
Re: [Asrg] For DNSBLs, embedded IPv4 in IPv6



>My understanding is that to check against an IPv6 address, an
>ip6.arpa style entry is used with the DNSBL domain name appended, and
>this is looked up - if an A record comes back the client is deemed to
>be blacklisted, with an optional TXT field stating the reason.

That's right.

>I suspect one comment might be that in an IPv6-only environment, one
>might prefer to use the presence of an AAAA record to determine
>whether an IPv6 client is blacklisted or not.

This has come up before -- the A record isn't an address, it's a bit
mask or a group of bit fields, and the code that interprets it should
be the same regardless of whether the original lookup was for a v4
address, a v6 address, or a domain name.

> Perhaps the discussion in Dublin that I caught half of was what IPv6
> address to use in the AAAA record if one was used for IPv6 DNSxLs?
> (where 127.0.0.2 is used for IPv4)

Right -- that's the incoming address, not the result.  We need one
test address that is always listed, and one that is never listed,
ideally both from address ranges which like 127/8 should never appear
on an actual network.

>In practise with IPv6 you will almost certainly want to list a whole /64
>since in most situations a client can essentially pick any IPv6 address
>from its onlink /64 to use.

Agreed.  Existing DNSBLs either use specialized servers which use a
table of listed CIDR ranges to synthesize result records, or else
ordinary DNS wildcards, e.g., to list 192.168/16 you'd include
*.168.192.example.org.  As far as I know, those both should be equally
doable with v6 addresses.

R's,
John
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www.ietf.org/mailman/listinfo/asrg
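As an added illustration of the mechanics discussed in this thread (not code from John or any existing DNSBL), the following builds the reversed-nibble query name for v4 and v6 clients, builds the wildcard owner name that lists a whole prefix (192.168/16 or a /64), and decodes the 127.0.0.x answer as a bit field independent of which address family was looked up. The zone name example.org comes from the thread; the zone contents and the meaning of each bit are constructed for the example, and the resolver is a simplified stand-in for real DNS wildcard matching.

```python
import ipaddress

def dnsbl_query_name(addr: str, zone: str) -> str:
    """in-addr.arpa / ip6.arpa style reversal with the DNSBL zone appended."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]                  # 4 octet labels
    else:
        labels = list(ip.exploded.replace(":", ""))[::-1]  # 32 nibble labels
    return ".".join(labels) + "." + zone

def dnsbl_wildcard_name(network: str, zone: str) -> str:
    """Wildcard owner name listing a whole prefix, e.g. *.168.192.example.org."""
    net = ipaddress.ip_network(network, strict=True)
    unit = 8 if net.version == 4 else 4           # bits per label
    if net.prefixlen % unit:
        raise ValueError("prefix must fall on a label boundary for a wildcard")
    keep = net.prefixlen // unit
    if net.version == 4:
        labels = str(net.network_address).split(".")[:keep][::-1]
    else:
        labels = list(net.network_address.exploded.replace(":", ""))[:keep][::-1]
    return "*." + ".".join(labels) + "." + zone

def decode_result(a_record: str, bit_meanings: dict) -> list:
    """Treat the last octet of 127.0.0.x as a bit mask (same for v4/v6/domain queries)."""
    last = int(a_record.split(".")[-1])
    return [name for bit, name in sorted(bit_meanings.items()) if last & bit]

def lookup(qname: str, zone_data: dict):
    """Simplified resolver: exact owner name first, then the closest wildcard."""
    if qname in zone_data:
        return zone_data[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in zone_data:
            return zone_data[candidate]
    return None

# Constructed sample zone: a v4 /16 and a v6 /64 listed via wildcards.
ZONE = "example.org"
ZONE_DATA = {
    dnsbl_wildcard_name("192.168.0.0/16", ZONE): "127.0.0.6",
    dnsbl_wildcard_name("2001:db8::/64", ZONE): "127.0.0.2",
}
BITS = {2: "listed", 4: "open-relay"}   # constructed bit meanings

def check(addr: str) -> list:
    """Return the decoded listing reasons for a client address (empty if not listed)."""
    answer = lookup(dnsbl_query_name(addr, ZONE), ZONE_DATA)
    return decode_result(answer, BITS) if answer else []
```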