Grant Taylor via NANOG <nanog@nanog.org> writes:

> Hi Toke,
>
> On 9/5/21 3:07 PM, Toke Høiland-Jørgensen via NANOG wrote:
>> Well, that's what I used to do back when I didn't have native v6 and
>> ran into this issue: block v6 at the DNS level. I.e., simply filter
>> out all AAAA records for offending service providers. Pretty simple
>> to set up on your home router (it's usually one or a few TLDs per
>> service provider).
>
> I agree that it's not hard to disable AAAA resolution for ... obstinate
> domains. However, as you say, doing so means breaking DNSSEC more and
> more often. Of course it's possible to do that, but it's now a second
> thing that's being done per obstinate domain. :-(
>
> I've considered null routing / rejecting IPv6 traffic to prefixes
> associated with the obstinate domains, but that's not really a set it
> and forget it thing. Especially if ~> when the obstinate domains use
> shared hosting, thus bringing collateral damage into the mix. And yet
> another (3rd) hack ~> workaround. :-(
>
>> It does fail if your clients do DNSSEC validation, but if you do that
>> at the router (or not at all) it should just work :)
>
> Ya. I've been doing the DNSSEC validation on the LAN local recursive
> DNS server for this reason.
Yup, me too :)

>> And yeah, it's an ugly hack that really shouldn't be necessary,
>
> Yep. How many ugly hacks does it take before one starts questioning if
> said ugly hack(s) is (are) the proper thing to do?

Well, I come from a software background, so in my world the whole thing
is held together by duct tape and string anyway ;) And while I can agree
in principle, the nice thing about hacks is that you can actually get
those to *work*, whereas tilting at windmills to get providers to do the
right thing is much harder. So ideally you could do both: deploy the
hack(s) while waiting to get the proper fix deployed a decade or two
from now...

>> but I found it worked quite well back when I used it (a handful of
>> years ago or so), and it keeps IPv6 active and working for everything
>> else...
>
> If you're willing to (break) deal with DNSSEC, yes it does work.
>
>> Another solution that I've used on occasion is to do your own
>> tunnelling: find a hosting provider that can provide you a VPS
>> with a v6 prefix and do your own tunnelling to that. This works by
>> virtue of being "under the radar" of the service providers that do
>> this kind of broken filtering, providing you can find a VPS provider
>> whose prefixes are not blacklisted for some other reason (like being
>> non-residential or something).
>
> The operative phrase being "find a VPS provider whose prefixes are not
> blacklisted". :-/
>
> The workaround ~> hack is becoming more and more problematic year after
> year.

Yeah, I do realise that that particular workaround probably has (had?)
an expiry date :(

-Toke
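The AAAA-stripping hack Toke describes, and the DNSSEC breakage Grant points at, sketched as an added Python example (not code from the thread or from any resolver): it parses a constructed, uncompressed DNS response, removes AAAA answers for a blocked zone, and then reports any RRSIG left covering an RRset that is no longer in the answer, which is the mismatch a validating client rejects. The domain, addresses, key tag and signature bytes are constructed sample data.

```python
import struct
A, AAAA, RRSIG = 1, 28, 46  # RR type codes

def encode_name(name):
    """Wire-format a dotted name without label compression."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def read_name(msg, off):
    """Decode a name at offset; compression pointers (0xC0) are rejected rather than mis-parsed."""
    labels = []
    while msg[off] != 0:
        n = msg[off]
        if n & 0xC0:
            raise ValueError("compression pointers not handled by this demo")
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels) + ".", off + 1
def make_rr(name, rtype, rdata, ttl=300):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
def make_response(qname, qtype, answers):  # header + one question + answers, no other sections
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", qtype, 1) + b"".join(answers)
def parse_answers(msg):
    """Return (answer start, answer end, [(owner, type, raw rr bytes, rdata), ...])."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = read_name(msg, off)[1] + 4  # skip QNAME, QTYPE, QCLASS
    start, rrs = off, []
    for _ in range(ancount):
        owner, o = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[o:o + 10])
        end = o + 10 + rdlen
        rrs.append((owner, rtype, msg[off:end], msg[o + 10:end]))
        off = end
    return start, off, rrs
def strip_aaaa(msg, blocked):
    """Drop AAAA answers owned by a name at or under a blocked zone and rewrite ANCOUNT."""
    start, end, rrs = parse_answers(msg)
    zones = [z.rstrip(".") + "." for z in blocked]
    keep = [r for r in rrs if not (r[1] == AAAA and any(r[0] == z or r[0].endswith("." + z) for z in zones))]
    return msg[:6] + struct.pack("!H", len(keep)) + msg[8:start] + b"".join(r[2] for r in keep) + msg[end:]
def orphaned_rrsigs(msg):
    """Types an answer RRSIG covers with no data RR left: the mismatch a validating client rejects."""
    _, _, rrs = parse_answers(msg)
    present = {r[1] for r in rrs}
    return sorted({struct.unpack("!H", r[3][:2])[0] for r in rrs if r[1] == RRSIG} - present)

# Constructed sample: www.example.com with A, AAAA and an RRSIG over the AAAA RRset (dummy signature bytes).
SAMPLE = make_response("www.example.com.", AAAA, [
    make_rr("www.example.com.", A, bytes([93, 184, 216, 34])),
    make_rr("www.example.com.", AAAA, bytes.fromhex("20010db8000000000000000000000001")),
    make_rr("www.example.com.", RRSIG, struct.pack("!HBBIIIH", AAAA, 13, 3, 300, 0, 0, 12345) + encode_name("example.com.") + b"\x00" * 8)])
```

A resolver that validates DNSSEC itself and only then strips AAAA (validation on the LAN recursor, as both posters do) never hands the orphaned RRSIG to a validating client; stripping before validation does.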