
Re: [Asrg] For DNSBLs, embedded IPv4 in IPv6

2008-08-04 07:20:35
> My understanding is that to check against an IPv6 address, an
> ip6.arpa style entry is used with the DNSBL domain name appended, and
> this is looked up - if an A record comes back the client is deemed to
> be blacklisted, with an optional TXT field stating the reason.

That's right.

> I suspect one comment might be that in an IPv6-only environment, one
> might prefer to use the presence of an AAAA record to determine
> whether an IPv6 client is blacklisted or not.

This has come up before -- the A record isn't an address, it's a bit
mask or a group of bit fields, and the code that interprets it should
be the same regardless of whether the original lookup was for a v4
address, a v6 address, or a domain name.

> Perhaps the discussion in Dublin that I caught half of was what IPv6
> address to use in the AAAA record if one was used for IPv6 DNSxLs?
> (where 127.0.0.2 is used for IPv4)

Right -- that's the incoming address, not the result.  We need one
test address that is always listed, and one that is never listed,
ideally both from address ranges which like 127/8 should never appear
on an actual network.

> In practice with IPv6 you will almost certainly want to list a whole /64
> since in most situations a client can essentially pick any IPv6 address
> from its onlink /64 to use.

Agreed.  Existing DNSBLs either use specialized servers which use a
table of listed CIDR ranges to synthesize result records, or else
ordinary DNS wildcards, e.g., to list 192.168/16 you'd include
*.168.192.example.org.  As far as I know, those both should be equally
doable with v6 addresses.

R's,
John
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www.ietf.org/mailman/listinfo/asrg
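The thread above covers three mechanics: building the reversed lookup name for a v4 or v6 address, listing a whole block with a DNS wildcard (192.168/16 as *.168.192.example.org, or a v6 /64), and reading the 127.0.0.x answer as a bit field regardless of what was queried. The following Python is an added example illustrating those mechanics; it is not code from the thread, from any DNSBL operator or from the IETF. The zone name dnsbl.example.org, the in-memory zone, and the meaning assigned to result bits 2 and 4 are all constructed for the demonstration, and the resolver is a deliberate simplification of DNS wildcard matching.

```python
import ipaddress

# Constructed zone name for the demo; not a real DNSBL.
ZONE = "dnsbl.example.org"

# Hypothetical meaning of the bits in the last octet of a 127.0.0.x answer.
# Real lists publish their own table; these two labels are invented here.
RESULT_BITS = {2: "spam-source", 4: "open-relay"}


def dnsbl_query_name(addr, zone=ZONE):
    """Reverse an IPv4 or IPv6 address into the DNSBL lookup name.

    IPv4 uses the dotted octets in reverse (in-addr.arpa style); IPv6 uses
    the 32 hex nibbles in reverse (ip6.arpa style).  The list's zone takes
    the place of the .arpa suffix.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        labels = str(ip).split(".")
    else:
        labels = list(ip.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def dnsbl_wildcard_name(cidr, zone=ZONE):
    """Wildcard owner name that lists a whole block with one record:
    192.168.0.0/16 -> *.168.192.<zone>, a v6 /64 -> *.<16 reversed nibbles>.<zone>.

    Only prefixes on a label boundary (multiple of 8 bits for v4, of 4 bits
    for v6) can be expressed as a plain wildcard; anything else needs a
    server that synthesizes answers from a CIDR table.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    bits_per_label = 8 if net.version == 4 else 4
    if net.prefixlen % bits_per_label:
        raise ValueError("prefix %s is not on a label boundary" % cidr)
    keep = net.prefixlen // bits_per_label
    if net.version == 4:
        labels = str(net.network_address).split(".")[:keep]
    else:
        labels = list(net.network_address.exploded.replace(":", ""))[:keep]
    return "*." + ".".join(reversed(labels)) + "." + zone


def lookup(name, zone_data):
    """Simplified resolver over an in-memory zone: exact owner name first,
    then any wildcard whose suffix matches.  Real DNS wildcard rules
    (RFC 4592) are stricter; this is enough to show the listing mechanics.
    Returns the A record string, or None when nothing matches."""
    if name in zone_data:
        return zone_data[name]
    for owner, rdata in zone_data.items():
        if owner.startswith("*.") and name.endswith(owner[1:]):
            return rdata
    return None


def decode_result(a_record, bits=RESULT_BITS):
    """Interpret a DNSBL answer as a bit field.

    The same decoding applies whether the query was for a v4 address, a v6
    address or a domain name: the A record is a code, not a host address.
    Returns None when not listed, otherwise the set of flags that are set.
    """
    if a_record is None:
        return None
    ip = ipaddress.IPv4Address(a_record)
    if ip not in ipaddress.IPv4Network("127.0.0.0/8"):
        # An answer outside 127/8 is not a DNSBL result (for example a parked
        # domain answering with a web server); it must not count as a listing.
        raise ValueError("unexpected DNSBL answer %s" % a_record)
    code = int(ip) & 0xFF  # the low octet carries the bit fields
    return {label for bit, label in bits.items() if code & bit}


# Constructed zone: one always-listed test entry, one v4 /16, one v6 /64.
ZONE_DATA = {
    dnsbl_query_name("127.0.0.2"): "127.0.0.2",
    dnsbl_wildcard_name("192.168.0.0/16"): "127.0.0.4",
    dnsbl_wildcard_name("2001:db8:1:2::/64"): "127.0.0.6",
}


def check(addr, zone_data=ZONE_DATA):
    """Full client path: build the name, resolve it, decode the answer."""
    return decode_result(lookup(dnsbl_query_name(addr), zone_data))


if __name__ == "__main__":
    for a in ("127.0.0.2", "192.168.5.7", "2001:db8:1:2::abcd", "10.0.0.1"):
        print(a, "->", dnsbl_query_name(a), "->", check(a))
```

Note that `check` never looks at the address family once the name is built, which is the point made in the reply about the A record being a bit mask rather than an address; the 127/8 check in `decode_result` is the guard a practitioner wants against a withdrawn or parked list suddenly "listing" everything.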