ietf-asrg

Re: [Asrg] For DNSBLs, embedded IPv4 in IPv6

2008-08-04 06:41:42
On Mon, Aug 04, 2008 at 01:01:55PM -0000, John Levine wrote:
> Someone pointed out that in some popular dual stack systems,
> connections from IPv4 addresses appear as IPv6 addresses
> in :FFFF:0000:0000/96
>
> Could someone explain why a DNSBL needs to return IPV6 addresses?
>
> I don't know anyone who thinks that a DNSBL should return anything
> other than A and TXT records.  What leads you to believe otherwise?

My background is someone who has been running IPv6 (dual-stack) for
quite a while in an enterprise, whose site has a history in producing
open source anti-spam solutions, and who 'stumbled' into the ASRG meeting
in Dublin after it started :) It seems there are some questions
about IPv6 for which I haven't quite yet done the context switch.

My understanding is that to check against an IPv6 address, an ip6.arpa
style entry is used with the DNSBL domain name appended, and this is 
looked up - if an A record comes back the client is deemed to be blacklisted,
with an optional TXT field stating the reason. 

I suspect one comment might be that in an IPv6-only environment, one
might prefer to use the presence of an AAAA record to determine whether
an IPv6 client is blacklisted or not. Perhaps the discussion in Dublin
that I caught half of was what IPv6 address to use in the AAAA record
if one was used for IPv6 DNSxLs? (where 127.0.0.2 is used for IPv4)

In practice with IPv6 you will almost certainly want to list a whole /64
since in most situations a client can essentially pick any IPv6 address
from its on-link /64 to use.

-- 
Tim
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/asrg
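
The following is an added example, not part of the original message: it builds the ip6.arpa-style query name described in the message, folds IPv4-mapped addresses reported by dual-stack sockets back into an ordinary IPv4 lookup, and derives the name suffix shared by every address in a /64. The zone `dnsbl.example` and the function names are assumptions made for illustration; no DNS query is sent.

```python
import ipaddress


def dnsbl_query_name(client: str, zone: str) -> str:
    """Return the name a mail server would look up in `zone` for `client`."""
    addr = ipaddress.ip_address(client)
    # A dual-stack listener can report an IPv4 peer as ::ffff:a.b.c.d.
    # Treat it as the IPv4 address it really is, so IPv4 listings still match.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.version == 4:
        # IPv4: octets in reverse order, as with in-addr.arpa.
        labels = reversed(str(addr).split("."))
    else:
        # IPv6: all 32 hex nibbles in reverse order, as with ip6.arpa.
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.strip(".")


def slash64_suffix(client: str, zone: str) -> str:
    """Return the name suffix common to every address in the client's /64.

    The first 16 labels of the query name are the reversed interface
    identifier (low 64 bits); dropping them leaves the reversed /64 prefix
    plus the zone. A list operator could key a whole-/64 listing on this
    suffix (how the zone publishes it is outside this sketch).
    """
    addr = ipaddress.IPv6Address(client)
    if addr.ipv4_mapped is not None:
        raise ValueError("IPv4-mapped address: list it as IPv4, not as a /64")
    return dnsbl_query_name(client, zone).split(".", 16)[16]


if __name__ == "__main__":
    zone = "dnsbl.example"  # constructed placeholder zone
    for peer in ("192.0.2.99", "::ffff:192.0.2.99", "2001:db8::1"):
        print(peer, "->", dnsbl_query_name(peer, zone))
    print("/64 suffix:", slash64_suffix("2001:db8::dead:beef", zone))
```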