tue, Jul 29, 2008 at 02:43:37AM +0200, Frank Ellermann wrote:
> Walter Dnes wrote:

> > - If a server gets a query via IPV4, it should return an A record
> > - If a server gets a query via IPV6, it should return an AAAA record

> That's IMO a bit exaggerated; DNSBLs in essence (ab)use one IPv4
> 127.0.0.2 to signal "listed".  Extended to 127/8, maybe avoiding
> 127/31, to indicate also some kind of reason, e.g. defining sets
> for the up to 32-8 (or 32-8-1) "free" bits in this range.

  This is a case of "everything you know is wrong", because there are
fundamental differences between IPV4 and IPV6.  In short, *** IPV6 DOES
NOT HAVE ANYTHING EQUIVALENT TO IPV4's 127.0.0.0/8 address range ***.
It's true that IPV6 ::1 is the functional equivalent of IPV4's
127.0.0.1.  But unlike IPV4, which devotes 16 million addresses to
"this machine", IPV6 allocates only 1 address to "this machine".  Given
that IPV6 doesn't have such a range, I suggested using the
RFC1918-equivalent range fc00:: /7 instead.  It's sort of like
192.168.0.0 /16, but with a lot more room.

> An open question is which IPv6 could be used as test entry, to
> check that a DNSBL is alive and supporting IPv6.  The draft has
> it clear that ::1 MUST NOT be listed (like 127.0.0.1), that is
> good to find maniacs suddenly listing "the world" (it happened).

::1 is *NOT* part of a "this machine" address range, because there
ain't no such animal in IPV6.  Don't assume that you can play fast and
loose with 16 million addresses in the range ::0 to ::FF:FF:FF:FF.
This doesn't exclude the possibility of using ::2 as a test address.
I feel that meta-data/control-data should be "out-of-band" from actual
data.  Not only should the submitted address be out-of-band, so should
the result.  Again, I suggest checking with the official IPV6 gurus, as
to which addresses we can safely use.

> The draft proposes (or proposed if John changed it) to use ::2
> as test entry (like 127.0.0.2).  I wasn't sure if this is as it
> should be, and proposed ::FFFF:127.0.0.2 (as the always listed
> IPv6 test entry).

  We don't know what will happen with that range once IPV4 goes away,
and why restrict ourselves to 24 bits, anyways?

> DNSBLs don't need more "reason codes" than 127/8 (minus 127/31
> in my parallel universe, but that is not a part of the draft).

  That attitude is what got us into this mess in the first place.  If
CIDRs and NAT had been used from day 1, we'd be another few years from
running out of addresses.

-- 
Walter Dnes <waltdnes(_at_)waltdnes(_dot_)org>
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/asrg
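Added example, not part of the thread above and not code from the draft or from either poster: a small Python sketch of the client side of the conventions under discussion. It builds the reversed-octet (IPv4) and reversed-nibble (IPv6, assumed here to be the form the draft uses) query names, decodes a 127/8 A-record answer into "listed" plus the 24 low bits as a reason code, and runs the two health checks Frank mentions: 127.0.0.1 / ::1 MUST NOT be listed, while the test entries 127.0.0.2 / ::FFFF:127.0.0.2 must be. The zone name `dnsbl.example` and the in-memory zones are constructed sample data so the script runs offline; swap `lookup_factory` for a real resolver to use it against a live list.

```python
import ipaddress

ZONE = "dnsbl.example"  # constructed sample zone name, not a real DNSBL


def dnsbl_query_name(addr, zone):
    """Build the query name for an address under a DNSBL zone.

    IPv4: octets reversed (1.2.0.192.zone for 192.0.2.1).
    IPv6: all 32 hex nibbles reversed, one label each (assumed draft form).
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + "." + zone
    nibbles = ip.exploded.replace(":", "")  # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + "." + zone


def decode_reply(answer):
    """Interpret an A-record answer from a DNSBL.

    Only 127.0.0.0/8 means "listed"; the low 24 bits carry the reason code
    Frank describes. Anything else is an unexpected answer and is treated
    as not listed so a misconfigured list cannot block traffic by accident.
    """
    ip = ipaddress.ip_address(answer)
    if ip.version != 4 or ip not in ipaddress.ip_network("127.0.0.0/8"):
        return {"listed": False, "reason": None, "sane": False}
    return {"listed": True, "reason": int(ip) & 0xFFFFFF, "sane": True}


def lookup_factory(zone_data):
    """Return a lookup(qname) -> answer-or-None function over an in-memory
    zone; None stands in for NXDOMAIN (not listed). Replace with a real
    resolver call to query a live list."""
    return lambda qname: zone_data.get(qname)


def check_dnsbl_health(zone, lookup):
    """Sanity-check a DNSBL before trusting it. Returns a list of problems
    (empty list = healthy). Mirrors the thread's two concerns: a list that
    answers for 127.0.0.1 / ::1 is "listing the world"; a list that does not
    answer for its test entries is dead or not IPv6-capable."""
    problems = []
    for addr in ("127.0.0.1", "::1"):
        ans = lookup(dnsbl_query_name(addr, zone))
        if ans is not None and decode_reply(ans)["listed"]:
            problems.append(addr + " is listed: zone may be listing the world")
    for addr in ("127.0.0.2", "::FFFF:127.0.0.2"):
        ans = lookup(dnsbl_query_name(addr, zone))
        if ans is None or not decode_reply(ans)["listed"]:
            problems.append(addr + " is not listed: zone may be dead")
    return problems


# Constructed sample zones (not real listings).
GOOD_ZONE = {
    dnsbl_query_name("127.0.0.2", ZONE): "127.0.0.2",
    dnsbl_query_name("::FFFF:127.0.0.2", ZONE): "127.0.0.2",
    dnsbl_query_name("192.0.2.1", ZONE): "127.0.1.2",  # listed, reason code 258
}
BROKEN_ZONE = dict(GOOD_ZONE)
BROKEN_ZONE[dnsbl_query_name("::1", ZONE)] = "127.0.0.2"  # the "lists the world" failure


if __name__ == "__main__":
    for name, data in (("good", GOOD_ZONE), ("broken", BROKEN_ZONE)):
        print(name, check_dnsbl_health(ZONE, lookup_factory(data)) or "healthy")
    ans = lookup_factory(GOOD_ZONE)(dnsbl_query_name("192.0.2.1", ZONE))
    print("192.0.2.1 ->", decode_reply(ans))
```

The reason-code decoding keeps only the 24 low bits, so 127.0.1.2 yields 258; a list that wanted to reserve 127/31 as Frank suggests would simply never emit codes 0 and 1.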