nanog mailing list archives

Re: IPv6 woes - RFC


From: Toke Høiland-Jørgensen via NANOG <nanog () nanog org>
Date: Mon, 06 Sep 2021 13:04:23 +0200

Grant Taylor via NANOG <nanog () nanog org> writes:

> Hi Toke,
>
> On 9/5/21 3:07 PM, Toke Høiland-Jørgensen via NANOG wrote:
>> Well, that's what I used to do back when I didn't have native v6 and
>> ran into this issue: block v6 at the DNS level. I.e., simply filter
>> out all AAAA records for offending service providers. Pretty simple
>> to set up on your home router (it's usually one or a few TLDs per
>> service provider).
>
> I agree that it's not hard to disable AAAA resolution for ... obstinate
> domains.  However, as you say, doing so means breaking DNSSEC more and
> more often.  Of course it's possible to do that, but it's now a second
> thing that's being done per obstinate domain.  :-(
>
> I've considered null routing / rejecting IPv6 traffic to prefixes
> associated with the obstinate domains, but that's not really a set it
> and forget it thing.  Especially if ~> when the obstinate domains use
> shared hosting, thus bringing collateral damage into the mix.  And yet
> another (3rd) hack ~> workaround.  :-(
>
>> It does fail if your clients do DNSSEC validation, but if you do that
>> at the router (or not at all) it should just work :)
>
> Ya.  I've been doing the DNSSEC validation on the LAN local recursive
> DNS server for this reason.

Yup, me too :)

>> And yeah, it's an ugly hack that really shouldn't be necessary,
>
> Yep.  How many ugly hacks does it take before one starts questioning if
> said ugly hack(s) is (are) the proper thing to do?

Well, I come from a software background, so in my world the whole thing
is held together by duct tape and string anyway ;)

And while I can agree in principle, the nice thing about hacks is that
you can actually get those to *work*, whereas tilting at windmills to
get providers to do the right thing is much harder. So ideally you could
do both: deploy the hack(s) while waiting to get the proper fix deployed
a decade or two from now...

>> but I found it worked quite well back when I used it (a handful of
>> years ago or so), and it keeps IPv6 active and working for everything
>> else...
>
> If you're willing to (break) deal with DNSSEC, yes it does work.
>
>> Another solution that I've used on occasion is to do your own
>> tunnelling: find a hosting provider that can provide you a VPS
>> with a v6 prefix and do your own tunnelling to that. This works by
>> virtue of being "under the radar" of the service providers that do
>> this kind of broken filtering, providing you can find a VPS provider
>> whose prefixes are not blacklisted for some other reason (like being
>> non-residential or something).
>
> The operative phrase being "find a VPS provider whose prefixes are not
> blacklisted".  :-/
>
> The workaround ~> hack is becoming more and more problematic year after
> year.

Yeah, I do realise that that particular workaround probably has (had?)
an expiry date :(

-Toke
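The DNS-level workaround discussed in this message, dropping AAAA answers for a configured set of domains, as an added example that is not code from the thread or from any NANOG participant. It decodes an upstream response (handling RFC 1035 compression pointers), strips the AAAA RRset and the RRSIG covering it when the question name is under a filtered suffix, and re-encodes the message uncompressed. The suffix list, the message ID and flags, the addresses and the RRSIG bytes are all constructed placeholders. It also shows the DNSSEC caveat the thread raises: the edited response is a NODATA answer with no NSEC/NSEC3 proof, so a validating stub resolver rejects it, which is why validation has to happen upstream of the filter (on the router's recursive resolver) or not at all.

```python
import struct

AAAA, RRSIG = 28, 46
# Constructed placeholder: domains whose AAAA answers we suppress.
FILTERED_SUFFIXES = ("obstinate.example.",)


def decode_name(msg, off):
    """Decode a possibly compressed name; return (dotted name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2                       # a pointer occupies 2 bytes in place
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def encode_name(name):
    """Encode a dotted name in uncompressed wire format."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def decode_message(msg):
    """Parse header, question section and the answer/authority/additional sections."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, sections = 12, [], []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        questions.append((qname, qtype, qclass))
        off += 4
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            # RDATA is copied verbatim: fine for A/AAAA/RRSIG, whose RDATA holds no
            # compression pointers (CNAME, MX etc. would need decompressing as well).
            rrs.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
            off += rdlen
        sections.append(rrs)
    return ident, flags, questions, sections


def encode_message(ident, flags, questions, sections):
    """Serialise a parsed message without compression, so old offsets no longer matter."""
    out = struct.pack("!HHHHHH", ident, flags, len(questions), *(len(s) for s in sections))
    for qname, qtype, qclass in questions:
        out += encode_name(qname) + struct.pack("!HH", qtype, qclass)
    for rrs in sections:
        for name, rtype, rclass, ttl, rdata in rrs:
            out += encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return out


def is_filtered(name):
    return any(name == s or name.endswith("." + s) for s in FILTERED_SUFFIXES)


def drops(rr):
    """True for AAAA records and for RRSIGs covering AAAA (covered type = first 2 RDATA bytes)."""
    _, rtype, _, _, rdata = rr
    return rtype == AAAA or (rtype == RRSIG and struct.unpack("!H", rdata[:2])[0] == AAAA)


def filter_aaaa(msg):
    """Strip AAAA answers when the question is under a filtered suffix, else pass through.

    The result is NODATA without an NSEC/NSEC3 proof: a DNSSEC-validating client will
    mark it bogus, so validate on the resolver that sits in front of this filter.
    """
    ident, flags, questions, sections = decode_message(msg)
    if not any(is_filtered(q[0]) for q in questions):
        return msg                                  # untouched, pointers and all
    sections[0] = [rr for rr in sections[0] if not drops(rr)]
    return encode_message(ident, flags, questions, sections)


def sample_response(qname):
    """Constructed upstream answer: two AAAA RRs plus a dummy RRSIG, using compression."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)   # QR, RD, RA, NOERROR
    question = encode_name(qname) + struct.pack("!HH", AAAA, 1)
    ptr = b"\xc0\x0c"                               # pointer to the question name at offset 12

    def rr(rtype, rdata):
        return ptr + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata

    return (header + question
            + rr(AAAA, bytes.fromhex("20010db8000000000000000000000001"))
            + rr(AAAA, bytes.fromhex("20010db8000000000000000000000002"))
            + rr(RRSIG, struct.pack("!H", AAAA) + b"\x00" * 16))    # placeholder, not a real signature
```

Calling `filter_aaaa(sample_response("www.obstinate.example."))` yields a response whose answer section is empty while the header ID, flags and question are preserved; a query for a domain outside the list is returned byte-for-byte unchanged. Only the answer section is edited, since suppressing IPv6 for the target is the goal and the authority/additional data is left alone.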

