Implement block_aaaa similar to block_a #884
base: master
Reason behind this is that certain ancient apps get confused with IPv6 and stuff, so offer possibility to make them work too.
nice implementation
Any chance to get this merged?
I actually made a good use of this for sites and domains that are too restrictive and would ban outright public IPv6 tunnel brokers for example (as I "sit" on one of them) together with netfilter filtering as well.
Gentle ping :) Could we look to merge this? This is quite similar to the block_a zone-type implementation and would help our network a fair bit too!
@wcawijngaards Please!
The item belongs to @Philip-NLnetLabs. And he tells me that he does not want it because it breaks DNSSEC. DNSSEC would not work for downstream validators. The code looks nice otherwise.
But it does the same as
I've not read how this breaks DNSSEC but the fix for this should be identical for both
Hello
Ended up here because "private-address: ::/0" seems to be breaking some clients, as it seems to return SERVFAIL adding that line... and I want no IPv6 addresses because my ISP doesn't do IPv6, and so clients take ages timing out on IPv6 before they use IPv4. We REALLY need some way to block IPv6 addresses in DNS when you know the ISP doesn't support DNS so that clients don't lag trying to connect to something it will never successfully reach.
@mmiller7, if you need something global (and not per domain functionality that this issue is about) you can use:
Oh cool, I haven't found that anywhere else... did seem to do the trick!
@Philip-NLnetLabs - sorry for the repeated pings but what do you think about this proposal? This is identical to an existing feature If there's a concern about this working with DNSSEC, I think this is already broken with
Why not rework the patch to fix the DNSSEC issues first?
Thanks for the response, Philip! Is there any documentation around the breakage for DNSSEC? Apart from the comment above by Wouter, I don't think this has been documented anywhere. If the fix is straightforward, maybe we can fix it as part of this PR. If this is a complex fix, I'd suggest again that we track it separately since no one has raised concerns with What do you think?
For DNSSEC, there are two things that need to be done, preferably with additional tests to show that it works: