<div dir="ltr">Hi folks,<div><br></div><div>I recently received an issue which I would like to use RPZ to resolve, but I'm not sure RPZ fits this situation. I put this in the following text. It's appreciated if anyone can give me some clue on this.</div><div><p class="gmail-MsoPlainText"><span lang="EN-US">* Background</span></p>
<p class="gmail-MsoPlainText"><span lang="EN-US">A lot of websites use CDNs to replicate
their content and bring it close to their users. </span>It is a common tool to improve their
users' experience. However, when it comes to updating websites to support IPv6,
there is a mismatch between websites and their CDNs.</p>
<p class="gmail-MsoPlainText"><span lang="EN-US"> </span>There are cases where some advanced
websites update their DNS and web servers to support IPv6. But most CDNs (or their long-term
CDNs) are not ready for IPv6, which means these CDNs' authoritative servers have no answer to
AAAA queries. Once there is a CNAME in the zone, there is no room for an AAAA record to be
added to the domain of that website. It is a dilemma for website operators to
choose: either postpone their IPv6 plan or give up using CDNs.</p>
<p class="gmail-MsoPlainText"><span lang="EN-US">Note: choosing another IPv6-enabled CDN
is out of the scope of this draft.</span></p>
<p class="gmail-MsoPlainText"><span lang="EN-US">* The proposal</span></p>
<p class="gmail-MsoPlainText"><span lang="EN-US">The intuitive idea for this problem is to
hack the website's DNS system to break the CNAME context and add an AAAA record to that
zone. It is expected to respond with an IPv6 address to an AAAA-type query. </span></p><p class="gmail-MsoPlainText">A lighter approach is to put a proxy or
dnsdist in front of the authoritative server to respond as desired.</p>
<p class="gmail-MsoPlainText"><span lang="EN-US"> </span>A more natural way is to harness the
existing RPZ (Response Policy Zone) to accommodate the requirement based on a
local policy. The local policy is that if the response returns only a CNAME to an
AAAA-type query, the server should respond with a configured AAAA record.</p>
<p class="gmail-MsoPlainText"><span lang="EN-US">* Issues using RPZ (my personal
experience)</span></p>
<p class="gmail-MsoPlainText"><span lang="EN-US">By searching the RPZ configuration
rules, there is only one trigger, the IP trigger, which operates on the answer section
of an A/AAAA query. But that trigger is performed exactly on the IPv4/IPv6
address contained as an answer in a DNS response. There is no trigger in RPZ
that reacts exactly according to the proposal.</span></p><p class="gmail-MsoPlainText"><span lang="EN-US">Best regards,<br></span>Davey</p></div></div>
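<p>The local policy Davey describes (an AAAA query that comes back from upstream as nothing but a CNAME chain gets answered with an operator-configured AAAA record) as an added, self-contained Python example. This is not code from the mail, from BIND/RPZ or from dnsdist; it models the decision a proxy or RPZ "local data" rule would have to make over a toy RR representation. The names <code>www.example.test</code>, <code>cdn.example.net</code> and the address <code>2001:db8::1</code> are constructed sample data.</p>

```python
"""Illustrative "CNAME-only AAAA" response policy (constructed example).

Models the local policy from the mail above: when an AAAA query comes back
from upstream with nothing but a CNAME chain (the CDN publishes no AAAA data),
answer with an operator-configured AAAA record instead, the way an RPZ
"local data" rule would.  Plain Python over a toy RR representation; it is
not BIND, RPZ or dnsdist code and uses no real-world names or addresses.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RR:
    name: str    # owner name, lowercase, with trailing dot
    rtype: str   # "CNAME", "A", "AAAA", ...
    rdata: str   # CNAME target or address literal
    ttl: int = 300


@dataclass
class Response:
    qname: str
    qtype: str
    answer: list = field(default_factory=list)   # answer-section RRs only


def canon(name):
    """Lowercase and add the trailing dot so names compare reliably."""
    n = name.lower()
    return n if n.endswith(".") else n + "."


def cname_chain_target(qname, answer):
    """Follow CNAME RRs from qname and return the terminal owner name.
    A loop or a dangling CNAME simply ends the walk at the last name seen."""
    hops = {canon(rr.name): canon(rr.rdata) for rr in answer if rr.rtype == "CNAME"}
    cur, seen = canon(qname), set()
    while cur in hops and cur not in seen:
        seen.add(cur)
        cur = hops[cur]
    return cur


def answer_is_cname_only(answer):
    """True when the answer section is non-empty and holds nothing but CNAMEs."""
    return bool(answer) and all(rr.rtype == "CNAME" for rr in answer)


def load_policy(table):
    """Validate the configured qname -> IPv6 mapping; reject anything not IPv6."""
    policy = {}
    for name, addr in table.items():
        ip = ipaddress.ip_address(addr)
        if ip.version != 6:
            raise ValueError(f"{name}: {addr} is not an IPv6 address")
        policy[canon(name)] = ip.compressed
    return policy


def apply_policy(resp, policy, ttl=300):
    """Return (response, verdict). The verdict string is meant for a policy log."""
    qname = canon(resp.qname)
    if resp.qtype != "AAAA":
        return resp, "pass: not an AAAA query"
    if qname not in policy:
        return resp, "pass: no local AAAA policy for qname"
    if any(rr.rtype == "AAAA" for rr in resp.answer):
        return resp, "pass: upstream already answered with AAAA"
    if not answer_is_cname_only(resp.answer):
        return resp, "pass: answer is not a CNAME-only chain"
    target = cname_chain_target(qname, resp.answer)
    # Replace the whole answer with one AAAA at the query name (RPZ local-data
    # style) instead of forging an AAAA under the CDN's own name.
    rewritten = Response(resp.qname, resp.qtype,
                         [RR(qname, "AAAA", policy[qname], ttl)])
    return rewritten, (f"rewrite: chain ended at {target} with no AAAA; "
                       f"answering {policy[qname]} from local policy")


# Constructed sample data: a site whose www name CNAMEs into an IPv4-only CDN.
POLICY = load_policy({"www.example.test": "2001:db8::1"})
CDN_ONLY = Response("www.example.test", "AAAA", [
    RR("www.example.test.", "CNAME", "site.cdn.example.net."),
    RR("site.cdn.example.net.", "CNAME", "edge7.cdn.example.net."),
])

if __name__ == "__main__":
    samples = (
        CDN_ONLY,
        Response("www.example.test", "A", CDN_ONLY.answer),
        Response("other.example.test", "AAAA",
                 [RR("other.example.test.", "CNAME", "x.cdn.example.net.")]),
    )
    for r in samples:
        out, verdict = apply_policy(r, POLICY)
        print(f"{r.qname} {r.qtype}: {verdict}")
        for rr in out.answer:
            print(f"   {rr.name} {rr.ttl} IN {rr.rtype} {rr.rdata}")
```

<p>The rewrite deliberately drops the upstream CNAME chain and answers with a single AAAA at the query name, which is what an RPZ local-data record would do; appending an AAAA to the chain's terminal name would mean publishing data under a zone the website operator does not control. Queries of other types, names with no configured policy, and responses that already carry an AAAA pass through untouched, so the policy only fires in the exact situation the mail describes.</p>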