filter-a and dns64 in a ipv6-only network

Mark Andrews marka at isc.org
Mon Jan 30 22:12:53 UTC 2023 

Do you want a correctly operating DNS64 server or do you want to filter
all A records?  They are mutually exclusive requirements.  Please read
RFC 6147 to understand why they are mutually exclusive.

IPv6-only means that the IP packets being sent and received are only IPv6
packets for the thing (node, network) that is being described as IPv6-only.

You seem to have this strange notion that to run an IPv6-only node or
network that you need to filter out A records. Could you tell me who or
what told you this was required?

Mark

> On 31 Jan 2023, at 06:01, Thomas Schäfer <tschaefer at t-online.de> wrote:
> 
> Hi,
> 
> I use tumbleweed for testing, since compiling bind is hard(at least for me).
> 
> bind version: 9.18.11
> 
> options {....
> 
>    dns64 64:ff9b::/96 {
>        clients { any; };
>        recursive-only yes;
>        mapped { !10/8; any; };
>    };
> 
> };
> 
>    plugin query "filter-a.so" {
>                  filter-a-on-v6 break-dnssec;
>                  filter-a-on-v4 break-dnssec;
>                  filter-a { ::/0 ; };
>    };
> 
> My test setup is intended to be ipv6-only. Please don't try to convince me, 
> that clat would be better. 
> (https://lists.isc.org/mailman/htdig/bind-users/2022-March/105826.html) I 
> don't want IPv4 at all.
> 
> The first line of the man page says:
> "filter-a - filter A in DNS responses when AAAA is present"
> 
> and here starts my problem: dns64 generates an AAAA-Record, but the plugin 
> filter-a expects an real AAAA-response. In the end a isn't filtered.
> 
> 
> Example with real aaaa-record
> host ct.de ::1
> Using domain server:
> Name: ::1
> Address: ::1#53
> Aliases: 
> 
> ct.de has IPv6 address 2a02:2e0:3fe:1001:302::
> ct.de mail is handled by 50 secondarymx.heise.de.
> ct.de mail is handled by 10 relay.heise.de.
> 
> Example with synthesized aaaa-record
> 
> host sz.de ::1
> Using domain server:
> Name: ::1
> Address: ::1#53
> Aliases: 
> 
> sz.de has address 195.50.177.61
> sz.de has IPv6 address 64:ff9b::c332:b13d
> sz.de has IPv6 address 64:ff9b::c332:b13d
> sz.de mail is handled by 50 sz-de.mail.protection.outlook.com.
> 
> 
> How can I achieve to remove a-records at any time?
> 
> 
> Regards,
> Thomas
> 
> 
> 
> 
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

More information about the bind-users mailing list