Do not put IPv4-mapped IPv6 Addresses into AAAA DNS records
RFC 6890 - Special-Purpose IP Address Registries - provides the following table showing that these address should never be seen on a link and are not for Global use.
If from a host with IPv6 Internet connectivity you can still see a website with an erroneous IPv4-mapped AAAA record it is because the host supports dual-stack sockets (or because the DNS64 server has been configured to ignore the erroneous AAAA record). These hide the DNS configuration error. The packets leaving the host are IPv4, as indeed they must be as the site isn't actually connected to the IPv6 Internet.
+----------------------+---------------------+ | Attribute | Value | +----------------------+---------------------+ | Address Block | ::ffff:0:0/96 | | Name | IPv4-mapped Address | | RFC | [RFC4291] | | Allocation Date | February 2006 | | Termination Date | N/A | | Source | False | | Destination | False | | Forwardable | False | | Global | False | | Reserved-by-Protocol | True | +----------------------+---------------------+ Table 20: IPv4-Mapped Address
The mistake
A commonly made mistake with DNS and IPv6 is to return an AAAA record of the form ::ffff:x.x.x.x where x.x.x.x is an IPv4 address equal to the A record for the FQDN. This mistake is typically made before the webserver is connected to the IPv6 Internet. This is a clear configuration error, see all the "False" values in the above table, and it can break access to your site for users that have IPv6 access to the Internet, particularly:
Note that Apple now requires that Apps work with IPv6 and NAT64/DNS64 and it is likely to be an increasingly common method of accessing the legacy Internet through NAT.
- Those going through a NAT64 gateway
- Where the client system does not support dual-stack sockets
Note that Apple now requires that Apps work with IPv6 and NAT64/DNS64 and it is likely to be an increasingly common method of accessing the legacy Internet through NAT.
If from a host with IPv6 Internet connectivity you can still see a website with an erroneous IPv4-mapped AAAA record it is because the host supports dual-stack sockets (or because the DNS64 server has been configured to ignore the erroneous AAAA record). These hide the DNS configuration error. The packets leaving the host are IPv4, as indeed they must be as the site isn't actually connected to the IPv6 Internet.
Real world example
Here the FQDN and IPv4 have been changed to spare the blushes of the large Irish Financial company that made the mistake. It is still broken at the time of writing.
dig @8.8.8.8 aaaa www.example.ie
; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 aaaa www.example.ie
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11888
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.example.ie. IN AAAA
;; ANSWER SECTION:
www.example.ie. 3120 IN AAAA ::ffff:203.0.113.24
;; Query time: 23 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Apr 28 13:34:11 2017
;; MSG SIZE rcvd: 62
How to avoid the mistake
- Do not advertise IPv4-mapped IPv6 Addresses in AAAA DNS records
The correct thing to do
Your server must be connected to the Internet using an IPv6 GUA (Globally Unique Address) routed to your site by your ISP, hosting, or transit providers. The AAAA record must be an IPv6 GUA the website is listening on.
Nice and good article. It is very useful for me to learn and understand easily. Thanks for sharing your valuable information and time. Please keep updating Hadoop Admin Online Training
ReplyDelete