North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: The power of default configurations

  • From: Mark Andrews
  • Date: Thu Apr 07 00:34:56 2005

In article <[email protected]> you write:
>
>
>On 4/6/2005 5:00 PM, Sean Donelan wrote:
>
>> Why does BIND forward lookups for RFC1918 addresses by default?
>
>As has been pointed out already, caches need to be able to ask other
>(local) servers for the PTRs.
>
>OTOH, it might make a good feature (and eventually maybe a BCP) to block
>PTR queries for 1918 space from going to the roots and TLD servers.
>
>-- 
>Eric A. Hall                                        http://www.ehsco.com/
>Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/

	The first step in getting these sorts queries stomped on
	in the right places is coming with the rewording of the ULA
	draft DNS Issues section which allows nameservers to default
	to returning rcode 3 (NXDOMAIN/Name Error).

	The next step is to do this as a general draft which covers
	all the different suffixes.

	Mark

4.4 DNS Issues


At the present time AAAA and PTR records for locally assigned local
IPv6 addresses are not recommended to be installed in the global
DNS.

For background on this recommendation, one of the concerns about
adding AAAA and PTR records to the global DNS for locally assigned
Local IPv6 addresses stems from the lack of complete assurance that
the prefixes are unique. There is a small possibility that the same
locally assigned IPv6 Local addresses will be used by two different
organizations both claiming to be authoritative with different
contents. In this scenario, it is likely there will be a connection
attempt to the closest host with the corresponding locally assigned
IPv6 Local address. This may result in connection timeouts, connection
failures indicated by ICMP Destination Unreachable messages, or
successful connections to the wrong host. Due to this concern,
adding AAAA records for these addresses to the global DNS is thought
to be unwise.

Reverse (address-to-name) queries for locally assigned IPv6 Local
addresses MUST NOT be sent to name servers for the global DNS, due
to the load that such queries would create for the authoritative
name servers for the ip6.arpa zone. This form of query load is not
specific to locally assigned Local IPv6 addresses; any current form
of local addressing creates additional load of this kind, due to
reverse queries leaking out of the site. However, since allowing
such queries to escape from the site serves no useful purpose, there
is no good reason to make the existing load problems worse.

The recommended way to avoid sending such queries to nameservers
for the global DNS is for recursive name server implementations to
act as if they were authoritative for an empty d.f.ip6.arpa zone
and return RCODE 3 for any such query. Implementations that choose
this strategy should allow it to be overridden, but returning an
RCODE 3 response for such queries should be the default, both because
this will reduce the query load problem and also because, if the
site administrator has not set up the reverse tree corresponding
to the locally assigned IPv6 Local addresses in use, returning RCODE
3 is in fact the correct answer.