Do not put IPv4-mapped IPv6 Addresses into AAAA DNS records

RFC 6890 - Special-Purpose IP Address Registries - provides the following table showing that these address should never be seen on a link and are not for Global use.

                 +----------------------+---------------------+
                 | Attribute            | Value               |
                 +----------------------+---------------------+
                 | Address Block        | ::ffff:0:0/96       |
                 | Name                 | IPv4-mapped Address |
                 | RFC                  | [RFC4291]           |
                 | Allocation Date      | February 2006       |
                 | Termination Date     | N/A                 |
                 | Source               | False               |
                 | Destination          | False               |
                 | Forwardable          | False               |
                 | Global               | False               |
                 | Reserved-by-Protocol | True                |
                 +----------------------+---------------------+

                       Table 20: IPv4-Mapped Address

The mistake

A commonly made mistake with DNS and IPv6 is to return an AAAA record of the form ::ffff:x.x.x.x where x.x.x.x is an IPv4 address equal to the A record for the FQDN. This mistake is typically made before the webserver is connected to the IPv6 Internet. This is a clear configuration error, see all the "False" values in the above table, and it can break access to your site for users that have IPv6 access to the Internet, particularly:
  1.  Those going through a NAT64 gateway
  2.  Where the client system does not support dual-stack sockets
FQDNs without native routed IPv6 access to the server must not advertise AAAA records. If there is any AAAA record for the queried FQDN then DNS64 will not synthesise an AAAA record. Normally with DNS64 when a record can be synthesised the network part of the record is a prefix pointing at a NAT64 service listening on the prefix. The final 32 bits of the synthesised record contains the A record that the NAT64 extracts and uses to connect to the legacy IPv4 end-point.

Note that Apple now requires that Apps work with IPv6 and NAT64/DNS64 and it is likely to be an increasingly common method of accessing the legacy Internet through NAT.

If from a host with IPv6 Internet connectivity you can still see a website with an erroneous IPv4-mapped AAAA record it is because the host supports dual-stack sockets (or because the DNS64 server has been configured to ignore the erroneous AAAA record). These hide the DNS configuration error. The packets leaving the host are IPv4, as indeed they must be as the site isn't actually connected to the IPv6 Internet.

Real world example

Here the FQDN and IPv4 have been changed to spare the blushes of the large Irish Financial company that made the mistake. It is still broken at the time of writing.


dig @8.8.8.8 aaaa www.example.ie

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 aaaa www.example.ie
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11888
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.example.ie. IN AAAA

;; ANSWER SECTION:
www.example.ie. 3120 IN AAAA ::ffff:203.0.113.24

;; Query time: 23 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Apr 28 13:34:11 2017
;; MSG SIZE  rcvd: 62

How to avoid the mistake

  1. Do not advertise IPv4-mapped IPv6 Addresses in AAAA DNS records

The correct thing to do

Your server must be connected to the Internet using an IPv6 GUA (Globally Unique Address) routed to your site by your ISP, hosting, or transit providers. The AAAA record must be an IPv6 GUA the website is listening on.




Comments

  1. Nice and good article. It is very useful for me to learn and understand easily. Thanks for sharing your valuable information and time. Please keep updating Hadoop Admin Online Training

    ReplyDelete

Post a Comment

Popular posts from this blog

eir Mobile and GoMo now support IPv4v6 and IPv6

IPv6 in eir Fibre broadband

Updates to eir fibre broadband IPv6 support