On 9/9/2011 5:15 AM, François-Xavier Le Bail wrote:
--- On Wed, 9/7/11, Kevin Darcy <k...@chrysler.com> wrote:
Why are you trying to use the SRAA for DNS resolution? SRAA has a
special meaning to network-infrastructure devices; I don't think it was
ever intended for anycasting general network services. Just pick one of
your global-unicast addresses, and anycast that instead.
We are testing a setup where the DNS querier doesn't know the GUA
but knows the prefix (the GUA is EUI-64 generated, based on the prefix).
The SRAA seems perfect for this use case.
Well, it appears that you managed to select the one anycast address out
of the quintillions that are available in IPv6 that you've proven
*won't*work* for the purpose you need.
Pick something else in the Global Unicast range and be happy. Arrange
the EUI-64 bits in appropriate ways if you need to (or just use a
randomly-generated IA and call it a "privacy extension" :-)
Dig could have an option for "unexpected source" control based on the prefix to
manage the SRAA case.
No, relaxing the response-source rule for *any* DNS resolver leads to
erroneous query results and response-spoofing opportunities. The rule
exists for good reasons.
You should either a) pursue with your network hardware vendor why its
device is responding to a query to the SRAA with a different source
address, thus breaking the rules of DNS resolution, or b) select a
working resolver address in the Global Unicast range and be happy.
- Kevin
[...]
Note that RFC 4291 obsoletes RFC 3513 which obsoletes RFC 2373.
Right, but no changes about "Subnet-Router anycast address" in RFC 4291.
Agreed, I was just pointing you to the latest revision of the document.
- Kevin
Francois-Xavier
On 9/7/2011 10:48 AM, François-Xavier Le Bail wrote:
Hello,
I send with DiG 9.7.3 a request to a router/DNS forwarder with the
Subnet-Router anycast address of the router (SRAA, RFC 2373, § 2.6.1).
The answer is:
reply from unexpected source:<GUA of the router>#53, expected<SRAA>#53
Is there an option to relax the IPv6 address request/reply control for
this use case?
Best regards,
François-Xavier Le Bail
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
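
The response-source rule discussed in this thread, as an added example that is not part of the original messages and is not dig's or BIND's code: it derives the SRAA from a prefix, reproduces the strict source check, and shows what a prefix-based relaxation would additionally accept. The `relax_prefix` parameter is hypothetical (it models the proposed option, not a real dig flag), and the addresses, transaction ID and query name are constructed sample values.

```python
import ipaddress
import struct

def subnet_router_anycast(prefix):
    """RFC 4291 section 2.6.1: the subnet prefix followed by an all-zero interface ID."""
    return ipaddress.IPv6Network(prefix).network_address

def build_query(txid, qname):
    """Minimal DNS query for an AAAA record (RD set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 28, 1)

def check_reply(sent_to, txid, reply_from, reply, relax_prefix=None):
    """Return (accepted, reason). sent_to and reply_from are (address, port) pairs.
    relax_prefix models the hypothetical prefix-based option; it is not a real dig flag."""
    want = ipaddress.ip_address(sent_to[0])
    got = ipaddress.ip_address(reply_from[0])
    if relax_prefix is not None:
        source_ok = got in ipaddress.IPv6Network(relax_prefix)  # any node on the subnet
    else:
        source_ok = got == want                                 # strict rule
    if not source_ok or reply_from[1] != sent_to[1]:
        return False, "reply from unexpected source: %s#%d, expected %s#%d" % (
            got, reply_from[1], want, sent_to[1])
    if len(reply) < 12:
        return False, "truncated header"
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != txid or not flags & 0x8000:
        return False, "ID mismatch or QR bit clear"
    return True, "accepted"

# Constructed sample values (documentation prefix 2001:db8::/32).
PREFIX = "2001:db8:0:1::/64"
SRAA = subnet_router_anycast(PREFIX)
ROUTER_GUA = "2001:db8:0:1:211:22ff:fe33:4455"  # EUI-64 style interface ID
OTHER_HOST = "2001:db8:0:1::bad"                # some other node on the same /64
QUERY = build_query(0x1234, "example.com")
REPLY = QUERY[:2] + struct.pack("!H", 0x8180) + QUERY[4:]  # same ID and question, QR set

if __name__ == "__main__":
    for src in (ROUTER_GUA, OTHER_HOST):
        print(check_reply((str(SRAA), 53), 0x1234, (src, 53), REPLY))
        print(check_reply((str(SRAA), 53), 0x1234, (src, 53), REPLY, relax_prefix=PREFIX))
```

With the strict rule the router's reply from its GUA is rejected, as in the original report; with the prefix relaxation the router's reply is accepted, but so is a reply from any other address in the /64, which is the widened acceptance set the reply above warns about.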