This may be a little off-topic for DNSOP, but has anyone considered submitting 
Errata for RFC 4291 to add the word "physical" before the word "interface" to 
the sentence

"A packet received on an interface with a destination address of loopback must 
be dropped"

?

Because, as it stands, if taken literally, even packets to lo0 should be 
discarded, thus effectively transforming so-called "IPv6 loopback" into "IPv6 
sinkhole", and leaving no formal address assignment whatsoever for true 
*loopback* functions in IPv6.

Be that as it may, since the "reservation" of the entire ::/8 block in 
http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xhtml 
isn't backed up by any corresponding /8-level definition in 
http://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml,
I think the portions of ::/8 not mentioned in the latter registry are 
legitimately available for loopback purposes. Just don't put any packets on the 
wire with source or dest addresses in that range.

Or, as Mark said, just use a ULA address configured on a local interface.

                                                                                
- Kevin

-----Original Message-----
From: DNSOP [mailto:dnsop-boun...@ietf.org] On Behalf Of Paul Vixie
Sent: Wednesday, September 30, 2015 9:47 PM
To: John Levine
Cc: e...@isc.org; dnsop@ietf.org
Subject: Re: [DNSOP] Brian Haberman's No Record on 
draft-ietf-dnsop-root-loopback-04: (with COMMENT)



John Levine wrote:
>> It should be easy enough to create a local alias address for the 
>> purpose though.  "ifconfig lo inet6 add ::2 alias", salt to taste.
>
> Uh, no.  The *only* loopback address is ::1.  The rest of 0000::/8 is 
> reserved.

right. just like 127.0.0.0/8 is reserved. yet i use 127.0.0.2, .3, and so on, 
all the time. i think it's probably safe to intrude on this "reservation" for 
this use case.

> If you have a loopback software interface, you could set up a link 
> local address like fe80::1, but now your DNS software has to 
> understand link scoped addresses like fe80::1%lo.
>
> Having set up a DNS cache on my LAN using link local IPv6 addresses, I 
> can report that it doesn't work very well.

agreed.

> All in all, I think the advice to stick with IPv4 loopback addresses 
> is reasonable.  We can revisit this in 2050 when IPv4 is starting to 
> be phased out.

disagreed. ipv4 should die a-s-a-p. don't bring up any new ipv4 services unless 
you are sure they have to talk to the legacy internet. which is demonstrably 
not the case for localhost dns service.

now you don't see it:

root@family:/home/vixie # ifconfig lo0
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

now you do:

root@family:/home/vixie # ifconfig lo0 inet6 ::2/128 alias 
root@family:/home/vixie # ifconfig lo0
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::2 prefixlen 128
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

ntpd is a grabby little thing:

root@family:/home/vixie # netstat -an | grep ::
tcp6       0      0 ::1.465                *.*                    LISTEN
tcp6       0      0 ::1.587                *.*                    LISTEN
tcp6       0      0 ::1.25                 *.*                    LISTEN
tcp6       0      0 ::1.993                *.*                    LISTEN
tcp6       0      0 ::1.143                *.*                    LISTEN
tcp6       0      0 ::1.995                *.*                    LISTEN
tcp6       0      0 ::1.110                *.*                    LISTEN
udp6       0      0 ::2.123                *.*
udp6       0      0 fe80::1%lo0.123        *.*
udp6       0      0 ::1.123                *.*
udp6       0      0 fe80::2a0:98ff:f.123   *.*

i had to alter these lines of my ipfw configuration:

add     pass    all     from any to any via lo0
add     deny    all     from any to { ::1 or 127.0.0.0/8 }
add     deny    ip      from { ::1 or 127.0.0.0/8 } to any

they now read:

add     pass    all     from any to any via lo0
add     deny    all     from any to { ::1 or ::2 or 127.0.0.0/8 }
add     deny    ip      from { ::1 or ::2 or 127.0.0.0/8 } to any

i had to add a line to ntp.conf:

restrict -6 ::1
restrict -6 ::2

noting, the other lines in that vicinity tell us things about
127.0.0.0/8 that the IETF might not know:

restrict 127.127.1.0

but anyway, it works:

root@family:/home/vixie # ntpq -p ::2
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 mm1.redbarn.org 108.61.194.85    3 u    1   64    1    0.287    3.617   0.075
 ks.redbarn.org  208.75.88.4      3 u    2   64    1    1.171   -0.744   0.000

--
Paul Vixie
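Added example, not from either message in the thread: Paul Vixie's three ipfw rules and Kevin's reading of the ::/8 reservation, modelled together in Python with the standard ipaddress module so the two policies can be compared on the same packets. The interface names and the three IANA special-purpose entries listed in the code are the example author's assumptions, not values taken from the thread.

```python
import ipaddress

# Interfaces covered by "add pass all from any to any via lo0".
LOOPBACK_IFACES = {"lo0", "lo"}

# Registered special-purpose blocks inside ::/8 that are not loopback, so under
# Kevin's reading they are excluded from the "available for loopback" remainder.
# Assumption: a partial transcription of the IANA registry, not from the thread.
IANA_SPECIAL_IN_ZERO_SLASH_8 = [
    ipaddress.ip_network("::/128"),         # unspecified address
    ipaddress.ip_network("::ffff:0:0/96"),  # IPv4-mapped addresses
    ipaddress.ip_network("64:ff9b::/96"),   # IPv4/IPv6 translation (RFC 6052)
]
ZERO_SLASH_8 = ipaddress.ip_network("::/8")
V4_LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
LITERAL_V6 = {ipaddress.ip_address("::1"), ipaddress.ip_address("::2")}


def is_loopback_like(addr: str, strict: bool = False) -> bool:
    """True for addresses that must never be put on the wire.

    strict=False mirrors the ipfw rules as written: ::1, ::2 and 127.0.0.0/8.
    strict=True follows Kevin's reading of the registries: everything in ::/8
    except the registered special-purpose blocks counts as loopback.
    """
    a = ipaddress.ip_address(addr)
    if a.version == 4:
        return a in V4_LOOPBACK
    if not strict:
        return a in LITERAL_V6
    if a not in ZERO_SLASH_8:
        return False
    return not any(a in net for net in IANA_SPECIAL_IN_ZERO_SLASH_8)


def ipfw_decision(iface: str, src: str, dst: str, strict: bool = False) -> str:
    """First-match evaluation of the three rules quoted in the thread."""
    if iface in LOOPBACK_IFACES:          # pass all from any to any via lo0
        return "pass"
    # deny all from any to { ::1 or ::2 or 127.0.0.0/8 }: the RFC 4291
    # "received on an interface ... must be dropped" rule, applied only to
    # non-loopback interfaces, which is what Kevin's proposed erratum would say.
    if is_loopback_like(dst, strict):
        return "deny"
    if is_loopback_like(src, strict):     # deny ip from { ... } to any
        return "deny"
    return "pass"                         # fall through to the rest of the ruleset
```

The literal rules let a later alias such as ::3 leak past the firewall, while the strict reading catches it without a rule change; an IPv4-mapped source is left to the rest of the ruleset under both readings.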

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
