IPv6 woes - RFC
Toke Høiland-Jørgensen
toke at toke.dk
Mon Sep 6 11:04:23 UTC 2021
Grant Taylor via NANOG <nanog at nanog.org> writes:
> Hi Toke,
>
> On 9/5/21 3:07 PM, Toke Høiland-Jørgensen via NANOG wrote:
>> Well, that's what I used to do back when I didn't have native v6 and
>> ran into this issue: block v6 at the DNS level. I.e., simply filter
>> out all AAAA records for offending service providers. Pretty simple
>> to setup on your home router (it's usually one or a few TLDs per
>> service provider).
>
> I agree that it's not hard to disable AAAA resolution for ... obstinate
> domains. However, as you say, doing so means breaking DNSSEC more and
> more often. Of course it's possible to do that, but it's now a second
> thing that's being done per obstinate domain. :-(
>
> I've considered null routing / rejecting IPv6 traffic to prefixes
> associated with the obstinate domains, but that's not really a set it
> and forget it thing. Especially if ~> when the obstinate domains use
> shared hosting thus bring collateral damage into the mix. And yet
> another (3rd) hack ~> workaround. :-(
>
>> It does fail if your clients do DNSSEC validation, but if you do that
>> at the router (or not at all) it should just work :)
>
> Ya. I've been doing the DNSSEC validation on the LAN local recursive
> DNS server for this reason.
Yup, me too :)
>> And yeah, it's an ugly hack that really shouldn't be necessary,
>
> Yep. How many ugly hacks does it take before one starts questioning if
> said ugly hack(s) is (are) the proper thing to do?
Well, I come from a software background, so in my world the whole thing
is held together by duct tape and string anyway ;)
And while I can agree in principle, the nice thing about hacks is that
you can actually get those to *work*, whereas tilting at windmills to
get providers to do the right thing is much harder. So ideally you could
do both: deploy the hack(s) while waiting to get the proper fix deployed
a decade or two from now...
>> but I found it worked quite well back when I used it (a handful of
>> years ago or so), and it keeps IPv6 active and working for everything
>> else...
>
> If you're willing to (break) deal with DNSSEC, yes it does work.
>
>> Another solution that I've used on occasion is to do your own
>> tunnelling: find a hosting provider that can provide you a VPS
>> with a v6 prefix and do your own tunnelling to that. This works by
>> virtue of being "under the radar" of the service providers that do
>> this kind of broken filtering, providing you can find a VPS provider
>> whose prefixes are not blacklisted for some other reason (like being
>> non-residential or something).
>
> The operative phrase being "find a VPS provider whose prefixes are not
> blacklisted". :-/
>
> The workaround ~> hack is becoming more and more problematic year after
> year.
Yeah, I do realise that that particular workaround probably has (had?)
an expiry date :(
-Toke
More information about the NANOG
mailing list