Re: [dns-dir] Help reviewing draft-ietf-opsec-ipv6-implications-on-ipv4-nets for bad DNS advice?

Olafur Gudmundsson <ogud@ogud.com> Tue, 09 July 2013 16:01 UTC

From: Olafur Gudmundsson <ogud@ogud.com>
Date: Tue, 09 Jul 2013 12:00:22 -0400
To: Ted Lemon <Ted.Lemon@nominum.com>
Cc: "dns-dir@ietf.org" <dns-dir@ietf.org>
Subject: Re: [dns-dir] Help reviewing draft-ietf-opsec-ipv6-implications-on-ipv4-nets for bad DNS advice?
Message-Id: <4C13A79F-E9BD-4E8D-9B10-0DB2BBA24DD0@ogud.com>
In-Reply-To: <8D23D4052ABE7A4490E77B1A012B630775205E09@mbx-01.win.nominum.com>
References: <17E8FC11-7BDD-404C-98BA-B7CE073AD221@nominum.com> <8D23D4052ABE7A4490E77B1A012B630775205E09@mbx-01.win.nominum.com>

Ted, 

While this will not work with DNSSEC, there is no "serious harm" in doing this.
Basically they are saying "deny existence of AAAA",
which is fine if they want traffic to go via v4 only; the same technique can be used
to migrate traffic to v6.

I see no DNS harm in doing this, as a matter of fact this is better than just blocking the connections. 

Just my take on the issue, in my liberal old days.

	Olafur

On Jul 9, 2013, at 9:18 AM, Ted Lemon <Ted.Lemon@nominum.com> wrote:

> On Jul 5, 2013, at 2:00 PM, Ted Lemon <Ted.Lemon@nominum.com> wrote:
>>  For this reason, networks attempting to prevent IPv6 traffic from
>>  traversing their devices should consider configuring their local
>>  recursive DNS servers to respond to queries for AAAA DNS records with
>>  a DNS RCODE of 0 (NOERROR) [RFC1035] or to silently ignore such
>>  queries, and should even consider filtering AAAA records at the
>>  network ingress point to prevent the internal hosts from attempting
>>  their own DNS resolution.  This will ensure that hosts which are on
>>  an IPv4-only network will only receive DNS A records, and they will
>>  be unlikely to attempt to use (likely broken) IPv6 connectivity to
>>  reach their desired destinations.
> 
> So, nobody is going to object to the above text, aside from calling it "dumbass?"   I hear people complaining on dnsop all the time about middleboxes doing stuff like this; are we going to codify it in an RFC?
> 
> _______________________________________________
> dns-dir mailing list
> dns-dir@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-dir
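The policy the quoted draft text describes (answer AAAA queries with NOERROR and an empty answer section, i.e. NODATA) and the DNSSEC caveat raised in the reply above, shown as an added example that is not part of the draft or of this thread. The code builds DNS messages in wire format with the standard library only, so every message below is constructed sample traffic; the names `www.example.com`, `build_message`, `filter_aaaa` and `query_has_do_bit` are this example's own, and the `break_dnssec` switch is an assumed knob modelled on the choice a resolver operator has to make, not anything the draft specifies.

```python
"""
Added example: AAAA filtering on DNS wire-format messages, as an IPv4-only
network's recursive resolver might apply it.  Everything here is constructed
for illustration; it is not code from the draft or from any resolver.
"""
import struct

QTYPE_A, QTYPE_AAAA, QTYPE_OPT = 1, 28, 41
EDNS_DO = 0x8000  # DNSSEC OK bit: MSB of the 16 flag bits in the OPT RR's TTL field


def _encode_name(name: str) -> bytes:
    """Encode a dotted name as wire-format labels terminated by the root label."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def _read_name(msg: bytes, off: int) -> int:
    """Skip a wire-format name (labels or a 2-byte compression pointer); return the offset after it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def build_message(qname: str, qtype: int, rdatas=(), do_bit=False, response=True) -> bytes:
    """Construct a minimal DNS message: one question, optional answer RRs of `qtype`
    (owner name compressed to the question), and an EDNS OPT RR when do_bit is set.
    Used only to fabricate sample queries and answers for this example."""
    flags = 0x8180 if response else 0x0100          # QR|RD|RA for answers, RD for queries
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(rdatas), 0, 1 if do_bit else 0)
    msg += _encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rdata in rdatas:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    if do_bit:  # OPT RR: root owner, CLASS = UDP payload size, TTL carries the DO flag
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, EDNS_DO, 0)
    return msg


def question_qtype(msg: bytes) -> int:
    """QTYPE of the first (and here only) question."""
    off = _read_name(msg, 12)
    return struct.unpack("!H", msg[off:off + 2])[0]


def rcode(msg: bytes) -> int:
    return struct.unpack("!H", msg[2:4])[0] & 0xF


def answer_count(msg: bytes) -> int:
    return struct.unpack("!H", msg[6:8])[0]


def query_has_do_bit(msg: bytes) -> bool:
    """True if the message carries an OPT RR with the DO bit set, i.e. the client wants DNSSEC data."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _read_name(msg, off) + 4               # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == QTYPE_OPT:
            return bool(ttl & EDNS_DO)
        off += 10 + rdlen
    return False


def filter_aaaa(query: bytes, response: bytes, break_dnssec: bool = False) -> bytes:
    """Apply the draft's policy: a AAAA answer is replaced by NOERROR with an empty
    answer section (NODATA), so the client sees "no AAAA exists" and uses the A record.

    The synthesized NODATA carries no NSEC/NSEC3 denial-of-existence proof, so a
    validating client that set DO would treat it as bogus.  By default such queries
    are passed through untouched; break_dnssec=True (an assumed operator choice)
    filters them anyway and accepts the validation failures that follow."""
    if question_qtype(response) != QTYPE_AAAA:
        return response
    if query_has_do_bit(query) and not break_dnssec:
        return response
    qend = _read_name(response, 12) + 4              # end of the question section
    txid, flags = struct.unpack("!HH", response[:4])
    flags &= 0xFFF0                                  # RCODE = 0 (NOERROR)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + response[12:qend]


if __name__ == "__main__":
    q = build_message("www.example.com", QTYPE_AAAA, response=False)
    r = build_message("www.example.com", QTYPE_AAAA, [bytes(16)])   # constructed AAAA answer
    f = filter_aaaa(q, r)
    print("filtered: rcode=%d answers=%d" % (rcode(f), answer_count(f)))
    q_do = build_message("www.example.com", QTYPE_AAAA, response=False, do_bit=True)
    print("DO query passed through unchanged:", filter_aaaa(q_do, r) == r)
```

The draft's other option, silently ignoring the query, is simply not sending anything back; the NODATA synthesis above is the friendlier of the two because a stub resolver gets an immediate answer instead of retrying until it times out. Whatever is chosen, the DO-bit check is the part to get right: a client that validates will not accept a NODATA answer that has no signed NSEC or NSEC3 records proving the name has no AAAA, which is the "will not work with DNSSEC" point made in the reply.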