IPv4 in IPv6 in AAAA records

Phil Howard phil-nsd-users at ipal.net
Tue Aug 24 17:33:43 UTC 2004


On Tue, Aug 24, 2004 at 10:45:08AM +0100, Colm MacCarthaigh wrote:

| On Mon, Aug 23, 2004 at 06:33:15PM -0500, Phil Howard wrote:
| > An address expressed like ::ffff:209.102.192.73 could be used on a system
| > that has only IPv6 implemented, or only has IPv6 reachability, or has a
| > LAN that is limited to IPv6, and such an address can be converted to IPv4
| > at some point between that machine's stack (inclusive) to that network's
| > gateway (NAT), and go out over the rest of the net as IPv4.
| 
| Absolutely not! As Itojun says, ::ffff addresses are supposed to be
| local to a host only, they are never to appear on the wire, see
| his ID for reasons why this is a bad thing:
| 
|  http://www.join.uni-muenster.de/Dokumente/drafts/draft-itojun-v6ops-v4mapped-harmful-02.txt
| 
| What you are describing is almost like a relay translator, see:
| 
|  http://www.faqs.org/rfcs/rfc3142.html
| 
| But this is a layer 3 device, doing it in layer 2 won't really work
| reliably (because of header incompatibilities). And it uses the C6::/64
| prefix.
| 
| > Getting back to DNS, it's also a way to query a single record type once
| > and get an address that says "Use IPv4 instead, and here's the address".
| > 
| > Should any of what I describe not be done, or be done some other way?
| 
| You're just using the wrong prefix is all :) ::ffff is for host-only
| translation, a well-configured host should deny any packets with this
| prefix to come in over the wire.

I'm not proposing ::ffff go "over the wire" if we define "the wire" as
being the public routing space.  As such, no need exists for a unicast
address space as the TRT proposal suggests.  The existing ::ffff can do
the job, and won't have the risks Metz and Hagino suggest when done right.
If ::ffff goes over my local LAN, that's my business; there is no need for
the redundant c6::/64 assignment for it.

But in nsd-users, the on-topic issue is whether ::ffff should be supported
in AAAA records ... specifically with dotted-quad-suffix syntax.  I want
to hear reasons why that should not be allowed.  Whether ::ffff should be
allowed in packets should be a layer 2 issue, not a DNS issue.  If it comes
to pass that there is no use for ::ffff then whether it works, and is
convenient to use, in zonec is moot.  But if in the end it is decided that
c6::/64 is the way to go, you still need the dotted-quad-suffix support.

-- 
-----------------------------------------------------------------------------
| Phil Howard KA9WGN       | http://linuxhomepage.com/      http://ham.org/ |
| (first name) at ipal.net | http://phil.ipal.org/   http://ka9wgn.ham.org/ |
-----------------------------------------------------------------------------
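
An added example (not from the original message or from NSD's source): how AAAA text with a dotted-quad suffix maps to 16-byte RDATA, and how a zone check can flag entries that fall in ::ffff:0:0/96. The names classify_aaaa, count_v4mapped and SAMPLE_RDATA are hypothetical, and the sample records are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

enum aaaa_class { AAAA_INVALID = -1, AAAA_NATIVE = 0, AAAA_V4MAPPED = 1 };

/* ::ffff:0:0/96: the first 12 bytes of every IPv4-mapped address. */
static const unsigned char V4MAPPED_PREFIX[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};

/* Parse AAAA presentation text (dotted-quad suffix allowed) into its 16-byte
 * wire form and classify it. For a mapped address the embedded IPv4 address
 * is written to v4out (INET_ADDRSTRLEN bytes) when v4out is non-NULL. */
enum aaaa_class classify_aaaa(const char *text, unsigned char wire[16], char *v4out)
{
    struct in6_addr a6;
    if (inet_pton(AF_INET6, text, &a6) != 1)
        return AAAA_INVALID;              /* e.g. a suffix with only 3 octets */
    memcpy(wire, a6.s6_addr, 16);
    if (memcmp(wire, V4MAPPED_PREFIX, sizeof V4MAPPED_PREFIX) != 0)
        return AAAA_NATIVE;
    if (v4out != NULL)
        inet_ntop(AF_INET, wire + 12, v4out, INET_ADDRSTRLEN);
    return AAAA_V4MAPPED;
}

/* Constructed sample AAAA RDATA, not taken from any real zone. */
const char *const SAMPLE_RDATA[] = {
    "::ffff:209.102.192.73",   /* dotted-quad suffix, IPv4-mapped */
    "::ffff:d166:c049",        /* the same 16 bytes written in hex */
    "2001:db8::1",             /* ordinary IPv6 address */
    "::ffff:209.102.192",      /* malformed suffix, rejected */
};

/* Number of entries that land in ::ffff:0:0/96. */
int count_v4mapped(const char *const *rdata, int n)
{
    unsigned char wire[16];
    int i, hits = 0;
    for (i = 0; i < n; i++)
        hits += classify_aaaa(rdata[i], wire, NULL) == AAAA_V4MAPPED;
    return hits;
}

int main(void)
{
    printf("v4-mapped entries: %d of 4\n", count_v4mapped(SAMPLE_RDATA, 4));
    return 0;
}
```

The dotted-quad and hex spellings produce identical RDATA, so a policy on ::ffff has to be applied to the parsed bytes rather than to the zone-file text.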


