I think IPv6 link-local addresses in general do not work, because they also need an interface scope_id parameter to initiate a connection to that address.

I think resolvers should in general block any link-local addresses from anywhere. It works on Linux only with mDNS (which can assign the correct interface scope_id), never over unicast DNS responses.

I would prefer not doing this via RPZ, but with a common option toggle in the configuration. I cannot see a reason why anyone would want it enabled by default.

On 17/11/2025 16:18, Matus UHLAR - fantomas wrote:
Hello,

On 07.11.25 12:52, Crist Clark wrote:
I still don't understand why an RPZ entry of,

10.zz.fe80. IN CNAME *.

Doesn't work for you. Is there a reason you just want to block IPv6 LL
addresses for this domain but allow for others?

There's one more reason - in case of a domain pointing to link-local address space, I believe it's better to block access to the domain at the proxy level (as done by default).

I needed to allow this one particular domain, the rest would better be blocked as suspicious.
Can you share how these addresses are used? I think it can work only for specifying a listening IP address. But then it should not need the DNS protocol to resolve it. Would an nsswitch plugin used before dns be enough?


On 07.11.25 19:11, Lee wrote:
because it's missing rpz-ip?

I've got

; return NXDOMAIN for any ipv6 link local address answer
10.zz.fe80.rpz-ip       CNAME   .       ;  FE80::/10

and it doesn't work for me :(

On 09.11.25 09:10, Nick Tait via bind-users wrote:
This works for me (BIND 9.20.11):

10.zz.fe80.rpz-ip IN CNAME *.

(You need to rewrite using NODATA, rather than NXDOMAIN.)


Thanks guys, you helped me.


I've had to search for some more complete description of RPZ so I could feel like I know what I'm doing.

Searching the internet for "rpz dns" produced many results describing what it does, but not many of them gave a detailed list of options.

Searching for "bind rpz" produced this document:
https://www.isc.org/docs/BIND_RPZ.pdf
- which unfortunately shows "ns-ip" instead of "rpz-ip", which quite confused me.


Looking at section 6.9 of the ARM produces the theoretical information I found insufficient when browsing the net.


Finally, the docs are buried in the BIND ARM reference (8.2.3.15)
https://bind9.readthedocs.io/en/latest/reference.html#response-policy-zone-rpz-rewriting

and I can confirm this works, although globally for all responses.


Thanks for the cooperation.

--
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
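The rpz-ip trigger syntax discussed above (prefix length, reversed 16-bit groups, "zz" for the compressed zero run, e.g. 10.zz.fe80.rpz-ip for FE80::/10) is easy to get wrong by hand. The following is an added example, not code from this thread or from BIND; it builds the owner name from a prefix, decodes it back to verify what it covers, and checks whether a given AAAA answer would hit the trigger. The action names "nxdomain" and "nodata" and their rdata are the two forms quoted in the thread; the decoding helper is an assumption that a valid "zz" form always parses back to the same prefix.

```python
import ipaddress

# The two rewrite actions quoted in the thread: NXDOMAIN ("CNAME .") and NODATA ("CNAME *.").
RPZ_ACTIONS = {"nxdomain": "CNAME .", "nodata": "CNAME *."}


def _compress_zeros(groups):
    """Replace the longest run (>= 2) of zero groups with a single 'zz' label."""
    best_at, best_len, i = -1, 0, 0
    while i < len(groups):
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < len(groups) and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_at, best_len = i, j - i
        i = j
    if best_len < 2:
        return groups
    return groups[:best_at] + ["zz"] + groups[best_at + best_len:]


def rpz_ip_record(prefix, action="nodata"):
    """Build an rpz-ip trigger line: <prefixlen>.<reversed groups>.rpz-ip IN <rdata>."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    groups = [g.lstrip("0") or "0" for g in net.network_address.exploded.split(":")]
    labels = _compress_zeros(list(reversed(groups)))
    owner = f"{net.prefixlen}.{'.'.join(labels)}.rpz-ip"
    return f"{owner} IN {RPZ_ACTIONS[action]}"


def rpz_ip_to_network(owner):
    """Inverse of the encoding (assumed helper) to verify what a trigger covers."""
    labels = owner.split(".")
    if labels[-1] != "rpz-ip":
        raise ValueError("not an rpz-ip owner name")
    text = ":".join(reversed(labels[1:-1]))
    if text == "zz":
        text = "::"
    else:
        text = text.replace(":zz:", "::").replace("zz:", "::").replace(":zz", "::")
    return ipaddress.IPv6Network(f"{text}/{labels[0]}", strict=False)


def answer_triggers(aaaa, owner):
    """True if an AAAA rdata falls inside the prefix encoded by the rpz-ip owner name."""
    return ipaddress.IPv6Address(aaaa) in rpz_ip_to_network(owner)
```

Feeding the output of rpz_ip_record into a test query against the policy zone confirms that the trigger matches link-local answers (fe80::/10 covers fe80 through febf) and leaves global addresses untouched.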

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
