[RPZ] Unwanted AAAA records; replace A with authoritative response

Paul Vixie vixie at isc.org
Thu Nov 3 20:39:55 UTC 2011 

On Wednesday, November 02, 2011 13:42:13 Jan-Piet Mens wrote:
> I've just been asked whether it would be possible to create an RPZ which
> hides broken (for any definition of broken) IPv6 sites. My solution is
> to create a record for the site with a corresponding A answer so that
> BIND replies there is no AAAA
> 
>         jpmens.net.rpz-net.  A  95.143.172.12
> 
> That works well enough with BIND 9.9.0a3, but it means records need to
> be populated with the A addresses.

this is a really terrible idea, for the reasons vjs described.

> Is there some trick to have the original authoritative A response
> returned instead of manually adding it to the RPZ zone? Something like
> 
>         jpmens.net.rpz-net.  A  *
> 
> I've tried that, but BIND correctly complains about an incorrect
> address :)

to the extent that you're willing to do the inventory control work of finding 
out who is advertising AAAA's that make their services less reachable, your 
highest-leverage goal would be: telling these folks to fix their IPv6 or to 
douse their AAAA until they've fixed their IPv6.

but i suspect that in many cases the inability to reach someone's IPv6 service 
will be pairwise rather than sourcewise or destinationwise. that is, the 
people whose IPv6 services you can't reach might well be reachable by many 
others besides you, and you might be able to reach many other IPv6 services 
besides that one. here, the purist answer is the same, spend your time fixing 
the pairwise problems. but, the case can definitely be made that using RPZ as 
a form of "DNS whiteout" would improve services. the danger is that the RPZ 
data becomes stale, and is still in use many years after the pairwise problems 
have been repaired. (UUCP path reoptimizers, i'm looking at *you*.)

the "happy eyeballs" folks have been working hard in this specific area:

http://tools.ietf.org/html/draft-ietf-v6ops-happy-eyeballs-05

i think the approaches described in that draft are better than "DNS whiteout".

paul

More information about the DNSfirewalls mailing list