IPv6 woes - RFC

Toke Høiland-Jørgensen toke at toke.dk
Mon Sep 6 11:04:23 UTC 2021


Grant Taylor via NANOG <nanog at nanog.org> writes:

> Hi Toke,
>
> On 9/5/21 3:07 PM, Toke Høiland-Jørgensen via NANOG wrote:
>> Well, that's what I used to do back when I didn't have native v6 and 
>> ran into this issue: block v6 at the DNS level. I.e., simply filter 
>> out all AAAA records for offending service providers. Pretty simple 
>> to set up on your home router (it's usually one or a few TLDs per 
>> service provider).
>
> I agree that it's not hard to disable AAAA resolution for ... obstinate 
> domains.  However, as you say, doing so means breaking DNSSEC more and 
> more often.  Of course it's possible to do that, but it's now a second 
> thing that's being done per obstinate domain.  :-(
>
> I've considered null routing / rejecting IPv6 traffic to prefixes 
> associated with the obstinate domains, but that's not really a set it 
> and forget it thing.  Especially if ~> when the obstinate domains use 
> shared hosting thus bring collateral damage into the mix.  And yet 
> another (3rd) hack ~> workaround.  :-(
>
>> It does fail if your clients do DNSSEC validation, but if you do that 
>> at the router (or not at all) it should just work :)
>
> Ya.  I've been doing the DNSSEC validation on the LAN local recursive 
> DNS server for this reason.

Yup, me too :)

>> And yeah, it's an ugly hack that really shouldn't be necessary,
>
> Yep.  How many ugly hacks does it take before one starts questioning if 
> said ugly hack(s) is (are) the proper thing to do?

Well, I come from a software background, so in my world the whole thing
is held together by duct tape and string anyway ;)

And while I can agree in principle, the nice thing about hacks is that
you can actually get those to *work*, whereas tilting at windmills to
get providers to do the right thing is much harder. So ideally you could
do both: deploy the hack(s) while waiting to get the proper fix deployed
a decade or two from now...

>> but I found it worked quite well back when I used it (a handful of 
>> years ago or so), and it keeps IPv6 active and working for everything 
>> else...
>
> If you're willing to (break) deal with DNSSEC, yes it does work.
>
>> Another solution that I've used on occasion is to do your own 
>> tunnelling: find a hosting provider that can provide you a VPS 
>> with a v6 prefix and do your own tunnelling to that. This works by 
>> virtue of being "under the radar" of the service providers that do 
>> this kind of broken filtering, providing you can find a VPS provider 
>> whose prefixes are not blacklisted for some other reason (like being 
>> non-residential or something).
>
> The operative phrase being "find a VPS provider whose prefixes are not 
> blacklisted".  :-/
>
> The workaround ~> hack is becoming more and more problematic year after 
> year.

Yeah, I do realise that that particular workaround probably has (had?)
an expiry date :(

-Toke
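As an added illustration of the "filter out all AAAA records for offending service providers" hack discussed above (example code written for this page, not anything posted in the thread and not the configuration of any particular router or resolver): a minimal DNS wire-format filter that strips AAAA answers, and the RRSIGs covering them, from responses to queries under a configured suffix list. The suffix list, the `sample_response()` message and all addresses in it are constructed for the example. Clearing the AD bit on a stripped answer, and the comment on why a validating stub will reject it, are the DNSSEC caveat the thread mentions.

```python
import struct

TYPE_A, TYPE_AAAA, TYPE_RRSIG = 1, 28, 46
COMPRESSIBLE = {2, 5, 12}        # NS, CNAME, PTR carry a domain name in RDATA
FLAG_AD = 0x0020                  # "authenticated data" bit in the header flags


def read_name(msg, off):
    """Decode a (possibly compressed, RFC 1035 4.1.4) name; return (name, next offset)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2                        # caller continues after the pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii").lower())
        off += ln
    return ".".join(labels), (end if end is not None else off)


def encode_name(name):
    """Uncompressed wire form of a dotted name."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".") if l) + b"\x00"


def parse_rr(msg, off):
    name, off = read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    rdata = msg[off:off + rdlen]
    if rtype in COMPRESSIBLE:                        # expand so we can re-emit without pointers
        rdata = encode_name(read_name(msg, off)[0])
    return (name, rtype, rclass, ttl, rdata), off + rdlen


def encode_rr(rr):
    name, rtype, rclass, ttl, rdata = rr
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def parse_message(msg):
    """Return (id, flags, [questions], [answer, authority, additional])."""
    mid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off, questions = 12, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        questions.append((qname,) + struct.unpack_from("!HH", msg, off))
        off += 4
    sections = []
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            rr, off = parse_rr(msg, off)
            rrs.append(rr)
        sections.append(rrs)
    return mid, flags, questions, sections


def build_message(mid, flags, questions, sections):
    out = struct.pack("!HHHHHH", mid, flags, len(questions), *(len(s) for s in sections))
    for qname, qtype, qclass in questions:
        out += encode_name(qname) + struct.pack("!HH", qtype, qclass)
    return out + b"".join(encode_rr(rr) for rrs in sections for rr in rrs)


def under_suffix(name, suffixes):
    return any(name == s or name.endswith("." + s) for s in suffixes)


def filter_aaaa(msg, suffixes):
    """Drop AAAA RRs (and RRSIGs covering AAAA) from the answer section when the
    question name is under one of `suffixes`. Returns (new message, records dropped).
    Matching on the question name rather than the RR owner keeps CNAME chains into a
    third-party CDN covered. A validating stub will still reject the result: it gets
    NOERROR with no AAAA and no NSEC/NSEC3 proof that none exists, which is exactly
    why the thread validates DNSSEC at the router instead of on the clients."""
    mid, flags, questions, sections = parse_message(msg)
    suffixes = {s.lower().strip(".") for s in suffixes}
    if not any(under_suffix(q[0], suffixes) for q in questions):
        return msg, 0                                # not an offending domain: pass through untouched
    kept, dropped = [], 0
    for rr in sections[0]:
        rtype, rdata = rr[1], rr[4]
        covered = struct.unpack_from("!H", rdata)[0] if rtype == TYPE_RRSIG else None
        if rtype == TYPE_AAAA or covered == TYPE_AAAA:
            dropped += 1
        else:
            kept.append(rr)
    if dropped:
        flags &= ~FLAG_AD                            # the answer is no longer what the validator saw
    return build_message(mid, flags, questions, [kept] + sections[1:]), dropped


def sample_response(qname, ipv6=bytes.fromhex("20010db8000000000000000000000001")):
    """Constructed NOERROR/AD response (not captured traffic): A + AAAA + RRSIG(AAAA),
    with the answer owner names compressed as pointers to the question name at offset 12."""
    ptr = b"\xc0\x0c"
    q = encode_name(qname) + struct.pack("!HH", TYPE_AAAA, 1)
    a = ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    aaaa = ptr + struct.pack("!HHIH", TYPE_AAAA, 1, 300, 16) + ipv6
    sig = struct.pack("!HBBIIIH", TYPE_AAAA, 13, 3, 300, 0, 0, 12345) + encode_name("example.net") + b"\x00" * 64
    rrsig = ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(sig)) + sig
    return struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 3, 0, 0) + q + a + aaaa + rrsig


if __name__ == "__main__":
    out, n = filter_aaaa(sample_response("www.example.net"), {"example.net"})
    print(n, "records dropped; remaining answer types:", [rr[1] for rr in parse_message(out)[3][0]])
```

Two things to keep in mind if this is put in front of real clients: filtered responses are re-encoded without name compression, so they can grow past the client's UDP buffer size and may need the TC handling a full resolver does; and, as the thread says, it only "just works" when nothing behind the filter validates DNSSEC itself.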
