On 18.11.25 18:57, Petr Menšík via bind-users wrote:
I think IPv6 link-local addresses in general do not work, because they also need an interface scope_id parameter to initiate a connection to that address.

I think resolvers should in general block any link-local addresses from anywhere. It works on Linux with mDNS only (which can assign the correct interface scope_id), never over unicast DNS responses.

I would prefer not doing this over RPZ, but by a common option toggle in the configuration. I cannot see a reason why anyone would want it enabled by default.

I am not sure whether any qualification like "this IP should not be in DNS" should be part of the BIND server or resolver. IP usage can change over time; IP ranges can get added and their usage can change as well.


On 07.11.25 12:52, Crist Clark wrote:
I still don't understand why an RPZ entry of,

10.zz.fe80. IN CNAME *.

Doesn't work for you. Is there a reason you just want to block IPv6 LL
addresses for this domain but allow for others?

On 17/11/2025 16:18, Matus UHLAR - fantomas wrote:
There's one more reason - in case of a domain pointing to link-local address space, I believe it's better to block access to the domain at the proxy level (as done by default).

I needed to allow this one particular domain; the rest would better be blocked as suspicious.

Can you share how these addresses are used? I think it can work only for specifying a listening IP address. But then it should not need the DNS protocol to resolve it. Would an nsswitch plugin used before dns be enough?

The default squid configuration file contains this line:

http_access deny to_linklocal

which originally "caused" the problem, because the soratool.sh IPv6 address points to a link-local address, while the IPv4 one is public.

So far I haven't encountered another case of link-local addresses, but should that happen, I'd prefer the rule above to kick in
(unless we verify it's intentional and good)


--
Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Linux IS user friendly, it's just selective who its friends are...
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list.
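As an added example (not part of the thread, and not BIND's or squid's own code), the following Python script shows what the RPZ response-IP trigger `10.zz.fe80.` discussed above actually covers: it decodes RPZ IP trigger owner names (prefix first, address labels reversed, `zz` standing for `::`) into the network they name, then flags the A/AAAA answers that such a rule would catch. The answer records, owner names and addresses are constructed for the example; `16.0.0.254.169` is the equivalent trigger for IPv4 link-local space (169.254.0.0/16) and is added here for comparison, not taken from the thread.

```python
"""Decode RPZ response-IP triggers and flag the answers they would catch.

Added example for the bind-users thread above; not code from BIND or squid.
"""
import ipaddress
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# An answer record as (owner name, RR type, rdata). Constructed shape.
Record = Tuple[str, str, str]


def rpz_ip_trigger_to_network(trigger: str) -> Network:
    """Turn an RPZ IP trigger owner name into the network it covers.

    RPZ encodes IPv4 triggers as prefix.B4.B3.B2.B1 and IPv6 triggers as
    prefix.W8.W7...W1: address labels in reverse order, with the label 'zz'
    standing for '::'. A trailing '.rpz-ip' label and a trailing dot are
    accepted and ignored.
    """
    labels = trigger.rstrip(".").split(".")
    if labels[-1] == "rpz-ip":
        labels = labels[:-1]
    prefix, addr_labels = int(labels[0]), labels[1:]

    # Exactly four decimal labels and no 'zz' can only be an IPv4 trigger.
    is_ipv4 = len(addr_labels) == 4 and all(l.isdigit() for l in addr_labels)
    if is_ipv4:
        address = ".".join(reversed(addr_labels))
    else:
        words = list(reversed(addr_labels))  # back into normal word order
        if "zz" in words:
            i = words.index("zz")
            address = ":".join(words[:i]) + "::" + ":".join(words[i + 1:])
        else:
            if len(words) != 8:
                raise ValueError(f"IPv6 trigger needs 8 words or 'zz': {trigger}")
            address = ":".join(words)

    # strict=False tolerates triggers whose host bits are not all zero;
    # 10.zz.fe80 decodes cleanly to fe80::/10 either way.
    return ipaddress.ip_network(f"{address}/{prefix}", strict=False)


def matching_answers(records: Iterable[Record], triggers: Iterable[str]) -> List[Record]:
    """Return the A/AAAA records whose rdata falls inside any trigger network.

    Like a response-IP RPZ rule, this looks only at the addresses in the
    answer, not at the owner name.
    """
    networks = [rpz_ip_trigger_to_network(t) for t in triggers]
    hits: List[Record] = []
    for rec in records:
        _name, rtype, rdata = rec
        if rtype not in ("A", "AAAA"):
            continue
        addr = ipaddress.ip_address(rdata)
        if any(addr.version == net.version and addr in net for net in networks):
            hits.append(rec)
    return hits


# Constructed answer set: one name with a public IPv4 and a link-local IPv6
# (the shape described in the thread), one fully public name, and one IPv4
# link-local address. None of these are real records.
SAMPLE_ANSWERS: List[Record] = [
    ("tool.example.test.", "A", "203.0.113.10"),
    ("tool.example.test.", "AAAA", "fe80::1"),
    ("www.example.test.", "AAAA", "2001:db8::10"),
    ("printer.example.test.", "A", "169.254.7.7"),
]

# The trigger from the thread (fe80::/10) plus its IPv4 counterpart (169.254.0.0/16).
LINK_LOCAL_TRIGGERS = ["10.zz.fe80.", "16.0.0.254.169"]


def link_local_answers(records: Iterable[Record] = SAMPLE_ANSWERS) -> List[Record]:
    """Answers a response-IP policy on link-local space would act on."""
    return matching_answers(records, LINK_LOCAL_TRIGGERS)


if __name__ == "__main__":
    for trig in LINK_LOCAL_TRIGGERS:
        print(f"{trig:20s} -> {rpz_ip_trigger_to_network(trig)}")
    for rec in link_local_answers():
        print("would be caught by the policy:", rec)
```

Running it decodes `10.zz.fe80.` to `fe80::/10` and reports only the two link-local answers, which is why a single response-IP rule with `CNAME *.` (NXDOMAIN) catches the IPv6 address of a name while leaving its public IPv4 record untouched; per-name exceptions, as asked for in the thread, need a separate QNAME or passthru policy rather than a change to the IP trigger itself.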