Hello,

I maintain a squid proxy server which (by default) disallows connecting to hosts in the link-local network (I'd say standard security practice).

We have a problem with a DNS name that has a public IPv4 address but a private IPv6 one:

soratool.ch.            179     IN      A       160.85.67.44
soratool.ch.            168     IN      AAAA    fe80::250:56ff:feaa:f5dc

fe80::/10 is the link-local address range, first described in Feb 2006 in RFC 4291.

Seems that the domain maintainer does not want to fix this (...)

To make it work I can redefine the policy in the proxy server that disables the rule banning link-local addresses, to allow this particular domain.

However, I would prefer not to do this on proxy level.

Is there a possibility to override the AAAA record using RPZ?

From what I found, it should be possible to drop IPv6 addresses in fe80::/10 by defining

10.0.0.0.0.0.0.0.fe80.ns-ip     CNAME   .

which would drop all responses pointing to a link-local address.
Is that correct?

Or, better, is it possible only to override AAAA for this particular domain?

Thanks

--
Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Enter any 12-digit prime number to continue.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list.
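The two RPZ approaches the question asks about, written out as a BIND response-policy zone. This is an added example, not part of the original post or of the BIND/ISC documentation; the zone name `rpz.local`, the file name and the SOA/NS values are placeholders, and the IPv4 address is the one quoted in the message. The zone is activated with `response-policy { zone "rpz.local"; };` in the `options` block of named.conf and a matching `zone "rpz.local" { type master; file "rpz.local.db"; };` statement.

```zone
; rpz.local.db - constructed example response-policy zone (not from the post)
$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 2592000 300 )
    IN NS   localhost.

; Option 1: override this one name only (RPZ "local data" action).
; The node holds only an A RRset, so an A query is answered with the
; public address and an AAAA query for the same name gets NODATA; the
; fe80:: AAAA from the authoritative zone is never returned.
; Caveat: this pins the A address too, so it must be updated by hand
; if the domain owner ever changes it.
soratool.ch                     IN A     160.85.67.44

; Option 2: response-IP trigger for every name. Any answer containing
; an AAAA inside fe80::/10 is rewritten to NODATA (CNAME *.), while A
; answers are untouched because they carry no link-local address.
; Trigger name = prefixlen, then the address groups in reverse order;
; the run of zero groups may also be written as "zz" (like "::").
10.0.0.0.0.0.0.0.fe80.rpz-ip    IN CNAME *.
```

`CNAME *.` yields NODATA (the name exists, but has no records of the requested type), which is what a dual-stack client needs to fall back to the A record; `CNAME .` would instead return NXDOMAIN for the whole name and break the IPv4 path as well. Option 1 is the narrower change and the one to prefer when only this domain is affected; Option 2 is the resolver-wide equivalent of the proxy's link-local ban.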
