In article <20190925000333.ade8717b0...@fafnir.remote.dragon.net> you write:
>marka> DNS servers that are expected to be reached across sites need to
>marka> be globally unique addresses which ULA and LL are not.
>
>The IP address clients use to reach the resolver doesn't have to be the
>same one that the resolver uses as source address when it queries. And
>it's not uncommon to have an externally exposed recursive resolver on
>the public side of a corporate firewall with queries from an internal
>resolver being forwarded.

Right. My resolver has a public v6 address, a LL, and a ULA. It sends outgoing queries on the public address but only responds to queries on the LL and ULA. The ULA works great, makes it harder for random outsiders to try to abuse it even if the ULA leaks outside my network. The LL sort of works, in clients with resolvers that understand link scoping, and not at all on hosts on my other network segment.

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
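
An added example, not part of the original message: a Python check that a resolver's listen and egress addresses follow the split described above (answer only on ULA and LL, send queries from the public address). It assumes Unbound-style `interface:` and `outgoing-interface:` lines, since the post does not name the resolver software; the sample config and all addresses are constructed.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")   # unique local addresses (RFC 4193)
LL = ipaddress.ip_network("fe80::/10")   # link-local unicast (RFC 4291)

# Constructed sample in Unbound syntax. Addresses are made up; 2001:db8::/32
# (documentation prefix) stands in for the resolver's public address.
SAMPLE_CONF = """
server:
    interface: fd12:3456:789a::53
    interface: fe80::53%eth0
    outgoing-interface: 2001:db8:10::53
"""

def scope(addr):
    """Classify an address as loopback, link-local, ula, private-v4 or public."""
    try:
        ip = ipaddress.ip_address(addr.split("@")[0].split("%")[0])
    except ValueError:
        return "unknown"                 # e.g. an interface name, not an IP
    if ip.is_loopback:
        return "loopback"
    if ip.version == 6 and ip in LL:
        return "link-local"
    if ip.version == 6 and ip in ULA:
        return "ula"
    if ip.version == 4 and (ip.is_link_local or ip.is_private):
        return "private-v4"
    return "public"                      # assumption: anything else is reachable from outside

def audit(conf):
    """Return findings for a listen/egress split like the one described above."""
    findings = []
    for raw in conf.splitlines():
        line = raw.split("#")[0].strip()
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "interface":
            s = scope(value)
            if s in ("public", "unknown"):
                findings.append(f"EXPOSED listener {value} ({s})")
            elif s == "link-local":
                findings.append(f"NOTE listener {value} is reachable on its own link only")
        elif key == "outgoing-interface" and scope(value) != "public":
            findings.append(f"EGRESS {value} is not a global address")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```
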