Do not put IPv4-mapped IPv6 Addresses into AAAA DNS records

RFC 6890 - Special-Purpose IP Address Registries - provides the following table showing that these address should never be seen on a link and are not for Global use.

                 +----------------------+---------------------+
                 | Attribute            | Value               |
                 +----------------------+---------------------+
                 | Address Block        | ::ffff:0:0/96       |
                 | Name                 | IPv4-mapped Address |
                 | RFC                  | [RFC4291]           |
                 | Allocation Date      | February 2006       |
                 | Termination Date     | N/A                 |
                 | Source               | False               |
                 | Destination          | False               |
                 | Forwardable          | False               |
                 | Global               | False               |
                 | Reserved-by-Protocol | True                |
                 +----------------------+---------------------+

                       Table 20: IPv4-Mapped Address

The mistake

A commonly made mistake with DNS and IPv6 is to return an AAAA record of the form ::ffff:x.x.x.x where x.x.x.x is an IPv4 address equal to the A record for the FQDN. This mistake is typically made before the webserver is connected to the IPv6 Internet. This is a clear configuration error, see all the "False" values in the above table, and it can break access to your site for users that have IPv6 access to the Internet, particularly:
  1.  Those going through a NAT64 gateway
  2.  Where the client system does not support dual-stack sockets
FQDNs without native routed IPv6 access to the server must not advertise AAAA records. If there is any AAAA record for the queried FQDN then DNS64 will not synthesise an AAAA record. Normally with DNS64 when a record can be synthesised the network part of the record is a prefix pointing at a NAT64 service listening on the prefix. The final 32 bits of the synthesised record contains the A record that the NAT64 extracts and uses to connect to the legacy IPv4 end-point.

Note that Apple now requires that Apps work with IPv6 and NAT64/DNS64 and it is likely to be an increasingly common method of accessing the legacy Internet through NAT.

If from a host with IPv6 Internet connectivity you can still see a website with an erroneous IPv4-mapped AAAA record it is because the host supports dual-stack sockets (or because the DNS64 server has been configured to ignore the erroneous AAAA record). These hide the DNS configuration error. The packets leaving the host are IPv4, as indeed they must be as the site isn't actually connected to the IPv6 Internet.

Real world example

Here the FQDN and IPv4 have been changed to spare the blushes of the large Irish Financial company that made the mistake. It is still broken at the time of writing.


dig @8.8.8.8 aaaa www.example.ie

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 aaaa www.example.ie
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11888
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.example.ie. IN AAAA

;; ANSWER SECTION:
www.example.ie. 3120 IN AAAA ::ffff:203.0.113.24

;; Query time: 23 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Apr 28 13:34:11 2017
;; MSG SIZE  rcvd: 62

How to avoid the mistake

  1. Do not advertise IPv4-mapped IPv6 Addresses in AAAA DNS records

The correct thing to do

Your server must be connected to the Internet using an IPv6 GUA (Globally Unique Address) routed to your site by your ISP, hosting, or transit providers. The AAAA record must be an IPv6 GUA the website is listening on.




Comments

  1. Unknown9 October 2018 at 04:00

    Nice and good article. It is very useful for me to learn and understand easily. Thanks for sharing your valuable information and time. Please keep updating Hadoop Admin Online Training

    ReplyDelete

Post a Comment

Popular posts from this blog

eir Mobile and GoMo now support IPv4v6 and IPv6

APNs data.myeirmobile.ie and broadband.myeirmobile.ie now also support IPv4v6 and IPv6 connections. To manually update a phone to also have IPv6 connectivity edit the APN protocol to "IPv6" or "IPv4/IPv6". Most Android phones let the APN protocol be edited. Apple iOS phones do not let this setting be edited by the user. Existing phones of all types will continue to request IPv4 connections until their software/configuration settings have been updated to request IPv4v6 or IPv6. In all cases phones will continue to have IPv4 connectivity even when the requested APN protocol is "IPv6". More technical details IPv6 end-to-end traffic bypasses the network NAT. The IPv6 DNS servers advertised by the eir network generate DNS64 AAAA responses to DNS queries made over IPv6 transport. i.e. DNS IPv6 AAAA records are synthesised for FQDNs that only have IPv4 A records. IPv4v6 is dual stack, the UE (User Equipment e.g. a smartphone) requests both an IPv4 address and an...
Read more

IPv6 in eir Fibre broadband

The F2000 modem supports dual-stack Internet access. Modem WAN Interface The modem has to request IPv6  in addition to the old IPv4. IPv6 is provided in parallel with IPv4 in native Dual-Stack mode (neither DS-Lite or 6RD modes are used). The F2000 modem's DHCPv6 client requests a delegated prefix (IA_PD) from the network. The network DHCPv6 server responds with an Advertise message containing the delegated prefix with a valid-lifetime of 1 hour. The same prefix will be assigned as long as the modem is connected. If the modem is disconnected for 1 hour or sends a Release message (e.g. when set to IPv4 only) a different delegated prefix will be The Internet's assigned on a subsequent request. Modem LAN/WiFi Interface There's nothing to do on the LAN/WiFi side , it is all automatic. The modem selects a fixed /64 prefix from the delegated prefix and uses SLAAC to provide IPv6 addresses to connected wired and WiFi devices. The remainder of the delegated prefix is rese...
Read more

Updates to eir fibre broadband IPv6 support

Delegated Prefix lease persistency enhanced To help prevent changes to the Delegated Prefix assigned to a requesting DHCPv6 client the DHCPv6 server now remembers the lease for 15 minutes after the lease has timed out. The server also remembers the lease even when the client sends a solicited-release for it. This lets the router be reconfigured without losing its lease. Leases are bound to the MAC address of the requesting router's WAN interface. If the router's WAN interface MAC changes a different Delegated Prefix will be assigned. A typical example of when this occurs is a router swap. If a different Delegated Prefix is desired; turn the client router off for 75 minutes so that the lease also times out at the DHCPv6 server. F2000 firmware update B050 This minor update began rolling out in mid August 2018. It improves the reliability of the IPv6 connection. Specifically B050 fixes a bug in the DHCPv6 client which can occur if the WAN link goes down and comes back u...
Read more