filter-a and dns64 in a ipv6-only network
Mark Andrews
marka at isc.org
Mon Jan 30 22:12:53 UTC 2023
Do you want a correctly operating DNS64 server or do you want to filter
all A records? They are mutually exclusive requirements. Please read
RFC 6147 to understand why they are mutually exclusive.
IPv6-only means that the IP packets being sent and received are only IPv6
packets for the thing (node, network) that is being described as IPv6-only.
You seem to have this strange notion that to run an IPv6-only node or
network that you need to filter out A records. Could you tell me who or
what told you this was required?
Mark
> On 31 Jan 2023, at 06:01, Thomas Schäfer <tschaefer at t-online.de> wrote:
>
> Hi,
>
> I use tumbleweed for testing, since compiling bind is hard(at least for me).
>
> bind version: 9.18.11
>
> options {....
>
> dns64 64:ff9b::/96 {
> clients { any; };
> recursive-only yes;
> mapped { !10/8; any; };
> };
>
> };
>
> plugin query "filter-a.so" {
> filter-a-on-v6 break-dnssec;
> filter-a-on-v4 break-dnssec;
> filter-a { ::/0 ; };
> };
>
> My test setup is intended to be ipv6-only. Please don't try to convince me,
> that clat would be better.
> (https://lists.isc.org/mailman/htdig/bind-users/2022-March/105826.html) I
> don't want IPv4 at all.
>
> The first line of the man page says:
> "filter-a - filter A in DNS responses when AAAA is present"
>
> and here starts my problem: dns64 generates an AAAA-Record, but the plugin
> filter-a expects an real AAAA-response. In the end a isn't filtered.
>
>
> Example with real aaaa-record
> host ct.de ::1
> Using domain server:
> Name: ::1
> Address: ::1#53
> Aliases:
>
> ct.de has IPv6 address 2a02:2e0:3fe:1001:302::
> ct.de mail is handled by 50 secondarymx.heise.de.
> ct.de mail is handled by 10 relay.heise.de.
>
> Example with synthesized aaaa-record
>
> host sz.de ::1
> Using domain server:
> Name: ::1
> Address: ::1#53
> Aliases:
>
> sz.de has address 195.50.177.61
> sz.de has IPv6 address 64:ff9b::c332:b13d
> sz.de has IPv6 address 64:ff9b::c332:b13d
> sz.de mail is handled by 50 sz-de.mail.protection.outlook.com.
>
>
> How can I achieve to remove a-records at any time?
>
>
> Regards,
> Thomas
>
>
>
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list